Cyber Incident Victim: Hanjin Heavy Industries
Date: Apr 2016
Location: South Korea
Summary
A South Korean defense contractor specializing in naval vessel production was targeted in a cyberattack suspected to involve North Korean state-sponsored actors. South Korean authorities investigated potential military secret leaks and attributed the breach to North Korea's cyber units, including Bureau 121 and the Lazarus Group—previously linked to major international incidents. The attack formed part of a broader pattern of intrusions against the country's defense industrial base, though Pyongyang denied involvement and dismissed the allegations as politically motivated fabrications.
Description
On April 20, 2016, South Korean authorities detected signs of a cyber intrusion targeting Hanjin Heavy Industries, a major defense contractor responsible for manufacturing naval vessels and amphibious assault ships, including the ROKS Dokdo. The Defense Security Command initiated a security investigation to determine whether military secrets had been compromised and to assess potential North Korean involvement. While specific technical details of the attack vector, compromised systems, and data exfiltration scope were not publicly disclosed, the breach represented a continuation of security incidents affecting South Korea's defense industrial base. This followed intrusions in November 2015 against LIG Nex1 and the Agency for Defense Development – both critical entities in South Korea's military technology sector, particularly regarding AESA radar development. Government officials maintained operational secrecy during the investigation but acknowledged the incident through anonymous statements to Yonhap News Agency.

South Korean authorities attributed the attack to North Korean state-sponsored actors, citing similarities to previous operations conducted by elite hacking units such as Bureau 121 – a cyber warfare group reportedly operating under North Korea's General Bureau of Reconnaissance. The Lazarus Group, previously implicated by security researchers in the 2014 Sony Pictures hack and formally attributed to North Korea by the U.S. government, was referenced as demonstrating Pyongyang's advanced cyber capabilities. North Korea's government denied responsibility, dismissing the allegations as politically motivated fabrications. The incident highlighted persistent vulnerabilities in South Korea's defense supply chain, with potential consequences including the compromise of sensitive naval platform specifications and amphibious warfare capabilities. No public evidence was presented to substantiate the extent of data loss or specific military systems affected by the breach.
