Date:

Jan 2016

Location:

South Korea

Summary

North Korean hackers breached South Korea's Defense Integrated Data Center, accessing portions of the OPlan 5027 military strategy detailing allied troop deployments and first-strike targets for regional conflict scenarios. The intrusion compromised approximately 2,000 internet-connected and 700 intranet-connected systems via malware associated with North Korean operatives based in China, though defense officials initially minimized the incident's severity. Investigators questioned 40 individuals while military authorities debated modifying the compromised war plans. The breach followed a prior security incident involving unauthorized transfer of similar strategic documents. Confidentiality impacts remained unclear despite confirmed theft of sensitive materials, with government sources acknowledging challenges in assessing the full scope of exfiltrated data.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In mid-2016, North Korean hackers breached South Korea’s Defense Integrated Data Center, a critical cyber infrastructure hub, compromising portions of OPlan 5027—a classified military strategy jointly developed by South Korea and the United States to coordinate allied responses to regional conflict. The stolen documents included details on first-strike targets, troop deployments, and contingency protocols. South Korean Defense Ministry officials initially downplayed the incident but confirmed the theft of sensitive materials, acknowledging that approximately 2,000 internet-connected computers and 700 intranet-connected systems were infected with malware attributed to North Korean hacking groups operating from China. While one ministry source asserted hackers accessed only "portions of the plan," another government official admitted it was "difficult to gauge" the full scope of exfiltrated data. OPlan 5027, first drafted in the late 1970s and updated biennially since 1994, had been supplemented in 2015 by OPlan 5015, which adopted a more aggressive posture toward neutralizing nuclear delivery systems. Following the breach, South Korean military officials debated whether to revise the compromised war plans due to North Korea’s potential possession of their contents.


The 2016 intrusion mirrored a 2009 incident in which OPlan 5027 was leaked after a South Korean officer transferred the documents via an unsecured USB drive, allowing North Korean hackers based in China to potentially acquire the data. In response to the 2016 breach, South Korean authorities interrogated 40 individuals connected to the incident, though no disciplinary actions or procedural changes were disclosed publicly. The breach occurred amid escalating regional tensions, including increased missile tests by North Korea and public threats of unilateral military action by U.S. President Donald Trump in 2017. Concurrently, cybersecurity firm Kaspersky Lab documented North Korean hackers’ involvement in global financial sector attacks, underscoring the regime’s expanding cyber capabilities. South Korean officials did not confirm whether the stolen OPlan 5027 data influenced North Korea’s subsequent military posturing or strategic decisions.

Sources
Sources available to members
2 sources