Cyber Incident Victim: North Gyeongsang resettlement centre
Date: Dec 2018
Location: South Korea
Summary
A malicious code infection on a computer at a South Korean resettlement center compromised personal data—including names, birth dates, and addresses—of nearly 1,000 North Korean defectors, marking the first large-scale breach of such information. While the attackers' origin remains unconfirmed, experts noted prior North Korean cyber group activity targeting defector communities and expressed concerns that the leak could endanger relatives still in the North, potentially prompting defectors to alter their personal details for safety. Investigations by authorities are ongoing, with the unification ministry pledging enhanced preventive measures. The incident underscores broader cybersecurity threats linked to North Korean actors, who have historically exploited asymmetric cyber capabilities due to attribution challenges.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On December 19, 2018, South Korea's Unification Ministry discovered a malicious program installed on a desktop computer at the North Gyeongsang resettlement center, one of 25 state-run Hana centers assisting approximately 32,000 North Korean defectors with social integration. The ministry publicly confirmed the breach on December 28, revealing that personal information of 997 defectors—including names, birth dates, and residential addresses—had been compromised through this cyber intrusion. This marked the first documented large-scale data leak involving North Korean defectors in South Korea. Forensic analysis determined that the breach originated from a malware infection on a single workstation, though investigators could not immediately confirm the attackers' identity or geographical origin. The ministry and national police launched a joint investigation to determine the intrusion vector and the full scope of compromised systems.

The data breach raised immediate concerns about potential risks to defectors' family members remaining in North Korea, where authorities might not have official records of their relatives' defections. International NGO Liberty in North Korea warned the incident could erode defectors' sense of security, potentially forcing individuals to change identities, phone numbers, or residences as precautionary measures. Cybersecurity expert Simon Choi noted historical targeting of defector communities by specific North Korean hacking groups, referencing an unsuccessful 2017 intrusion attempt against another Hana center, though no conclusive evidence linked this breach to North Korean actors. The Unification Ministry pledged enhanced security protocols across all resettlement facilities while continuing operational support for defectors. Concurrent investigations focused on malware analysis and intrusion patterns, with officials acknowledging the persistent challenge of attributing cyberattacks due to North Korea's limited internet infrastructure and advanced obfuscation techniques employed by state-sponsored threat actors.
