Cyber Incident Victim: South Korean National Tax Service

Date:

Mar 2023

Location:

South Korea

Summary

The LockBit ransomware gang announced a cyberattack against the South Korean National Tax Service, claiming to have exfiltrated data. The group threatened to release the stolen information publicly if a ransom was not paid by a specified deadline. While the gang ultimately announced the publication of this data, the actual release was not immediately confirmed. A breach of the tax service poses a severe risk to citizen privacy due to the sensitive personal and financial information the agency collects.

Description

On March 29, 2023, the LockBit ransomware gang publicly announced it had successfully compromised the South Korean National Tax Service (NTS). The group added the South Korean agency to its Tor-based data leak site, a platform frequently used by the gang to list its victims and threaten the public release of stolen data. The announcement served as the initial public confirmation of the security incident. The group set a deadline of April 1st, 2023, stating that it would publish the data it had exfiltrated from the tax agency's systems if its ransom demands were not met by then. This gave the victim a very short window of approximately three days to respond to the extortion attempt.

The National Tax Service of South Korea is a major government agency primarily responsible for the assessment and collection of internal taxes. It was established as an external organization of the Ministry of Finance on March 3, 1966. Its functions involve handling vast quantities of sensitive citizen data. The types of information managed by such a tax service agency typically include highly personal and financial details of citizens and businesses. This can encompass national identification numbers, income records, tax filing history, and other confidential financial information. The compromise of such data represents a significant threat to individual privacy and security.

The deadline set by the LockBit gang passed on April 1st. Following this, the group updated its leak site to announce the publication of the stolen information. This action indicated that the ransom was not paid or that negotiations between the threat actors and the victim had failed to reach a resolution acceptable to the attackers. The public declaration of the data's release was the next step in LockBit's double-extortion tactic, where data is both encrypted and stolen, with the threat of release used as additional leverage to force a payment.

However, at the time the reporting article was written, the data had not actually been made available on the leak site, despite the announcement of its publication. This left a discrepancy between the gang's claim to have released the data and its public availability. The hack itself, while announced by the group, had not been independently verified at the time of the report, and the specific volume and precise content of the allegedly exfiltrated data remained unconfirmed by external parties.

The potential impact of such a data breach is severe due to the nature of the information held by the National Tax Service. The personal and financial data collected by tax authorities is among the most sensitive information a government holds on its citizens. If the stolen data were to be published, it could be exploited by threat actors for a wide range of criminal activities. The primary risks include financial fraud, sophisticated phishing campaigns, and identity theft. Malicious actors could use the information to impersonate individuals, apply for credit, file fraudulent tax returns, or gain unauthorized access to other financial accounts. The scale of such a breach could affect a substantial portion of the South Korean population, leading to widespread privacy violations and financial harm.

The incident demonstrated the continued high level of activity of the LockBit ransomware operation throughout the period. The group was reported to have added approximately 100 new victims to its leak site during the month of March 2023 alone, indicating a prolific and aggressive campaign of attacks against organizations worldwide. The targeting of a national tax service agency represents a significant escalation in the boldness of ransomware groups, focusing on critical government infrastructure that manages essential citizen data. The attack on the South Korean National Tax Service fits within a broader pattern of ransomware groups increasingly targeting high-profile public sector organizations to maximize pressure for ransom payments. The event underscores the ongoing global challenge posed by sophisticated ransomware syndicates to both public and private sector entities.
