Security Crisis: South Korea Confirms Major Hack of Government Document System
The South Korean government has officially confirmed a cyberattack on the nation’s key infrastructure—two months after the incident occurred. According to the report, attackers gained access to the Onnara document management system, used by public officials, as well as to GPKI digital certificates, which authenticate users in administrative procedures. After weeks of silence, authorities have admitted that the breach represents a serious compromise in the country’s security chain and have launched an investigation to determine the source of the leak and assess the potential damage.
The Ministry of the Interior and Safety stated that traces of unauthorized access were first detected in mid-July by the National Intelligence Service (NIS). The intrusion was carried out through the government’s G-VPN network, allowing attackers to infiltrate internal systems. Although officials had previously declined to confirm information published in July by Phrack Magazine, the government has now acknowledged that the attack affected multiple ministries and several major technology firms, including KT, LG U+, Daum, Kakao, and Naver.
A ministry representative reported that no confirmed leaks of official documents have yet been identified, though such a possibility cannot be ruled out and remains under investigation. To mitigate the impact and prevent future incidents, the government has tightened its security protocols. As of August 4, access to G-VPN now requires not only a digital signature but also phone-based verification. Additionally, on July 28, a system was implemented to block the reuse of Onnara logins across all central and local government agencies.
Regarding the GPKI digital certificates, the ministry clarified that most had already expired by the time of the incident, while the remaining valid ones were revoked on August 13. Authorities identified the primary cause of the attack as negligence in data handling, which allowed sensitive information to leak beyond government networks. All agencies have since been instructed to cease shared use of certificates and to review their data storage procedures.
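The two controls the ministry describes, blocking reuse of one Onnara login across agencies and ending shared use of GPKI certificates, both come down to the same question for a defender: is a single identity authenticating from more than one agency? The script below is an added example written for this page, not code from the article or the Korean government, showing one way to answer it from authentication logs. The log format, field names (id, agency, src), the 30-minute window and the sample lines are all assumptions constructed for the example.

```python
"""Detect shared use of a single login or certificate across agencies.

Added example, not from the article or any government system. It scans
authentication logs for one identity (account or certificate serial) that
authenticated successfully from two or more agencies within a short window,
which is the pattern a "no shared logins / no shared certificates" rule
is meant to prevent. Log format, field names and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Fields: timestamp, event,
# identity (account or certificate serial), agency code, source IP.
SAMPLE_LOG = """\
2025-07-10T09:01:12 AUTH_OK id=cert:1A2B agency=MOIS src=10.1.4.20
2025-07-10T09:05:44 AUTH_OK id=cert:1A2B agency=MOEF src=10.7.9.3
2025-07-10T09:07:02 AUTH_OK id=user:kim.ys agency=MOIS src=10.1.4.21
2025-07-10T13:30:00 AUTH_OK id=user:kim.ys agency=MOIS src=10.1.4.21
2025-07-10T09:10:15 AUTH_OK id=cert:9F00 agency=NIS src=10.3.0.8
2025-07-11T08:00:00 AUTH_OK id=cert:9F00 agency=MOFA src=10.9.1.1
2025-07-10T09:12:30 AUTH_FAIL id=user:lee.jh agency=MOEF src=10.7.9.4
"""

# Assumed detection window: two agencies using one identity this close
# together is treated as sharing rather than a legitimate reassignment.
WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = {}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        if not value:
            return None
        fields[key] = value
    if not {"id", "agency", "src"} <= fields.keys():
        return None
    return {"ts": ts, "event": parts[1], **fields}


def find_shared_identities(log_text, window=WINDOW):
    """Return {identity: sorted agencies} for identities that authenticated
    successfully from two or more agencies within `window` of each other.
    Failed logins are ignored; only successful use counts as sharing."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["event"] != "AUTH_OK":
            continue
        events[rec["id"]].append((rec["ts"], rec["agency"]))

    shared = {}
    for ident, evs in events.items():
        evs.sort()  # chronological order so the window scan can stop early
        agencies = set()
        for i, (t1, a1) in enumerate(evs):
            for t2, a2 in evs[i + 1:]:
                if t2 - t1 > window:
                    break
                if a1 != a2:
                    agencies.update((a1, a2))
        if agencies:
            shared[ident] = sorted(agencies)
    return shared


if __name__ == "__main__":
    for ident, agencies in find_shared_identities(SAMPLE_LOG).items():
        print(f"{ident}: used from {', '.join(agencies)} within {WINDOW}")
```

On the sample data only cert:1A2B is flagged: it authenticated from MOIS and MOEF four minutes apart. cert:9F00 also appears at two agencies, but a day apart, so with the 30-minute window it is treated as a reassignment rather than sharing; widening the window catches it too, which is the trade-off a real deployment has to tune.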
Although suspicion initially fell on the North Korean cyber-espionage group Kimsuky, which specializes in attacks against diplomatic and defense institutions, no direct evidence of its involvement has been found. Nevertheless, officials have not ruled out the possibility that a state-sponsored actor orchestrated the breach.
To reduce future risks, the government plans to phase out the GPKI system in favor of multi-factor biometric authentication, including the use of mobile ID credentials for public officials. Similar technologies are also being considered for large-scale public services accessible to all citizens. Government representatives pledged to respond swiftly to any further intelligence findings and to take decisive measures to prevent such incidents from recurring.