
Firms in South Korea are likely to continue to face a very high level of cyber threat exposure in the coming months.

This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 13 February 2024.

  • The threat stems mainly from North Korea, which will very probably pursue disruptive operations amid worsening relations with Seoul
  • We assess the general elections in South Korea in April to be a key target for hostile cyber actors

Organisations in South Korea will probably continue to face a very high level of exposure to cyber threats in the coming months. This is due to an elevated cyber threat amid recent heightened tensions with North Korea; we assess that Pyongyang is very likely to seek to disrupt critical infrastructure in the South this year, particularly around the general election in April. In addition, Chinese state-backed cyber groups appear highly intent on carrying out cyberespionage campaigns there this year, particularly against private firms.

Elevated threat from North Korea

North Korea will be particularly motivated to pursue hostile cyber operations against South Korea in the coming months. Military tensions on the peninsula are at their highest in years. This follows a series of escalatory steps by Pyongyang over the past year. Most recently, the North launched over 200 rounds of artillery near a disputed maritime border region in January. As a result, we now assess that a weeks-long military crisis is highly likely this year.

Amid worsening relations, North Korea very probably views offensive cyber operations against South Korea as a way to demonstrate its strength. In our analysis, these would be aimed at undermining public trust in the South Korean government, especially by disrupting public services. Pyongyang already frequently targets both public and private organisations there. The South’s national intelligence agency said in January that ‘cyberattacks against the public sector’ increased by 36% in 2023 compared to 2022, with 80% of such operations originating from North Korea.

North Korea a capable offensive actor

North Korea can mount both disruptive and destructive cyber operations. The US government said the North was behind the 2017 WannaCry ransomware attacks, which disrupted the operations of commercial organisations globally. And North Korean cyber groups almost certainly have a foothold in the networks of South Korean entities, based on prior campaigns there. In 2023, South Korean police said that ‘North Korean hacking organisations’ were responsible for a hack-and-leak campaign against a hospital in Seoul in 2021.

Any offensive operations by the North this year would probably be primarily aimed at disrupting critical national infrastructure. This includes targets such as banking and finance, telecommunications and energy sectors. There is an already established pattern of such operations by the North. For instance, a North Korea-linked malware attack in 2013 paralysed the systems of major media and bank firms and wiped their files. Some banking and finance services were unable to process payments.

North Korea is also likely to be intent on carrying out cyber operations for financial theft this year. That would include against entities in South Korea, as part of its broader global cyber strategy to finance its weapons programs. This would most likely be through ransomware operations as well as cryptocurrency and fiat (other currency) theft. North Korea reportedly targeted cryptocurrency employees in the South in 2022 with phishing emails. And it has targeted finance and cryptocurrency firms globally in recent years, reportedly stealing $1.7 billion of funds in 2022.

General elections in April a priority

General elections in South Korea due on 10 April are likely to be a key target for cyber operations by North Korean actors. In our analysis, North Korea would seek to undermine public confidence in the election and discredit the South Korean government. This would be through DDoS attacks on election websites or attempts to disrupt related infrastructure. In a sign that the South Korean authorities are concerned about this, in December 2023, the National Intelligence Service advised of a ‘high possibility’ that North Korea ‘will carry out unexpected military and cyber provocations’ during the election period.

Persistent Chinese threat

Chinese state-backed groups will also probably carry out cyberespionage campaigns in South Korea this year. South Korea’s intelligence agency said that 5% of cyber operations in 2023 were from China-based groups. It said such operations were characterised by ‘slow and stealthy infiltration’ of entities, seemingly for espionage purposes. Based on prior campaigns, Beijing would probably target entities in government, tech, telecoms and defence as part of its longstanding goals to achieve technological superiority. In August, Seoul authorities said they identified malware in Chinese-made hardware used by government agencies.

China is also highly likely to pursue disinformation campaigns, especially in the run-up to the election. This would be to spread narratives that paint China in a favourable light and to promote its preferred candidates. Various academic studies in recent years have identified Chinese state-backed actors behind such campaigns in countries globally. And the South Korean government said in November 2023 that Chinese PR firms were behind 38 news sites ‘disguised as domestic media companies’ that spread pro-Beijing and anti-US narratives.

Image: South Korea’s President Yoon Suk Yeol speaks during the UK – Korea Business Forum, at Mansion House, in central London on 22 November 2023, on the second day of a three-day state visit of the South Korean President to the UK. Photo by Daniel Leal/AFP via Getty Images.