Cyber Incident Victim: Korean Academy of Basic Medicine & Health Science
Date: Jan 2023
Location: South Korea
Summary
A Chinese-language hacktivist group known as Xiaoqiying targeted multiple South Korean academic and research institutions, including the Korean Academy of Basic Medicine & Health Science, in data exfiltration attacks. The group, motivated by patriotism toward China, stole sensitive information—claiming 54 gigabytes of data—and defaced websites with messages declaring the "Korean Internet" had been "invaded." They exploited internet-facing devices using penetration-testing tools and proof-of-concept exploits, recruiting members via Telegram channels later shut down. While no direct government ties were confirmed, the group's non-financial focus and geopolitical targeting aligned with broader Chinese cyber activity. They also claimed subsequent attacks against entities in Japan and Taiwan, sharing stolen data on cybercriminal forums.
Description
The Chinese-language threat group known as Xiaoqiying, Genesis Day, or Teng Snake began cyberattacks against multiple South Korean research and academic institutions on January 25, 2023. Among the targeted organizations was the Korean Academy of Basic Medicine & Health Science. The group conducted data exfiltration attacks, exploiting internet-facing devices using popular penetration-testing tools and proof-of-concept exploit code. They operated two Telegram channels, one for announcements and another for recruitment, which collectively had over 700 subscribers before being shut down in February following media coverage of the attacks. Through these channels, the group claimed to have stolen 54 gigabytes of data from various victims, though many of their assertions, including claimed compromises of entities such as the FBI, Samsung, and South Korea's Ministry of Health, remained unverified. The actors defaced websites by replacing content with generic error pages or messages declaring the "Korean Internet" had been "invaded."

Insikt Group researchers analyzed leaked materials from the Telegram channels, recovering stolen data, malware source code, U.S. government-related files, and credit card information. The group shared some exfiltrated data on cybercriminal forums like BreachForums—later seized in an FBI-led operation—and Ramp Forum, where they were banned for embedding malware in download links. Despite the Telegram shutdowns, affiliated actors continued operations via a clearnet website created on January 5, 2023. One member ("uetus") claimed an April 5 breach of National Taiwan University, leaking 25 GB of data, though the depth of access was unclear. Researchers linked the group’s domain to a Cloudflare IP associated with APT36, a Pakistan-linked threat actor. No direct ties to the Chinese government were identified, but the group’s non-financial motivations—emphasizing patriotism and targeting entities deemed hostile to China—suggested ideological drivers. The attacks aligned with broader patterns of China-nexus cyber activity against South Korean entities, including prior campaigns by military-linked hackers.
