Date: Jan 2023

Location: South Korea

Summary

A Chinese-language hacktivist group known as Xiaoqiying targeted multiple South Korean research and academic entities, including the Korean Research Institute for Construction Policy, in late January. The attackers exfiltrated data (claiming 54 gigabytes) and defaced websites with messages stating that the Korean Internet had been invaded. Using penetration-testing tools and proof-of-concept exploits, the group shared stolen information on cybercriminal forums and touted partnerships with groups such as Lapsus$. Motivated by patriotism toward China, the group expanded operations to Japan and Taiwan, maintaining activity through a clearnet website after its Telegram channels were shut down. No direct government links were established, but the group's non-financial focus suggests ideological drivers.


Description

On January 25, 2023, a Chinese-language threat group known as Xiaoqiying, Genesis Day, or Teng Snake initiated cyberattacks against multiple South Korean research and academic institutions, including the Korean Research Institute for Construction Policy, the Korean Archaeological Society, the Woorimal Academic Society, and the Korean Academy of Basic Medicine & Health Science. The attacks involved data exfiltration and website defacement, with threat actors exploiting internet-facing devices using popular penetration-testing tools and proof-of-concept exploit code. The group claimed to have stolen 54 gigabytes of data from targeted organizations, later leaking portions on cybercriminal forums like BreachForums and Ramp Forum. Website defacements included generic error pages or warnings stating the “Korean Internet” had been “invaded.” Researchers from Recorded Future’s Insikt Group identified the group’s activities through analysis of its Telegram channels, which had over 700 subscribers before being shut down in February 2023 following media coverage of the South Korean incidents.


The threat group operated as an ideologically driven hacktivist collective motivated by patriotism toward China, with no evidence of financial objectives or direct ties to the Chinese government. Insikt Group obtained leaked data, malware source code, U.S. government-related files, and credit card information from the group’s Telegram channels, which also contained unverified claims of attacks against entities like the FBI, Samsung, Ukraine, and South Korea’s Ministry of Health and Defense. The group recruited members via Telegram and touted alleged partnerships with groups such as Lapsus$, Hive ransomware, Pakistani hackers, and Russian government actors, though these claims lacked verification. After Telegram shutdowns, affiliated actors continued operations via a clearnet website, with one member (“uetus”) claiming an April 5 compromise of National Taiwan University involving 25 GB of leaked data. The domain used for this activity traced to a Cloudflare IP address linked to APT36, a Pakistan-linked threat group. Historical context indicates Chinese-based actors have persistently targeted South Korean organizations for geopolitical and financial reasons, including a separate September 2022 campaign by Chinese military-linked hackers against South Korean corporations documented by Symantec.
