Cyber Incident Victim: South Korea
Date: Feb 2016
Location: South Korea
Summary
A state-sponsored campaign, attributed by South Korea's National Intelligence Service to North Korea, targeted senior government officials' smartphones with text messages carrying malicious code. Roughly 20% of the targeted devices were compromised, exposing call histories, text messages and voice calls, and the contact lists harvested from them revealed the phone numbers of further high-ranking personnel. The same actor breached security software vendors, including a firm whose products were used by about 20 million citizens for online banking, and also intruded into railway control center networks. The NIS further reported that the attackers had already assembled tens of thousands of compromised "zombie" machines, inside South Korea and abroad, that could be turned to future operations. The intrusions came amid heightened regional tensions following North Korea's January 2016 nuclear test and prompted South Korea to raise its cybersecurity alert level.
Description
In late February to early March 2016, North Korean threat actors conducted cyber intrusions against senior South Korean government officials through their smartphones. The National Intelligence Service (NIS) confirmed that the attackers sent text messages containing malicious code and compromised about 20% of the targeted smartphones belonging to high-ranking officials. From those devices they stole call histories, text messages and recordings of voice calls, and they harvested the stored contact lists, exposing the phone numbers of other senior government personnel. In parallel, the same actors breached the network of an unnamed security software vendor whose products were used by 20 million citizens for internet banking; a separate intrusion compromised a smaller security vendor's systems during the same period.

The NIS disclosed these incidents at a March cybersecurity committee briefing attended by representatives of 14 government security and industry agencies. The attacks occurred amid heightened tensions following North Korea's nuclear weapons test in January 2016, which had prompted South Korea to raise its cybersecurity alert level twice within a month. The intelligence service also stated that North Korea had built up offensive cyber capacity, including 60,000 compromised "zombie" computers inside South Korea during 2015 and a further 10,000 across 120 countries by January 2016. Railway control center networks were subjected to intrusions during the same campaign. In response to the escalating threats, South Korea's parliament passed controversial anti-terror legislation in early March after a nine-day filibuster, with national security concerns cited as a primary justification for the new law.
