Cyber Incident Victim: Korean Archaeological Society
Date: Jan 2023
Location: South Korea
Summary
A Chinese-language hacktivist group known as Xiaoqiying targeted South Korean research and academic institutions, including the Korean Archaeological Society, in late January through data exfiltration attacks and website defacements. The group, motivated by patriotism toward China, exploited internet-facing devices using penetration-testing tools and proof-of-concept exploits, stealing 54 gigabytes of data and replacing websites with messages declaring the "Korean Internet" had been "invaded." Stolen data was leaked on cybercriminal forums, while the actors also claimed compromises in Japan and Taiwan. Operating via Telegram channels and a clearnet site, the group recruited members and promoted unverified claims of attacks against entities like the FBI and Samsung, though no direct ties to the Chinese government were established.
Description
The Chinese-language threat group Xiaoqiying, also known as Genesis Day or Teng Snake, initiated cyberattacks against twelve South Korean research and academic institutions beginning January 25, 2023. Among the confirmed targets were the Korean Archaeological Society, the Korean Research Institute for Construction Policy, the Woorimal Academic Society, and the Korean Academy of Basic Medicine & Health Science. The group exploited internet-facing devices using popular penetration-testing tools and proof-of-concept exploit code to infiltrate networks. Their operations involved data exfiltration, with the group claiming to have stolen 54 gigabytes of data across multiple victims. They additionally defaced compromised websites, replacing content with generic error pages or messages declaring the "Korean Internet" had been "invaded." Xiaoqiying utilized two Telegram channels—one for public announcements and another for coordination with hackers and followers—to recruit members, share stolen data, and make unverified claims of compromising high-profile entities like Samsung, the FBI, and South Korea’s Ministry of Health and Defense. These channels, which had over 700 subscribers, were shut down in February 2023 following media coverage of the attacks. Prior to the shutdown, the group leaked portions of stolen data on cybercriminal forums BreachForums and Ramp Forum, though they were later banned from Ramp Forum for allegedly hiding malware in download links.

Insikt Group researchers from Recorded Future analyzed the group’s activities, recovering leaked data, malware source code, tools, U.S. government-related files, and credit card information from the Telegram channels. The investigation revealed Xiaoqiying’s primary motivation as patriotic allegiance to China, with no evidence of financial objectives or direct ties to the Chinese government. The group’s Telegram posts and clearnet website—established on January 5, 2023—indicated planned attacks against entities in Japan, Taiwan, and NATO countries perceived as hostile to China. After the Telegram shutdown, affiliated actors continued operations via the clearnet site, with one member ("uetus") claiming an April 5 compromise of National Taiwan University involving a 25 GB data leak. The domain for this activity traced to a Cloudflare IP address linked to APT36, a Pakistan-based threat group. While Xiaoqiying boasted partnerships with groups like Lapsus$, Hive ransomware, Pakistani hackers, and Russian state actors, these claims remained unverified. The FBI’s March 2023 takedown of BreachForums disrupted some of the group’s data-leaking activities. Recorded Future’s analysis concluded the attacks aligned with broader patterns of China-aligned cyber activity targeting South Korea, including financially motivated campaigns by criminal gangs and a separate September 2022 campaign by Chinese military-linked hackers against South Korean corporations.
