Cyber Incident Victim: South Korea

Date:

Apr 2017

Location:

South Korea

Summary

Chinese state-linked hacking groups targeted South Korean military officials involved in deploying the THAAD missile defense system, according to cybersecurity firm FireEye. The attackers used spear-phishing emails with malicious attachments to infiltrate systems, successfully compromising at least one individual. Two groups were identified: the Tonto Team, associated with northern China and North Korean operations, and APT10, believed connected to Chinese military intelligence. The cyber-espionage campaign aimed to disrupt the anti-ballistic missile shield deployment, which China had publicly opposed. FireEye attributed the activity to China's strategic efforts to counter the defense system's installation in the country.

CIA Posture: Available to members

Motives: 3 motives

Tactics, Techniques & Procedures: 1 technique

Threat Actors: 2 actors

Type: Available to members

Location: Available to members

Description

In April 2017, cybersecurity firm FireEye reported that Chinese state-sponsored hacking groups had targeted South Korean military entities involved in the deployment of the Terminal High Altitude Area Defense (THAAD) missile defense system. The attacks commenced after South Korea agreed to host THAAD components, a decision China opposed due to regional security concerns. FireEye identified two distinct threat groups: Tonto Team, operating from northern China with suspected links to North Korean cyber operations, and APT10, a long-standing group associated with Chinese military intelligence. Both groups employed spear-phishing emails containing weaponized attachments directed at South Korean officials and defense personnel. At least one recipient compromised their system by interacting with the malicious payload, enabling unauthorized access. FireEye attributed the campaign's discovery to operational security failures by the attackers, which allowed their activities to be monitored and traced. The primary objective appeared to be disrupting THAAD's implementation, which China viewed as a strategic threat.

The incident represented an escalation in cyber operations targeting military infrastructure amid geopolitical tensions. FireEye disclosed these findings to the Wall Street Journal on April 21, 2017, though specific technical indicators, victim identities, and any exfiltrated data were not publicly detailed. The targeting focused on personnel and systems critical to THAAD's deployment rather than broader civilian infrastructure. No South Korean government confirmation or denial of the breaches was reported at the time. The campaign underscored China's willingness to employ cyber-espionage tools to counter perceived security threats, aligning with its diplomatic objections to THAAD. FireEye's attribution relied on observed tactics, infrastructure, and historical patterns linking the groups to Chinese state interests. The incident highlighted the persistent vulnerability of military supply chains to socially engineered attacks, even amid heightened regional tensions.
