[Editor's note] Recently, SK Telecom, YES24, and the National Research Foundation of Korea (NRF) have fallen victim to cyber attacks from hackers, resulting in personal information leaks and service disruptions. In the era of artificial intelligence (AI), cyber threats are intensifying and attack methods are becoming more sophisticated, while the response capabilities of our government and corporations are inadequate. This article examines the issues within the cybersecurity framework through domestic and international cases and seeks solutions.
The pro-Israel hacking group 'Predatory Sparrow' attacked the Iranian cryptocurrency exchange Nobitex on the 18th of this month (local time), stealing assets worth at least $90 million (about 123.6 billion won). Iran has completely blocked internet access due to concerns over additional attacks. Previously, Predatory Sparrow hacked the Iranian state-owned Sepah Bank, destroying some data. In response to this preemptive strike, Iran has ramped up cyber attacks on Israel's energy companies, public alert systems, and other critical infrastructure by 700%.
In February of this year, S, a partner company of the domestic conglomerate L Group, fell victim to a cyber attack by the ransomware group Lynx, resulting in the leakage of internal documents. S supplies components related to home appliances, secondary batteries, and displays. Lynx stole over 12 gigabytes (GB) of data, and the leaked documents included estimates, design blueprints, component test results, non-disclosure agreements, personal information, and more. An industry insider noted, “Hackers are increasingly using 'supply chain attacks' by bypassing relatively poorly secured partner companies of large corporations.”
◇ Increase in cyber attacks targeting national and corporate infrastructure
Despite the rising cyber threats targeting national infrastructure due to the spread of artificial intelligence (AI), there are criticisms that Korea has not established a systematic security framework for responses from both the public and private sectors. Public institutions are vulnerable due to outdated computer systems, and private corporations regard information protection investments as an expense, outsourcing more than one-third of security personnel. In the last 1 to 2 years, national administrative networks, courts, and other organizations have suffered hacking incidents, resulting in the paralysis of public systems and the leakage of internal materials, yet it remains unclear who is responsible. The industry suspects North Korean and Chinese hackers, but there has been no official announcement from the government.
The hacking incident involving SK Telecom that shook the nation in April is estimated to have leaked 9.82 gigabytes (GB) of subscriber identification module (USIM) information, which corresponds to 26,957,749 cases based on subscriber identification keys (IMSI). It has been revealed that the malicious code hidden on the server had been lying in wait for nearly 3 years.
This month, the online bookstore YES24, which has over 20 million members, was hit by a ransomware attack that paralyzed its computer system. The website and app were down for four days, halting book orders, browsing, and concert ticket reservations. CJ OliveNetworks, which manages CJ Group's IT infrastructure, had its certificate file leaked due to hacking. The digital signature of CJ OliveNetworks was discovered in malware from North Korea, leading to suspicions that the North Korean hacking group 'Kimsuky' was involved in this attack.
Despite the frequent occurrence of large-scale hacking incidents, both the government and corporations are responding with a 'fix the barn after losing the cow' approach. Experts argue that because security incidents are directly linked to national security, it is urgent to establish a systemic foundation to prevent recurrence.
Lim Jong-in, a former special advisor on cybersecurity at the presidential office and an emeritus professor at Korea University, said, “Considering the cyber warfare between Israel and Iran, as well as the hacking incidents involving American telecommunication companies, cybersecurity is not just a matter of security but a national security issue.” He added, “Hackers are embedding malicious code in essential state infrastructure like power grids, communication networks, ports, and solar inverters, and if the state's infrastructure collapses due to successive attacks, chaos may ensue.”
◇ Perception that 'Security = Expense' leads to inadequate corporate investment... government also reduces budget
According to the Korea Internet & Security Agency (KISA), the number of reported cyber intrusion incidents in Korea increased by 48%, from 1,277 in 2023 to 1,887 last year. The actual scale of the damage is expected to be even larger, according to the industry. Most corporations and government departments, excluding telecommunications companies, are not obligated to report intrusion incidents resulting from hacking. According to the information protection disclosure system, only corporations with sales exceeding 300 billion won are subject to disclosure obligations.
Professor Kim Hui-kang of Korea University noted, “As cyber attacks continue to evolve with the aid of generative AI, corporations are not investing in security, leading to an increase in incidents.”
Although cyber attacks are on the rise, the average investment in information protection among 732 companies analyzed by KISA last year was only 2.9 billion won. Since the mandatory disclosure of information protection investment was implemented in 2022, only 10 companies, including Samsung Electronics, Naver, LG Electronics, and Coupang, have invested over 100 billion won in information protection over the past three years. The proportion of information protection investment in the IT budget of domestic corporations averaged 6.1%. According to a cybersecurity status report published last year by the global insurance company Hiscox, American companies spend an average of 11% of their annual IT budget on cybersecurity.
Insufficient investments in security are also impacting national competitiveness. The Swiss International Institute for Management Development (IMD) recently rated Korea's national competitiveness at 27th, a drop of seven places compared to last year, showing low scores in cybersecurity capability among the major evaluation criteria. In the cybersecurity sector, Korea's competitiveness fell from 20th last year to 40th this year.
Despite this situation, government security investments are sidelined. This year, the government's budget for research and development (R&D) on cyber threats is set at 104.9 billion won, an 8% decrease from the previous year. An industry insider stated, “The overall budget is being cut to achieve sound fiscal management, affecting the security industry as well.”
◇ Only country among major nations without security control tower
In Korea, even when major hacking incidents occur, there is no control tower to command the response effectively, leading to criticisms of slow and ineffective actions, which exacerbate the damage. Korea is the only major country that has neither a control tower overseeing national security nor a cybersecurity law. The United States has the Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom has the National Cyber Security Centre (NCSC), Australia has the Australian Cyber Security Centre (ACSC), Germany has the Federal Office for Information Security (BSI), and France has the National Cybersecurity Agency (ANSSI) as their control towers.
Professor Lim pointed out, “There should be a control tower to oversee and direct security-related issues; however, currently, when incidents occur, responses are handled by the Ministry of Science and ICT, the police, the Ministry of National Defense, and others depending on the circumstances, with KISA and the Personal Information Protection Commission also involved separately, which reduces efficiency.”
YES24, which suffered a hacking incident this month, faced controversy for not cooperating with KISA's technical support. When KISA's ransomware analysts visited the YES24 headquarters to assess the situation, YES24 blocked their access, insisting on conducting its own investigation. Previously, YES24 had also not participated in KISA's simulated hacking exercises. A company can refuse government security status investigations or technical support, and there is no punitive or compulsory means to enforce compliance.
The Cybersecurity Basic Act, established to strengthen the national-level cybersecurity framework, has failed to pass the National Assembly since 2006. This bill aims to clarify the authority and responsibilities for responding to cyber attacks and to establish an integrated public-private cybersecurity response system. Discussions have stalled amid controversies over potential violations of human rights due to national agencies being able to monitor and surveil civilians.
Kim Jin-soo, vice president of the Korea Information Security Industry Association (Trinity Soft representative), stated, “With increasing state-sponsored cyber attacks, cybersecurity must now be approached from a national security perspective,” adding, “We need to establish a defense system against increasingly sophisticated attacks through aggressive research and development (R&D) investment and formulate a cybersecurity strategy encompassing individuals, corporations, and the nation.”