Cyber Incident Victim: LG Electronics

Date: Aug 2017

Location: South Korea

Summary

A South Korean consumer electronics company experienced a ransomware incident when WannaCry malware infected self-service kiosks at a service center. The attack prompted immediate network access restrictions to contain the spread, resulting in a two-day system outage while security updates were applied. Analysis by the national cybersecurity agency confirmed the ransomware variant, which exploited known vulnerabilities in unpatched Windows systems. No data loss occurred during the incident, and the organization did not pay any ransom demands. All affected unmanned terminals resumed normal operations following remediation efforts, though the initial infection vector remained under investigation at the time of reporting.

Description

On August 14, 2017, LG Electronics experienced a ransomware incident affecting self-service kiosks at its service centers in South Korea. The company identified malicious code causing operational disruptions and engaged the Korea Internet & Security Agency (KISA) for analysis, which confirmed the malware as WannaCry. This ransomware variant, known for leveraging the EternalBlue exploit developed by the NSA and leaked earlier that year, had previously caused global disruptions in May 2017 by infecting over 300,000 Windows systems, including high-profile targets like the UK's National Health Service. LG's infection occurred despite the availability of Microsoft's emergency patch and the activation of a killswitch discovered by security researcher Marcus Hutchins months earlier. The compromised systems were unmanned reception terminals used for customer self-service functions. Upon detection, LG immediately implemented network access restrictions at the affected service center to contain the malware and prevent lateral movement across corporate systems. This containment effort required taking infected terminals offline for two days, disrupting normal operations at some facilities. The company maintained that no customer or corporate data was exfiltrated or permanently encrypted during the incident, and no ransom payment was made to attackers.

LG restored all affected kiosks to normal functionality by August 16 following system isolation and remediation efforts. The company completed security updates across all infected terminals to address vulnerabilities exploited by WannaCry, though the initial attack vector remained under joint investigation by LG and KISA at the time of reporting. The incident did not expand beyond the initially compromised service center due to the swift containment measures. Operational impacts were limited to temporary service delays at some locations during the two-day outage. LG emphasized that core business systems and production facilities remained unaffected throughout the event. Forensic analysis confirmed the ransomware's identity through code examination but yielded no immediate conclusions about how WannaCry breached the kiosk systems, particularly given existing patches and security protocols developed after the malware's initial global outbreak. The investigation continued to focus on potential entry points specific to the kiosk infrastructure.
