Multi-year breach exposes vulnerabilities in digital authentication systems and triggers urgent security overhaul
South Korea has intensified its cybersecurity efforts after detecting signs of a hacking attempt targeting its central administrative network. The Ministry of the Interior and Safety said that in mid-July, the National Intelligence Service (NIS) identified abnormal access to the government’s Onnara system through the Government Virtual Private Network (G-VPN) — a secure channel used by civil servants for remote work.
The Onnara platform plays a vital role in managing official documents and coordinating administrative workflows across ministries and local governments. A compromise of this system could disrupt critical government operations or expose confidential policy data.
Expanding Threat Surface
According to Yonhap News Agency, the breach was not isolated. Signs of hacking were also found in the foreign ministry, military, prosecution service, and leading technology firms such as Kakao Corp., Naver Corp., KT Corp., and LG Uplus Corp.
Cybersecurity publication Phrack reported earlier this year that these coordinated attacks may be the work of Kimsuky, a North Korean state-backed hacking group known for espionage operations.
The incident highlights South Korea’s growing exposure to cyber threats that target both government institutions and private corporations, often with geopolitical motivations.
Weak Points in Authentication Systems
Investigations revealed that over 650 digital certificates, known as Government Public Key Infrastructure (GPKI) credentials, were compromised. These certificates are used by officials to authenticate their identities within secure government networks.
- Most of the compromised certificates had expired, but three valid ones were revoked in August as a precaution.
- The breach is believed to have occurred due to user carelessness, with malware infecting personal computers used for remote work.
- Hackers used stolen credentials to access Onnara and other systems as legitimate users.
Between September 2022 and July 2025, hackers also managed to steal the passwords of at least 12 officials, according to findings from the NIS and the interior ministry.
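The bullets above make a point that is easy to lose in the numbers: a stolen certificate is only useful to an attacker while it is inside its validity window and has not been revoked, which is why the expired majority mattered less than the three valid ones. The following Python is an added illustration, not code from the article or from any GPKI component; it models certificate metadata and a revocation list as constructed records (serials, subjects and dates are made up) and shows the order of checks a relying party should apply before treating a certificate holder as a legitimate user, plus the triage step of finding which certificates in a compromised batch still need revoking.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 date or datetime string as UTC (helper for the constructed data)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertRecord:
    """Minimal stand-in for the fields of an X.509 certificate that matter here."""
    serial: str
    subject: str
    not_before: datetime
    not_after: datetime


# Constructed sample data: a batch of certificates assumed to have been stolen.
SAMPLE_CERTS = [
    CertRecord("1001", "official-a", _ts("2020-01-01"), _ts("2022-12-31")),  # long expired
    CertRecord("1002", "official-b", _ts("2024-01-01"), _ts("2026-12-31")),  # still valid
    CertRecord("1003", "official-c", _ts("2024-01-01"), _ts("2026-12-31")),  # valid but revoked
]

# Constructed revocation list, standing in for the serials a CRL or OCSP responder would report.
REVOKED_SERIALS = {"1003"}


def evaluate(cert: CertRecord, revoked: set, now_iso: str) -> str:
    """Return the status a relying party should assign before accepting a login.

    Order matters: validity window first (an expired certificate is rejected regardless
    of revocation state), then revocation, and only then acceptance.
    """
    now = _ts(now_iso)
    if now < cert.not_before:
        return "not_yet_valid"
    if now > cert.not_after:
        return "expired"
    if cert.serial in revoked:
        return "revoked"
    return "accept"


def triage(certs, revoked: set, now_iso: str) -> dict:
    """Map each serial in a stolen batch to its status at time `now_iso`."""
    return {c.serial: evaluate(c, revoked, now_iso) for c in certs}


def needs_revocation(certs, revoked: set, now_iso: str) -> list:
    """Serials that would still be accepted at login and therefore must be revoked now.

    Expired certificates are left alone: revoking them changes nothing for the attacker,
    and CRLs are normally pruned of expired entries anyway.
    """
    return sorted(s for s, status in triage(certs, revoked, now_iso).items() if status == "accept")


if __name__ == "__main__":
    NOW = "2025-08-15"  # constructed reference date
    for serial, status in triage(SAMPLE_CERTS, REVOKED_SERIALS, NOW).items():
        print(f"{serial}: {status}")
    print("still need revocation:", needs_revocation(SAMPLE_CERTS, REVOKED_SERIALS, NOW))
```

The revocation check is only as good as the relying party's freshness: a CRL fetched once and cached for weeks would still accept serial 1003 here, so the same triage should be paired with a check that the revocation data the login service actually consults is current.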
Long-Standing Vulnerabilities and Late Detection
Perhaps the most alarming aspect of the breach is that it remained undetected for nearly three years. During this time, the system recorded multiple failed login attempts that should have triggered alerts. However, the monitoring mechanism designed to detect anomalies malfunctioned, allowing hackers prolonged access.
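Two things failed in the scenario the paragraph describes: the failed-login signal existed but nothing acted on it, and the monitor that should have acted was itself broken without anyone noticing. The Python below is an added example, not code from the article or from any Korean government system; it runs a simple burst detector over constructed authentication log lines (the line format, usernames and addresses are assumptions) and adds the check a defender would want alongside it, a liveness test on the detector itself, so that a silent monitoring failure raises an alert instead of passing unnoticed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in an assumed format. The first user shows a burst of
# failures followed by a success (the pattern a credential-stuffing or password attack
# leaves); the second shows an ordinary mistyped password.
SAMPLE_LOG = """\
2025-03-02T02:14:05Z auth user=official-b src=203.0.113.7 result=FAIL
2025-03-02T02:14:09Z auth user=official-b src=203.0.113.7 result=FAIL
2025-03-02T02:14:13Z auth user=official-b src=203.0.113.7 result=FAIL
2025-03-02T02:14:17Z auth user=official-b src=203.0.113.7 result=FAIL
2025-03-02T02:14:21Z auth user=official-b src=203.0.113.7 result=FAIL
2025-03-02T02:14:40Z auth user=official-b src=203.0.113.7 result=OK
2025-03-02T09:01:00Z auth user=official-a src=198.51.100.4 result=FAIL
2025-03-02T09:30:00Z auth user=official-a src=198.51.100.4 result=OK
"""

LINE_RE = re.compile(r"^(\S+) auth user=(\S+) src=(\S+) result=(OK|FAIL)$")


def parse_ts(s: str) -> datetime:
    """Parse the timestamp format used in the constructed log as UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str):
    """Return (timestamp, user, src, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Sliding-window detector over auth events.

    Emits ("burst", user, src, iso_ts) once when `threshold` failures for the same
    (user, src) fall inside `window`, and ("success_after_burst", ...) when a successful
    login follows that burst within the window, which is the higher-priority signal.
    """
    alerts = []
    failures = defaultdict(deque)  # (user, src) -> timestamps of failures inside the window
    burst_at = {}                  # (user, src) -> timestamp of the burst already alerted on
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped; in production they should be counted
        ts, user, src, result = parsed
        key = (user, src)
        q = failures[key]
        while q and ts - q[0] > window:
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and key not in burst_at:
                burst_at[key] = ts
                alerts.append(("burst", user, src, ts.isoformat()))
        else:
            if key in burst_at and ts - burst_at[key] <= window:
                alerts.append(("success_after_burst", user, src, ts.isoformat()))
            q.clear()
            burst_at.pop(key, None)
    return alerts


def monitor_health(last_event_iso, now_iso: str, max_silence: timedelta = timedelta(minutes=15)) -> str:
    """Liveness check for the detector itself.

    An authentication service that logs nothing for longer than `max_silence` is far more
    likely to have a broken log pipeline or a stalled detector than to be genuinely idle, so
    the gap is itself reported as an alert rather than treated as a quiet period.
    """
    if last_event_iso is None:
        return "monitor_stalled"
    if parse_ts(now_iso) - parse_ts(last_event_iso) > max_silence:
        return "monitor_stalled"
    return "ok"


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
    print(monitor_health("2025-03-02T09:30:00Z", "2025-03-02T10:00:00Z"))
```

The threshold and window are deliberately simple; the point of the pairing is that the detector's output is only trustworthy while `monitor_health` keeps returning `ok`, and an operations team should page on `monitor_stalled` with the same urgency as on `success_after_burst`.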
The government’s delayed acknowledgment — nearly two months after the breach was confirmed — has sparked criticism over transparency and raised questions about accountability within its IT oversight structure.
Government’s Response: Strengthening Digital Security
In response, the interior ministry has begun implementing new safeguards, including:
- Stricter login authentication for all officials accessing G-VPN for remote work.
- Plans to phase out the GPKI system in favor of biometric verification using facial recognition and fingerprint scanning.
- Mobile-based identification for secure access to administrative systems such as Onnara.
Officials say these steps are aimed at reducing reliance on passwords and certificates, which can be stolen or misused if not handled properly.
Broader Implications for Cybersecurity Policy
The breach underscores persistent weaknesses in South Korea’s cybersecurity readiness — particularly around endpoint protection and employee cyber hygiene. Experts warn that the incident reflects broader structural issues:
- Overreliance on static credentials like digital certificates.
- Limited real-time threat detection capabilities.
- Insufficient training for remote workers handling sensitive data.
Cybersecurity specialists are urging the government to conduct a comprehensive audit of all administrative systems to determine if confidential data — such as policy drafts, approval records, or citizens’ information — was accessed or exfiltrated. Officials are also exploring the use of ethical hackers to identify vulnerabilities that internal teams might overlook.
Heightened Security Ahead of APEC Summit
The timing of the breach has added urgency as South Korea prepares to host the Asia-Pacific Economic Cooperation (APEC) Summit later this month in Gyeongju. The event will draw leaders from 21 member economies, including U.S. President Donald Trump and Chinese President Xi Jinping.
In preparation, authorities have:
- Mobilized over 18,000 personnel, including police, SWAT teams, and coast guard units.
- Deployed anti-drone jammers, armored vehicles, and helicopters for surveillance.
- Raised the national terrorism-alert level to “Caution” nationwide and “Alert” in Gyeongju and neighboring provinces.
Cybersecurity will remain a top priority throughout the summit, as officials aim to prevent digital attacks that could coincide with physical security threats.
A Wake-Up Call for South Korea’s Digital Governance
This incident serves as a stark reminder that even advanced digital infrastructures can be compromised when human error and outdated systems intersect. While South Korea’s swift response and new biometric initiatives mark progress, the prolonged undetected breach reveals deeper gaps in the nation’s cybersecurity culture and monitoring capabilities.
For a country positioning itself as a global tech leader, maintaining digital trust — especially within government systems — will be critical. The ongoing investigation and reforms will likely shape the next phase of South Korea’s cyber resilience strategy, setting a precedent for how modern states respond to complex, long-term intrusions.