Cyber Incident Victim: Ministry of National Defense (South Korea)
Date: Oct 2015
Location: South Korea
Summary
North Korean hackers infiltrated South Korean government systems, stealing sensitive data from National Assembly members' computers and aides' devices while attempting breaches against the presidential Blue House, Defense Ministry, and Foreign Ministry. The country's intelligence agency blocked attacks on high-profile targets but confirmed successful theft of audit information and classified materials. This incident followed a pattern of previous cyber intrusions attributed to North Korea, including attacks on nuclear power infrastructure, despite Pyongyang's consistent denials of involvement. Security enhancements were implemented at critical government facilities following the breaches.
Description
In early October 2015, North Korean hackers infiltrated multiple South Korean government systems, compromising sensitive data across critical institutions. The National Intelligence Service (NIS) confirmed that attackers stole government audit files from three personal computers belonging to National Assembly members during this intrusion. Eleven additional computers used by government aides were breached, with opposition lawmaker Shin Kyoung-min disclosing the theft of sensitive information from these devices. The cyber campaign extended to servers at Seoul’s presidential Blue House, Foreign Ministry, and Defense Ministry, though the NIS successfully intercepted the attempts targeting the Blue House and ministerial systems. Chosun Ilbo reported the hackers’ broader objective involved cybertheft operations across these high-value targets. This incident followed a pattern of North Korean cyber aggression, including the December 2014 breach of Korea Hydro and Nuclear Power servers and prior attempts to extract sensitive data from South Korean employees.

South Korean authorities responded by implementing enhanced security measures at the Blue House and notifying the National Assembly Secretariat of the breach, as ruling party lawmaker Lee Cheol-woo disclosed during a parliamentary audit. The NIS publicly attributed the attacks to North Korea, citing historical evidence such as reused North Korean IP addresses from earlier intrusions, though Pyongyang denied involvement and dismissed Seoul’s conclusions as unfounded. During the same October 20 parliamentary audit, the NIS provided additional context on North Korea’s military capabilities, stating Pyongyang lacked miniaturized nuclear warhead technology and showed no signs of imminent long-range missile tests, while confirming preparations for a fourth nuclear test. The incident underscored persistent vulnerabilities in South Korea’s government networks and the operational continuity of North Korean cyber espionage campaigns targeting strategic national assets.
