Chinese, Russian hacking groups spy on South Korea amid U.S.-North Korea peace talks

Ahead of the Trump-Kim summit in Singapore next week, a U.S. cybersecurity researcher says that Russian and Chinese hackers have scaled up activity against South Korean targets.
Photo via White House -- North Korean leader Kim Jong-Un meets with US Secretary of State Mike Pompeo

Ahead of the Trump-Kim summit in Singapore next week, U.S. cybersecurity researchers say that Russian and Chinese hackers are scaling up cyber-espionage operations against South Korea.

Cybersecurity giant FireEye found that operations targeting South Korean government ministries and financial institutions were carried out as recently as last month. The firm uncovered multiple hacking attempts linked to Russian and Chinese advanced persistent threat (APT) groups.

The revelations underscore the complicated threat landscape facing Seoul as leaders of the U.S. and North Korea prepare to discuss that country’s nuclear programs. It is still unclear who exactly was targeted and whether the attackers succeeded in breaching important political organizations, FireEye researchers said.

South Korea, a key U.S. ally, must play a delicate balancing act. It has vowed to pursue a diplomatic breakthrough and angled for a better relationship with its northern neighbor, but all bets are off in cyberspace. As CyberScoop recently reported, despite Pyongyang and Seoul vowing to pacify the Korean Peninsula, the latter still faces a steady barrage of attacks from North Korea’s highly capable hacker army.

South Korea has been a frequent target of cyber-espionage, said Ben Read, a senior manager at FireEye, in a statement to CyberScoop. Though the most persistent and formidable threat stems from North Korea, he said, South Korea must also grapple with Chinese and Russian APTs.

“With the heightened attention to inter-Korean relations in the lead-up to a potential Trump-Kim meeting, we expect this targeting to continue at an increased pace,” Read said.

The Wall Street Journal first reported the news about the Russian and Chinese activity.

FireEye identified two groups responsible: TempTick, which embedded malware in Word documents that it distributed in early May, and Turla, which staged a JavaScript-based attack in April.

TempTick, a cyber-espionage team active since at least 2009, has trained its sights on public and private actors across the Asia-Pacific region, particularly in Japan and South Korea. It has gone after targets in a range of sectors, including defense, heavy industry, aerospace, technology, banking, healthcare, automotive and media.

Since TempTick has previously targeted Chinese dissidents, it is widely assumed to be working in support of Beijing.

Turla, an advanced, stealthy cyber-espionage group, is believed to be working at Moscow’s beck and call. The group targets governments worldwide in search of information that can enhance and assist Russian decision-making on a global stage. Turla is known to have been active since at least 2006, and likely longer.

In March, the Wall Street Journal reported that FireEye researchers uncovered attacks by Tonto, a Chinese group that distributed malware files in a falsified South Korean coast guard job posting. Tonto has been linked to attacks on targets associated with the U.S. THAAD missile system. The deployment of THAAD on the Korean Peninsula has angered China.

For their part, the Chinese and Russian governments have historically denied any involvement in hacking operations.

Some of the malware FireEye identified hasn’t surfaced in years, Read told the Journal. “It’s not like we saw these guys in December, November or October. We don’t see these things every month … This suggests a ramp-up.”