
Cyber Incident Victim: Seoul Metro

Date: Jul 2015

Location: South Korea

Summary

A Seoul subway operator experienced a cyberattack compromising two servers managing company computers, enabling unauthorized access to 213 systems. Malicious code infected 58 devices, leading to the theft of 12 internal documents related to human resources and operational management. The National Intelligence Service attributed the breach to an Advanced Persistent Threat group, noting similarities to a prior attack suspected of North Korean origin, though insufficient log data prevented definitive attribution. The operator confirmed subway safety systems remained unaffected due to isolation from the compromised network. Remediation included mass PC formatting and enhanced security protocols. The organization reported a significant increase in annual cyberattack attempts, nearing previous yearly totals within months.


Description

In July 2014, two servers managing Seoul Metro's internal computer systems were compromised by unauthorized actors, enabling access to 213 company computers. The breach was disclosed on October 5, 2015, following a National Intelligence Service (NIS) report cited by lawmaker Ha Tae-keung. Of the affected systems, 58 computers were confirmed infected with malicious code, leading to the exfiltration of 12 internal documents. The NIS attributed the attack to Advanced Persistent Threat (APT) tactics, noting technical similarities to the March 2013 cyberattacks against South Korean broadcasters and financial institutions that were previously linked to North Korean operatives. Investigators could not identify the initial intrusion vector or code origin due to inadequate server log retention. Seoul Metro confirmed the compromised servers managed employee workstations but emphasized no connection to operational subway control systems, which operated on physically segregated networks.


The stolen data consisted exclusively of non-critical human resources and administrative documents according to Seoul Metro, with no safety-critical infrastructure impacted. Following forensic analysis, the organization initiated a full reformatting of all workstations in 2014 alongside enhanced cybersecurity protocols. Despite limited operational disruption, the incident highlighted persistent targeting of the transit operator, with Seoul officials documenting over 350,000 cyberattack attempts against Metro systems in the first nine months of 2015 alone – nearing the total volume recorded for all of 2014. No further data leaks or system compromises were publicly confirmed following the remediation efforts.
