Cyber Incident Victim: National Assembly of South Korea
Date: Oct 2015
Location: South Korea
Summary
North Korean hackers infiltrated computers belonging to South Korean National Assembly lawmakers and government aides, stealing sensitive data including government audit files. The attackers also targeted servers at the presidential Blue House, Foreign Ministry, and Defense Ministry, though security agencies blocked these attempts. Following the breach, new security measures were implemented at affected institutions. The incident aligns with a pattern of North Korean cyber operations, including prior intrusions at a nuclear power company and attempts to steal sensitive employee information, though Pyongyang has consistently denied involvement in such activities.
Description
In early October 2015, North Korean hackers conducted cyber intrusions targeting South Korean government entities, including the National Assembly and presidential offices. The attackers compromised three personal computers belonging to South Korean National Assembly members, stealing government audit data. An additional 11 computers used by government aides were breached, resulting in theft of sensitive information. Simultaneous hacking attempts targeted servers at Seoul's presidential Blue House, Foreign Ministry, and Defense Ministry. South Korea's National Intelligence Service (NIS) successfully intercepted and blocked the infiltration attempts against the Blue House and ministerial servers. The attacks were disclosed during a parliamentary audit on October 20, 2015, where ruling party lawmaker Lee Cheol-woo confirmed immediate security enhancements at the Blue House and notification of the National Assembly Secretariat about the breaches. Opposition lawmaker Shin Kyoung-min publicly revealed the scale of legislative branch compromises during the same audit session.

This incident occurred within a documented pattern of North Korean cyber operations against South Korean infrastructure. The NIS had previously attributed the December 2014 breach of Korea Hydro and Nuclear Power servers to North Korean actors, along with multiple attempts to steal sensitive data from energy sector employees. Pyongyang consistently denied involvement in such operations, dismissing Seoul's evidence—including the identification of North Korean IP addresses in previous breaches—as "ignorant, heavy-handed and nonsensical." During the October 20 parliamentary audit, the NIS provided additional context about North Korea's military capabilities, stating the regime lacked miniaturized nuclear warhead technology and showed no preparations for long-range missile tests, though they confirmed Pyongyang was advancing toward a fourth nuclear test. The intelligence agency suggested North Korea might be aligning its military posture with China's opposition to missile provocations. The data theft from legislative computers represented a direct compromise of South Korea's parliamentary oversight functions, while the blocked executive branch intrusions demonstrated continued targeting of core government institutions.
