Cyber Incident Victim: Ministry of Foreign Affairs of South Korea
Date: Oct 2015
Location: South Korea
Summary
North Korean hackers infiltrated South Korean government systems, stealing sensitive data from lawmakers' and aides' computers while targeting servers at the Foreign Ministry, Defense Ministry, and presidential Blue House, with some attempts successfully blocked. The breach involved stolen government audit files and followed a pattern of previous cyber intrusions attributed to North Korea, including attacks on nuclear power facilities. The country's intelligence agency confirmed the incidents but noted that Pyongyang denied involvement despite evidence linking prior breaches to North Korean IP addresses.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early October 2015, North Korean hackers conducted cyber intrusions targeting multiple South Korean government institutions, including the Ministry of Foreign Affairs, Ministry of Defense, and the presidential Blue House. South Korea's National Intelligence Service (NIS) confirmed during an October 20 parliamentary audit that attackers successfully stole government audit data from three personal computers belonging to National Assembly members. An additional 11 computers used by government aides were compromised, with sensitive information exfiltrated according to opposition lawmaker Shin Kyoung-min. Media reports specified that hackers infiltrated servers at the Foreign Ministry, though the NIS successfully blocked attempted breaches at the Blue House and defense institutions. The spy agency implemented new security protocols at the Blue House following the incident and notified the National Assembly Secretariat about the compromises.

This incident occurred within a documented pattern of North Korean cyber operations against South Korean targets. The NIS had previously attributed the December 2014 breach of Korea Hydro and Nuclear Power servers to North Korean actors, along with attempts to steal sensitive data from energy company employees. Pyongyang denied involvement in the nuclear power plant hack despite Seoul's evidence of reused North Korean IP addresses. During the same October 20 parliamentary session where the Foreign Ministry breach was disclosed, the NIS provided additional assessments about North Korea's military capabilities, stating Pyongyang lacked miniaturized nuclear warhead technology but was preparing for a fourth nuclear test. The agency also reported monitoring North Korea's missile launch preparations while noting decreased activity potentially influenced by China's opposition to such tests. No public statements from the Foreign Ministry regarding specific operational impacts or data classification levels of stolen materials were reported in the disclosed information.
