South Korea is facing one of its biggest cybersecurity shocks in years. A pair of white hat hackers, known by their pseudonyms Saber and cyb0rg, discovered a massive breach that may have affected key parts of the South Korean government. What they found was alarming. Sensitive systems, emails, and even secret communications between ministries appeared to have been compromised.
But the biggest question now is: who did it? Many signs point toward China. Yet some clues still suggest North Korea’s hand. The situation has become one of the most confusing and serious cyber mysteries in recent memory.
The Massive Breach No One Saw Coming
The discovery began when Saber and cyb0rg stumbled upon a compromised computer they linked to Kimsuky, North Korea’s state-backed hacking group. They were shocked to find that this single workstation seemed to be part of a much larger operation.
Inside the system, they uncovered data from the government’s main network, known as Onnara. This system manages official documents, communication between ministries, and sensitive information. Saber and cyb0rg found tools that allowed the attackers to move through and control Onnara for long periods without being noticed.
The data leak also showed that hackers had gained access to email accounts from key offices, including the Defense Counterintelligence Command. Stolen usernames, passwords, and digital keys used to secure government messages were discovered, revealing serious security failures.
South Korea’s telecom companies LG Uplus and KT were also hit. The leaked data suggested their networks had been breached, potentially exposing communication data of millions. Experts believe the attack was planned carefully, using phishing, malware, and brute-force methods to target agencies like the Ministry of Foreign Affairs and the Ministry of Unification.
The Mystery Behind the Attackers
When the story first surfaced through The Diplomat, many assumed the attack came from North Korea, which has a long record of targeting its southern neighbor. But after studying the evidence, researchers from Korea University’s Graduate School of Information Security and cybersecurity firms like S2W found inconsistencies with known North Korean tactics.
Logs from the hacked workstation revealed that the hacker used simplified Chinese, visited Chinese-language websites, and worked on a schedule that matched Chinese holidays. Analysts found Chinese proxy tools, including WgetCloud, suggesting the operation was run from inside China.
Cyber expert Michael “Barni” Barnhart from DTEX said the malware and methods were unlike those used by North Korea’s Kimsuky group, and instead pointed toward “a lower-tier China-based actor.” Still, opinions differ.
Some experts believe Chinese hackers acted on behalf of their own government. Others suggest possible cooperation between China and North Korea, since North Korean operations have previously been traced to Chinese territory. A third theory claims North Korea may have outsourced the job to Chinese hackers. Another proposes a false flag operation — that China deliberately left evidence to make it seem like North Korea was responsible.
Seoul’s Silent Response and Rising Concerns
Despite the scale of the breach, South Korea’s government has said little. Presidential spokesperson Kang Yu-jung stated there was “no accurate information,” while the Ministry of National Defense (MND) and Ministry of Science and ICT (MSIT) avoided detailed comments. The Ministry of Unification confirmed it had strengthened its systems after the incident.
Experts like Professor Kim Seung-joo from Korea University criticized the lack of a centralized cybersecurity “control tower.” He said that foreign hackers seem to understand South Korea’s networks better than its own authorities.
Officials may be cautious due to diplomatic sensitivities. Blaming China could complicate relations, especially before the upcoming APEC leaders’ meeting, which both nations are expected to attend.
Meanwhile, cyberattacks against South Korea are rising fast. In the first half of this year, thousands of intrusion attempts were reported on military and government networks. A recent fire at the National Information Resources Service in Daejeon disabled hundreds of systems, fueling fears that hackers could exploit the situation.
Critics say cybersecurity spending remains scattered across ministries. Despite ongoing upgrades, the discovery of this large-scale breach shows how deeply hackers penetrated South Korea’s networks. It leaves citizens wondering how safe their government’s digital backbone really is.