Diagram of the infiltration of government administrative networks (internal networks), including Onnara System /Courtesy of the National Intelligence Service

An unidentified hacker breached the government's administrative network, the "Onnara System," and government ministry data was leaked for nearly three years, it has been confirmed.

The National Intelligence Service said on the 17th that it "obtained advance intelligence in Jul. on hacking in the public and private sectors, including the Onnara System, and, in joint precise analysis with related agencies such as the Ministry of the Interior and Safety, confirmed the hacking and actively moved to respond to prevent further damage," adding, "The hacker appears to have secured public officials' administrative work certificates (GPKI) and passwords through various channels, and after closely analyzing the authentication system, disguised as a legitimate user to access the administrative network."

It also said, "Afterward, using certificates (six) and domestic and overseas IPs (six), from Sept. 2022 to Jul. this year, the hacker passed through the remote access system (G-VPN) used by the Ministry of the Interior and Safety for telecommuting, accessed the Onnara System, and viewed data."

The U.S. security magazine "Phrack" in Aug. carried a report stating it had detected indications that Korean government agencies, mobile carriers, and private corporations were hacked.

In the course of its response, the National Intelligence Service additionally confirmed that the hacker had accessed dedicated systems that some ministries operate independently. The National Intelligence Service explained, "The inspection found that identity verification and other authentication mechanisms were inadequate in the government remote access system, the authentication logic of the Onnara System was exposed, enabling access to multiple agencies, and access control to each ministry's dedicated servers was insufficient, which turned out to be the cause of the incident."

Accordingly, the National Intelligence Service implemented emergency security measures to cut off the hacker's access, including distributing the six IP addresses exploited by the hacker to all national and public institutions and having them blocked.

In addition, it added second-factor authentication (such as ARS automated telephone verification) for connections to the government remote access system, changed the Onnara System's access authentication logic, revoked the administrative work certificates (GPKI) exploited in the hacking, required password changes for the email accounts of public officials suspected of having visited phishing sites, strengthened access control to each ministry's servers, and fixed source code vulnerabilities.

Earlier, Phrack pointed to the North Korean Reconnaissance General Bureau–affiliated hacker group Kimsuky as being behind the hacking.

The National Intelligence Service said, "We are conducting a comprehensive analysis of the past incident history of the six hacker-abused IP addresses identified in this hacking, cases of GPKI certificate theft, and similarities in attack methods and targets, but so far there is insufficient technical evidence to definitively identify the actor behind the hacking."

However, it added, "Records that the hacker translated Korean into Chinese and indications of an attempted hack in Taiwan have been identified, but the National Intelligence Service is keeping all possibilities open and is working with overseas intelligence cooperation agencies and leading domestic and international security firms to track the actor behind the attack."

The National Intelligence Service said, "We are identifying the specific content and scope of the materials the hacker viewed in government administrative networks such as the Onnara System, and once the investigation is concluded, we plan to report the results to the National Assembly," adding, "Together with related agencies such as the Ministry of the Interior and Safety, we will also prepare security enhancement measures, including strengthening authentication systems and expanding the adoption of information security products."

It also said that signs of this kind of intrusion are difficult to detect with the current security monitoring systems, and that it plans to upgrade its detection systems so that such blind spots are monitored.
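The access pattern described above, one GPKI certificate authenticating through the telework VPN from several domestic and overseas addresses over a long period, is the kind of signal a remote-access authentication log can surface even when each individual login looks legitimate. The script below is an added example, not code from the NIS or from this article: it profiles constructed VPN authentication log lines per certificate and flags certificates used from too many distinct source IPs, from a mix of domestic and overseas addresses, or from an address on a shared indicator blocklist (as in the IP dissemination step). The log format, the prefix-to-region map, the blocklist contents and the thresholds are all assumptions; the sample lines use documentation address ranges and invented certificate IDs.

```python
"""Flag GPKI certificates whose VPN authentications look like credential abuse.

Heuristics used here are assumptions for illustration, not the NIS's actual
detection rules:
  * one certificate authenticating from more than `max_ips` distinct source IPs
  * the same certificate appearing from both domestic and overseas addresses
  * any authentication attempt from an address on a shared blocklist
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed "timestamp cert_id src_ip result" format.
SAMPLE_LOG = """\
2022-09-03T02:14:11 GPKI-A1 203.0.113.7 OK
2022-09-03T09:30:02 GPKI-B2 198.51.100.20 OK
2022-11-18T23:58:40 GPKI-A1 192.0.2.44 OK
2023-02-07T03:05:19 GPKI-A1 203.0.113.9 OK
2023-02-07T08:45:00 GPKI-B2 198.51.100.20 OK
2023-06-21T01:12:33 GPKI-A1 192.0.2.45 FAIL
2023-06-21T01:13:01 GPKI-A1 192.0.2.45 OK
"""

# Assumed mapping of prefixes to "domestic"; everything else counts as overseas.
# A real deployment would consult a GeoIP database. These are documentation
# prefixes (RFC 5737), chosen arbitrarily for the example.
DOMESTIC_NETS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Hypothetical shared indicator list of the kind distributed to institutions.
BLOCKLIST = {ipaddress.ip_address("192.0.2.45")}


def parse_log(text):
    """Parse log lines into (timestamp, cert_id, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cert, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), cert,
                       ipaddress.ip_address(ip), result))
    return events


def is_domestic(ip):
    return any(ip in net for net in DOMESTIC_NETS)


def analyze(events, max_ips=2):
    """Return {cert_id: {"reasons": [...], "ips": [...], "span_days": n}}
    for certificates that trip at least one heuristic."""
    per_cert = defaultdict(lambda: {
        "ips": set(), "first": None, "last": None,
        "domestic": False, "overseas": False, "blocklisted": set(),
    })
    for ts, cert, ip, result in events:
        rec = per_cert[cert]
        # Blocklist hits matter even for failed attempts (reconnaissance, retries).
        if ip in BLOCKLIST:
            rec["blocklisted"].add(str(ip))
        if result != "OK":
            continue
        rec["ips"].add(str(ip))
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        if is_domestic(ip):
            rec["domestic"] = True
        else:
            rec["overseas"] = True

    findings = {}
    for cert, rec in per_cert.items():
        reasons = []
        if len(rec["ips"]) > max_ips:
            reasons.append(f"{len(rec['ips'])} distinct source IPs")
        if rec["domestic"] and rec["overseas"]:
            reasons.append("domestic and overseas sources")
        if rec["blocklisted"]:
            reasons.append("blocklisted IP(s): " + ", ".join(sorted(rec["blocklisted"])))
        if reasons:
            span = 0
            if rec["first"] is not None:
                # Active span by calendar date of first and last successful login.
                span = (rec["last"].date() - rec["first"].date()).days
            findings[cert] = {"reasons": reasons,
                              "ips": sorted(rec["ips"]),
                              "span_days": span}
    return findings


if __name__ == "__main__":
    for cert, info in analyze(parse_log(SAMPLE_LOG)).items():
        print(f"{cert}: active {info['span_days']} days from {info['ips']}")
        for reason in info["reasons"]:
            print("  -", reason)
```

Run against the constructed sample, only GPKI-A1 is flagged: four distinct source addresses, both domestic and overseas, one of them on the blocklist, active for roughly ten months. The single-IP, domestic-only GPKI-B2 profile stays quiet, which is the point: per-login checks pass for both certificates, and it is the per-certificate aggregation over a long window that exposes the abuse.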

Kim Chang-seop, the third deputy director of the National Intelligence Service, said, "Because government administrative networks such as the Onnara System are the foundation of people's daily lives and administrative services, we plan to quickly conclude the ongoing investigation and prepare and implement pan-government follow-up measures to prevent a recurrence."

※ This article has been translated by AI.