In the Asia-Pacific region, including South Korea, vulnerability exploitation accounts for roughly twice as large a share of initial infection vectors as it does globally. This is why a comprehensive improvement in security visibility and response capabilities is needed.
Shim Yeong-seop, head of Google Cloud Mandiant Consulting for South Korea and Japan, said on the 27th at a press briefing for 'Mandiant M-Trends 2025', held at Seoul Square in Jung-gu, Seoul, that recent trends in security threats are concerning. 'M-Trends' is an annual cyber security report published by the Mandiant consulting team. The 'M-Trends 2025' report is based on the results of investigations into targeted attack activity during the previous year and analyzes data collected from more than 450,000 hours of incident response engagements worldwide.
According to the report, vulnerability exploitation accounted for 64% of initial infection vectors in the Japan and Asia-Pacific (JAPAC) region, including South Korea. It was followed by stolen credentials (14%), where attackers used valid but compromised credentials to log in to systems directly, and website compromises (7%). Globally, vulnerability exploitation was also the most common initial infection vector, at 33%. Stolen credentials (16%) ranked second for the first time in the survey's history, followed by email phishing (14%), website compromises (9%), and prior compromises (8%), where access was inherited from an earlier intrusion.
The most frequently exploited vulnerabilities were in security appliances sitting at the network perimeter (edge devices). Many of these were zero-day vulnerabilities, exploited before any patch was available. Mandiant reported that it tracks more than 4,500 threat groups in total and identified 737 new groups last year. In particular, as a wide range of threat actors targeted edge devices, four new Advanced Persistent Threat (APT) groups, operating out of China, Russia, and Iran, were named last year.
Shim noted, "While security governance is strict in the U.S. and Europe, Asia is relatively less so, which is why vulnerability attacks occur frequently in the Asia-Pacific region," adding, "Investments in security personnel and infrastructure are more necessary." He further stated, "Sophisticated attacks targeting edge devices make rapid detection difficult," noting, "There is an urgent need to establish defensive strategies against unknown threats."
Globally, 57% of intrusions were first detected by an external party: 43% of victims were notified by law enforcement or cyber security firms, and 14% learned of the breach from the attackers themselves, in the form of a ransom note demanding payment. Notably, in ransomware attacks, the attacker was the one to notify the victim of the breach 49% of the time. The share of external notifications in South Korea, Japan, and the wider Asia-Pacific region was higher than the global average, with 69% of victims notified by an external party and 12% by the attackers. This highlights the need to strengthen internal detection capabilities.
Among the reasons for cyber attacks, monetary motivations accounted for the highest at 55%, followed by threat groups engaging in espionage activities at 8%. The most targeted industry was financial services, accounting for 17.4%, followed by business and professional services (11.1%), advanced technology (10.6%), government (9.5%), and healthcare (9.3%).
It has recently been reported that North Korea is dispatching its citizens abroad as remote IT contract workers to earn foreign currency and fund the regime. North Korean IT workers have posed as employees of U.S. and European technology companies using stolen or forged identities, fabricated backgrounds, and falsified documents, and have concealed their actual locations through virtual private networks (VPNs) and local accomplices.
Shim emphasized, "Thorough background checks on employees, including biometric verification, should be implemented, and their education and work history should be independently corroborated," adding, "Requiring video interviews can strengthen the interview process, and those hesitant to comply should be viewed with caution."
Amid the ongoing fallout from the hacking incident involving SK Telecom, some analyses suggest that when global telecom companies are targeted by cyber attacks, the motives have expanded beyond personal data theft to strategic eavesdropping and state-sponsored espionage.
Shim stated, "In general, when telecoms are hacked, the primary focus should be on state-sponsored espionage activities rather than personal data," noting, "In such cases, support for responses at the national level is necessary." He added, "In South Korea, there is a tendency for security personnel to be focused on offensive measures, and it is necessary to strengthen personnel for defensive measures."