
Cyber Incident Victim: Korea Institute for Advanced Study

Date:

Jan 2023

Location:

South Korea

Summary

A Chinese-language hacktivist group known as Xiaoqiying, Genesis Day, or Teng Snake targeted multiple South Korean academic and research institutions with data theft and website defacements, replacing site content with messages declaring that the "Korean Internet" had been invaded. The attackers compromised internet-facing devices using off-the-shelf penetration-testing tools and public proof-of-concept exploits, stealing approximately 54 gigabytes of data that was later leaked on cybercriminal forums. Motivated by patriotism toward China rather than financial gain, the group also claimed subsequent compromises of organizations in Japan and Taiwan. Researchers identified the actors' use of Telegram channels for recruitment and announcements, alongside a clearnet website used to promote their activities, though no direct ties to the Chinese government were established.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

A Chinese-language threat group known as Xiaoqiying, Genesis Day, or Teng Snake began cyberattacks against multiple South Korean research and academic institutions on January 25, 2023. The targeted organizations included the Korean Research Institute for Construction Policy, the Korean Archaeological Society, the Woorimal Academic Society, and the Korean Academy of Basic Medicine & Health Science, among others. The group gained initial access by exploiting internet-facing devices with popular penetration-testing tools and publicly available proof-of-concept exploit code. The attackers exfiltrated approximately 54 gigabytes of data, which they later leaked on cybercriminal forums such as BreachForums and Ramp Forum. They also defaced victim websites, replacing content with generic error pages or with messages declaring that the "Korean Internet" had been "invaded." The group operated two Telegram channels for recruitment and announcements, which together had over 700 subscribers before being shut down in February 2023 following media coverage of the attacks.

Insikt Group researchers analyzed the group's activities and assessed that its primary motivation was patriotism toward China rather than financial gain. The threat actors made unverified claims of compromising high-profile targets, including South Korea's Ministry of Health, Defense Ministry, Samsung's internal intranet, and entities in the U.S., Ukraine, Japan, and Taiwan. They also alleged partnerships with groups such as Lapsus$, the Hive ransomware operation, Pakistani hackers, and Russian state actors, though no direct ties to the Chinese government were identified. After their Telegram channels were disbanded, affiliated actors continued operations via a clearnet website created on January 5, 2023, hosted on a Cloudflare IP address that had also been linked to Pakistan-based APT36; because Cloudflare reverse-proxy addresses are shared by many unrelated sites, such IP overlap is weak evidence of a connection on its own. One member using the alias "uetus" claimed a subsequent breach of National Taiwan University on April 5, leaking 25 GB of data. Researchers recovered stolen files, malware source code, U.S. government-related documents, and credit card data from the group's channels, but no containment or remediation efforts by the victim organizations were described in the available information.

Sources

1 source (available to members)