Seoul investigates China link after GPKI hack

Posted October 18, 2025 06:59

Updated October 18, 2025 06:59

Hackers stole Government Public Key Infrastructure certificates, the digital keys that allow access to government networks, and used them to breach the system, officials said. The breach is the first confirmed attack on the core infrastructure handling electronic approvals and reporting across public institutions. Authorities are also probing a possible China link. Because the intrusion began in September 2022 and remained undetected for nearly three years, critics say e-government security has been severely compromised.

On Oct. 17, the Ministry of the Interior and Safety and the National Intelligence Service said an unidentified hacking group stole GPKI certificates from about 650 civil servants and passwords from 12 others. Some of the credentials were used to access the government’s Onnara electronic approval system and view files. Officials said this is the first official confirmation of GPKI misuse.

The National Intelligence Service detected the hack in July and blocked the malicious internet addresses. After foreign media reported the incident in August, the government waited nearly two months to acknowledge the breach, drawing criticism for its delayed response.

The U.S. nonprofit DDoSecrets identified Kimsuky, a cyber unit under North Korea’s Reconnaissance General Bureau, as the likely perpetrator. The NIS said it has not ruled out a Chinese origin. Investigators found evidence the hackers translated Korean text into Chinese and attempted to access a Taiwanese government network, and the agency is pursuing all leads.

The Interior Ministry said the leak likely began when personal computers used by remote workers were infected with malware, allowing GPKI certificates to be stolen. To prevent a recurrence, the government plans to switch to a biometric-based, multifactor authentication system that will include mobile public employee IDs.


Reporter 임재혁, heok@donga.com