“It was by accident,” Saber told The Diplomat when asked how the white hat hacker and their partner cyb0rg discovered what appears to be one of the most comprehensive known penetrations of the South Korean government’s digital infrastructure in recent memory.
The two independent security researchers, only identified by their pseudonyms, claim to have compromised a workstation they attributed to Kimsuky, North Korea’s state-sponsored cyber espionage group. They published their findings in August through the hacker magazine Phrack at the annual DEF CON hacker conference in Las Vegas.
Their 8.9GB data dump triggered intense debate about who was really behind the systematic breach of South Korea’s most sensitive systems, and how it could ever have happened.
What the Hackers Found
The leaked data shows deep, sustained access to South Korea’s government backbone. At the center is the Onnara system, the government’s operational platform that handles document, inter-ministry communications, and knowledge management across central and local agencies.
Technical evidence shows the operator maintained active access to Onnara with custom automation tools and session management capabilities. The dump also revealed compromised email credentials for multiple accounts at the Defense Counterintelligence Command, with phishing attacks continuing until just days before publication.
The breach extended across multiple government institutions. The data includes complete source code from the Ministry of Foreign Affairs’ email platform, alongside evidence of targeting the Supreme Prosecutor’s Office and compromising the Ministry of Unification through brute-force attacks against the ministry’s domain. The dump also contains thousands of GPKI digital certificates – the cryptographic keys securing official communications – along with cracked passwords that protected them.
Telecommunications were also hit. The dump shows access to LG Uplus and credential collections indicating penetration of KT’s infrastructure. These firms are two of South Korea’s three major telecom operators.
Overall, the operator maintained extensive phishing campaigns, malware, and vast credential databases spanning multiple sectors.
The Attribution Puzzle
Based on technical analysis, there is broad consensus that the operations were conducted from China. Browser histories show the operator repeatedly used Google Translate to convert Korean text into simplified Chinese and followed work schedules matching Chinese holidays. Researchers from Korea University’s Graduate School of Information Security found Chinese-language documentation across the operator’s systems, notes written in Chinese characters, and browsing patterns focused on Chinese security websites. Spur, which specializes in proxy infrastructure analysis, traced much of the activity to WgetCloud, a Chinese proxy service predominantly used by China-based users.
Michael “Barni” Barnhart from DTEX, who has extensively tracked North Korean operations, told The Diplomat that “the infrastructure and malware used in these operations do not align with known APT43 tradecraft,” referring to the industry designation for North Korea’s Kimsuky. “The technical signatures, deployment methods, and operational patterns diverge significantly from previously observed APT43 campaigns,” he added. His assessment pointed to linguistic elements in malware communications suggesting “a lower-tier PRC-aligned actor.”
S2W, a South Korean cybersecurity firm, assessed that the actor was “unlikely to be directly associated with the North Korea-linked threat group Kimsuky,” citing inconsistent operational patterns and different toolsets from known Kimsuky operations.
But experts remain sharply divided on who was actually controlling these China-based operations. Some believe Chinese actors were working independently for Chinese intelligence interests. Others point to potential China-North Korea collaboration, given the documented precedent of North Korean operations from Chinese territory. Proponents of this view include Saber, who told The Diplomat that they believe the hacked hacker “is a Chinese national working from China and for both Chinese and North Korean government interests.”
A third theory suggests North Korea outsourced operations to Chinese contractors. The workstation involved was configured for the Korean time zone and its targets aligned with Kimsuky’s traditional focus on South Korean government institutions, potentially suggesting North Korean direction despite Chinese execution.
Barnhart noted that APT43 “is not assessed to be in a position of intelligence scarcity that would necessitate outsourcing to non-DPRK entities,” though such arrangements might “more plausibly align with Russian interests.”
The fourth possibility involves sophisticated Chinese false flag operations designed to implicate North Korea while pursuing separate intelligence objectives.
Seoul’s Fragmented Response
South Korea’s response has focused on damage control rather than accountability, likely reflecting both the scale and sensitivity of the hack, especially given the China connection.
Presidential spokesperson Kang Yu-jung claimed “no accurate information” when questioned about the breaches, deflecting to the Ministry of National Defense (MND). The MND has yet to comment publicly on the incident. When The Diplomat approached the Korea Internet & Security Agency, the agency deflected to the Ministry of Science and ICT (MSIT).
When approached directly, MSIT issued a brief statement: “MSIT is responsible for cyber threat response in the private information and communications sector, so we ask for your understanding that it is difficult to answer your questions.”
The Ministry of Unification acknowledged the incident, stating it had been “aware of security vulnerabilities in advance through cooperation with related agencies and completed measures.” The ministry confirmed implementing “security education for all staff” and strengthening “operational system security measures” following the breach.
Professor Kim Seung-joo from Korea University has been a vocal critic of the government, highlighting the absence of a cybersecurity “control tower.” At a recent parliamentary hearing into the KT and LG Uplus breaches – which mirrored a separate breach of SK Telecom, the country’s largest telecoms company – Kim said, “Our country’s government needs to think about how our intelligence capabilities are not even as good as two foreign hackers.”
When asked whether the breach constituted a national security crisis beyond mere data theft, he replied, “Yes, I see it that way.”
Seoul’s muted response could reflect diplomatic sensitivities around potential Chinese involvement. President Lee Jae-myung’s “pragmatic” diplomacy has sought improved relations with Beijing, with bilateral summit talks under consideration when President Xi Jinping visits for the upcoming APEC leaders’ meeting at the end of October. Direct attribution to China could complicate these efforts.
Beyond the diplomatic angle, confirmation of the link to China could potentially inflame anti-China sentiment and conspiracy theories, which have manifested in recent far-right rallies. The government is keen to diffuse these narratives.
A Systematic Campaign
The government’s lack of response becomes more concerning when viewed alongside evidence of widespread penetration across South Korea’s critical infrastructure.
According to data obtained by lawmakers, there were over 9,000 cyber intrusion attempts against military networks in the first half of 2025 alone, up 36 percent from 2023.
The Ministry of Health and Welfare and its agencies also faced over half a million hacking attempts by August 2025, up 151 percent from 2022. The ministry has seen a staggering 4,813 percent increase in targeting compared to 2022.
Yet despite planned increases in overall cybersecurity spending for 2026, critics argue that the government’s record 35.3 trillion won R&D budget plan lacks dedicated cybersecurity categories, with security funding either embedded within other sectors or missing entirely.
The fragility of critical government infrastructure was demonstrated in September when a battery fire at the National Information Resources Service in Daejeon shut down 647 government systems – nearly one-third of all national information systems. The National Intelligence Service raised the cyber threat level as a result, citing fears hackers could exploit potential security gaps during recovery work ahead of the APEC leaders meeting.
These vulnerabilities may represent only the visible portion of a far more serious compromise. Evidence in the Phrack data dump seen by The Diplomat suggests the penetration likely extended to highly sensitive materials related to North Korea and intelligence gathering operations. Given that the obtained data pertains to only one workstation, the discovery potentially reveals a much wider breach, raising further questions about attribution, potential false flag operations, and the purpose of gaining such information.
When specifically questioned about access to such materials, the Ministry of Unification provided vague responses, stating it was “currently investigating with related agencies” without elaborating which ones or the scope of the potential compromise.
As investigations continue, the question of attribution remains complex, but the scale of compromise across both public and private sectors is becoming clear, representing a strategic failure with implications for national security and public confidence in critical infrastructure.
“Hopefully researchers will take a closer look at the dumps and better understand how these APTs harass citizens,” Saber said. “The world would be a better place without them.”