The government said it has confirmed signs that hackers accessed the Onnara System, the civil service work system, and the Government Public Key Infrastructure (GPKI), a public servant certificate. Earlier, a U.S. hacking-related outlet reported in August that there were traces of hacking at Korea's central ministries, mobile carriers, and private corporations, which the government has belatedly acknowledged.
On the 17th, Deputy Minister Lee Yong-seok of the Ministry of the Interior and Safety's Digital Government Innovation Office held a briefing on "Response to hacking of the Government Work Management System (Onnara)" at the Government Complex Sejong and said, "Around mid-July this year, through the National Intelligence Service, we confirmed signs that the Onnara system, the government's work network, was accessed via the government remote work system (G-VPN) from an external internet PC."
Accordingly, the Deputy Minister said, "On Aug. 4, we strengthened security by requiring phone verification (ARS) in addition to Government Public Key Infrastructure authentication when connecting to G-VPN," adding, "For the Onnara system, we completed measures to prevent reuse of Onnara system logins and applied them to central ministries and local governments on Jul. 28."
Regarding the Government Public Key Infrastructure (GPKI) certificates where hacking traces were found along with the Onnara system, the official said, "We received the relevant certificate information from the National Intelligence Service and checked whether the certificates were valid," adding, "Most certificates had expired, and for some valid certificates, we completed revocation measures on Aug. 13."
On the cause of the hacking, the Deputy Minister noted, "It is presumed that certificate information was leaked from an external internet PC due to user carelessness," and added, "We have notified all central ministries and local governments to ban certificate sharing and strengthen management."
To counter the security threat to Government Public Key Infrastructure certificates, which are at risk of theft and duplication, the Ministry of the Interior and Safety decided to replace the certificate-based authentication system used by public servants at administrative and public institutions to access internal administrative systems with biometric-based multifactor authentication methods, such as the mobile public servant ID. It also plans to expand the introduction of safe authentication methods, such as mobile IDs that use biometric authentication, to the government's public-facing service authentication system.
Regarding damage from this hacking, the Deputy Minister said, "It is hard to say there was no damage since abnormal access was confirmed," but added, "The National Intelligence Service is currently investigating and will make an announcement later."
He continued, "We are closely monitoring recent trends in cyber threats and checking for phishing, malware, and security vulnerabilities, which are major causes of breaches," adding, "We will do our best to prevent incidents so that the same kind of incident does not occur."
Earlier in August, Phrack Magazine, a U.S. hacking-related outlet, reported that there were traces of hacking at Korea's central ministries, private corporations, and mobile carriers, based on data obtained after the U.S. nonprofit DDoSecrets hacked a server belonging to an attacker named "KIM." KIM was presumed to be Kimsuky, a North Korean hacking group. Places where hacking traces were found included central administrative agencies such as the Ministry of the Interior and Safety and the Ministry of Foreign Affairs, the military, the prosecution, and Daum, Kakao, Naver, KT, and LG Uplus. Among these, the Ministry of the Interior and Safety showed hacking traces in Onnara and GPKI.