Frankly, this GPKI breach incident is not just a single “event.” It is a truly pivotal moment that laid bare, to its very core, how fundamentally and structurally vulnerable our national digital infrastructure was.
If you dissect this attack, the key failure points become clear. We relied far too heavily on an archaic ‘perimeter defense,’ the authentication systems were weak, and—critically—the internal environment was a “black box” where no one knew who was moving around.
So this report is not just a recounting of “we were hit.” It proposes four core pillars: a full transition to a **‘Zero Trust Architecture’**, omnidirectional monitoring via XDR, adoption of authentication methods that block modern phishing like AiTM, and finally proactive defense based on threat intelligence. To restore broken digital trust and defend our cyber sovereignty, these are strategic tasks that must be pursued urgently.
Part 1: Exactly who and how did they break into our home?
This chapter will step through how the attack was carried out, who the attackers likely are, and why attributing responsibility is so complicated.
1.1 Threat actor profile: Kimsuky (APT43) and their operations
- Backer and mission: The culprit appears to be ‘Kimsuky’, also known as APT43. They are a nation-sponsored hacking group operating under the direction of North Korea’s Reconnaissance General Bureau (RGB). Their primary mission is to steal strategic intelligence for North Korea’s geopolitical and military objectives.
- Evolution of TTPs (tactics, techniques, procedures): Don’t think it’s just about HWP file attacks anymore. They’ve become very sophisticated, using MS Office documents, CHM, LNK, even ONE files… deploying all kinds of tools for elaborate spear-phishing. They constantly adapt: when we defend, they find another path.
- Dual mission (espionage + monetization): This is a real headache. APT43’s notable trait is that they also engage in cybercrime like stealing cryptocurrency to fund operations. If another group (APT38) exists to bankroll the regime, these actors generate their own operational funds. Because they don’t rely solely on direct state funding, sanctions become less effective… they have created a self-sustaining, persistent operational model.
- Collaboration among North Korean cyber groups: According to Mandiant, they don’t operate alone. They share infrastructure and tools with other North Korean hacker groups. That implies coordinated, state-level strategy.
Kimsuky’s operational model is a terrifying hybrid of a state intelligence agency and an organized crime syndicate. The data shows their primary objective is state-sponsored espionage, but they also steal cryptocurrency to self-fund. Traditional state actors operate on budgets; criminal groups are self-sufficient. Combining the two creates a resilient and persistent operational cycle. They make money through cybercrime, which funds their infrastructure and espionage operations, and in the process they search for more profitable opportunities. That’s why they’re hard to stop. You can’t just sever a state’s funding; you must treat them as both a national security threat and a criminal enterprise and disrupt their revenue flows as well.
1.2 Reconstruction of the attack flow: how the gate was breached and the ‘digital master key’ stolen
Follow the attack in chronological order.
- Initial access (breaching the digital main gate): The attackers exploited known vulnerabilities in the remote access VPN appliance “Ivanti Connect Secure.” VPNs, by nature, are exposed to the internet and therefore a “favorite” target for state-sponsored hackers. It appears they chained multiple vulnerabilities to gain initial access.
- Establishing foothold (command and control): Once inside, they deployed the ‘Cobalt Strike’ framework. Originally a penetration-testing tool, it is widely abused by threat actors: using beacons to maintain persistent C2 channels, remotely control infected systems, and exfiltrate data. They effectively created their own base inside.
- Privilege escalation and account compromise (AiTM phishing campaign): They needed official accounts. Here they used a sophisticated phishing technique called ***AiTM (Adversary-in-the-Middle)***. This is not just a fake site. They inserted a proxy between the user and the real login page to capture not only usernames and passwords but also MFA tokens and the resulting session cookies that are issued after MFA succeeds. With those, attackers perfectly impersonated officials and gained authenticated access.
- Objective achieved (GPKI certificate exfiltration): With legitimate account privileges, the attackers freely navigated internal government networks. Their ultimate objective was the ‘Government Public Key Infrastructure (GPKI)’ system. The discovery of actual GPKI files such as 136백운규001_env.key on attacker machines is definitive evidence that these digital certificates were stolen.
- Maintaining persistence and evading detection: Finally, they installed backdoors to ensure future access and hid deep in the operating system with kernel-level rootkits to avoid security tools.
1.3 The attribution dilemma: China’s shadow
Here an oddity appears. The tactics align with Kimsuky, but forensic analysis revealed notable anomalies.
- Geographic location: C2 servers or access points are in China.
- Language: The attacker used a tool that translated Korean documents into Chinese, and Chinese-language files were found on systems.
- Activity timing: The activity pattern (working hours, holidays) aligns more with Chinese business hours than North Korean ones.
What does this mean? Several hypotheses arise.
- Hypothesis 1 (via China): North Korean hackers may have been operating from locations in China (e.g., Dandong) where internet infrastructure is better and operational conditions are more convenient. This is the simplest explanation.
- Hypothesis 2 (false flag): Alternatively, a highly skilled Chinese hacking group may have deliberately mimicked Kimsuky’s TTPs to mislead attribution and shift blame to North Korea.
- Hypothesis 3 (collaboration or outsourcing): It could also be a joint operation between North Korean and Chinese intelligence agencies, or North Korea may have subcontracted Chinese hacking mercenaries. Cooperation among state-sponsored groups is increasingly common.
I believe this **‘strategic ambiguity in attribution’** is likely an intentional tactic, not just the difficulty of analysis. Hackers at this level are not careless about leaving traces. Leaving conflicting evidence is likely deliberate.
The effect of this ambiguity is clear: it delays and complicates the victim state’s response. Which country should South Korea diplomatically protest to? Who should be sanctioned? How should it coordinate with allies? The attacker weaponizes the attribution process itself—creating uncertainty, delaying response, and sowing discord between states.
Therefore, our defense strategy should not get bogged down in “who hit us” but should focus immediately on technical defenses and recovery regardless of the perpetrator—i.e., adopt an ‘attribution-agnostic’ resilience posture.
Part 2: Why were we helpless? (systemic failures and a crisis of digital trust)
Now shift focus from “what happened” to “why was it possible.” We identify the fundamental weaknesses that enabled the attack’s success.
2.1 Collapsed perimeter: the illusion of the ‘castle and moat’ defense model
- Single point of failure: Our entire security model was, metaphorically, a ‘Castle and Moat’ model. The idea was that if the strong perimeter (here, the VPN gateway) is secure, then the inside is safe. But once that gate was breached, everything collapsed. It proved that the perimeter was not a robust wall but merely a fragile screen.
- Implicit trust (the attackers’ greatest ally): Once inside, attackers operated in a largely ‘trusted’ environment. Traditional security postures were not designed to scrutinize internal traffic as tightly as external traffic. This implicit assumption—“once inside, you are on our side”—was the attackers’ greatest ally, enabling them to move laterally toward the GPKI with minimal resistance. The notion that “the internal network is safe” is dangerously outdated.
2.2 Authentication gap: how modern phishing neutralizes legacy MFA
- The illusion of MFA security: Did you reassure yourself with “we use MFA, so we’re fine”? That was an illusion. This incident shows how little we understood modern phishing threats. SMS or app-based MFA can prevent simple credential theft, but it is helpless against real-time session-hijacking attacks like the AiTM described in section 1.2.
- Technical analysis of AiTM: The attackers’ phishing site acted as a proxy, transparently relaying victim credentials and MFA prompts to the real site. Once the victim completed authentication, the proxy intercepted the resulting ‘session cookie.’ It is the cookie—not the password—that is the ‘key’ proving an authenticated session. By stealing this, the attackers simply bypassed MFA.
- Government’s tacit admission of failure: The government’s late move to add ARS (automated telephone) verification is effectively an admission that existing MFA was insufficient. But frankly, this is a stopgap: more sophisticated attacks can automate even phone-based verification.
2.3 Darkness inside the walls: catastrophic lack of internal visibility and control
- Undetected lateral movement: Worse, attackers roamed from the initial entry point (VPN server) to the final target (GPKI system) without anyone noticing. This means internal network monitoring and segmentation were severely lacking. Traditional perimeter-focused tools have clear limits in monitoring east-west traffic inside the network.
- Need for EDR/XDR: Because there was no **EDR (Endpoint Detection and Response)** or XDR (Extended Detection and Response), the security team had no ‘eyes’ to detect malicious processes (e.g., Cobalt Strike beacons) or anomalous internal network connections. It was like having a castle with a breached wall and no sentries inside.
2.4 Fundamental threat: systemic impact of a PKI compromise
- From espionage to systemic destruction: The theft of GPKI certificates is not mere data leakage. It’s akin to obtaining a ‘weapon’ capable of causing widespread chaos. GPKI is the root that guarantees the trust of all digital government operations.
- Potential attack scenarios: What could an adversary holding this ‘digital master key’ do?
  - Impersonate any official: Issue fake orders, sign forged official documents as if they were authentic, and access systems that require GPKI authentication.
  - Disseminate false information: Create official-looking public alerts or press releases to cause social panic or manipulate financial markets.
  - Destroy critical infrastructure: If GPKI certificates are used in control systems for national infrastructure (power, water, transportation), their misuse could lead to physical destruction—catastrophic consequences.
- Erode public trust: The mere fact of this compromise can shake citizens’ trust in digital government services, causing people to avoid digital interaction with the state. The government’s admission of the breach itself underscores the reality of this threat.
The GPKI breach elevates the threat from passive ‘espionage’ (stealing information) to active, “nation-level manipulation.” Traditional hacking steals data; its value lies in what the attacker learned. But GPKI underpins the authenticity and integrity of government digital actions. Stealing GPKI keys means acquiring the ability to create and approve documents as a legitimate government actor, not just read them.
This enables attackers to directly influence both information and military domains. They can issue credible fraudulent commands. Therefore, this is a strategic-level threat that transcends cybersecurity—it’s a national security crisis requiring leadership at the highest levels, not just the IT department.
Part 3: Blueprint — we can’t stay like this; how to change
So how do we fix the catastrophic failures identified in Part 2? Here we propose a comprehensive, layered defense strategy using modern security paradigms.
3.1 Mandate Zero Trust: a new security paradigm
- Core philosophy: “Never trust, always verify”: Bottom line: retire the failed ‘Castle and Moat’ model and implement a Zero Trust Architecture (ZTA) immediately. This paradigm assumes the network is already compromised. Regardless of network location (internal or external), every user, device, and application requesting access to any resource must be strictly and continuously verified.
- Link to national policy: Fortunately, this is not pie-in-the-sky. The Republic of Korea has already published ‘Zero Trust Guideline 1.0’ and a maturity model for implementation (‘2.0’). The problem is execution.
- Key implementation elements:
  - Identity (ID): All users (human and machine) must be strongly and continuously authenticated. A single login is not enough.
  - Devices: All devices must be inventoried and must prove their security posture (patch level, running processes, etc.) before being granted access.
  - Network: Treat the network as hostile. Encrypt all traffic and segment the network finely to prevent lateral movement (see 3.3).
  - Least-Privilege Access: Grant users and applications only the minimum privileges needed for the shortest time necessary.
Table 1: Comparative analysis of security models
This table makes clear why we must change.
| Feature | Traditional Perimeter Model (Past) | Zero Trust Architecture (Present/Future) |
|---|---|---|
| Core philosophy | “Trust, but verify” | “Never trust, always verify” |
| Security focus | Perimeter (network exterior) | Data, assets, resources (everywhere) |
| Network assumption | ‘Internal’ is safe and trustworthy | Network is always hostile and breached |
| Primary defenses | Firewalls, VPNs, IDS/IPS | Strong ID authentication, device attestation, micro-segmentation |
| Access control | Broad network access allowed (internal-friendly) | Least privilege and fine-grained access for every request |
| Biggest weakness | Insider threats and lateral movement | Complex implementation and policy management (addressable with technology) |
3.2 Achieve panoramic visibility and automated response with XDR
- Security stack integration: Enforcing Zero Trust requires visibility. You have to be able to see what’s happening to stop it. XDR (Extended Detection and Response) aggregates data from endpoints (EDR), network, cloud, email, identity systems, and more—correlating across all security layers to provide that visibility.
- AI-based threat hunting: XDR uses AI and machine learning to analyze vast amounts of data and detect subtle patterns or anomalies—like lateral movement attempts seen in the GPKI incident—automatically. It changes defense from reactive to proactive.
- Automated response playbooks: When a threat is detected, XDR can execute predefined playbooks. For example, if a Cobalt Strike beacon is detected, the system can automatically isolate the infected endpoint from the network, block C2 communication at the firewall, and disable the associated user account—within seconds. This dramatically reduces response time and contains breaches.
3.3 Contain compromise: implement micro-segmentation
- Build more walls inside the castle: This is absolutely critical. **Micro-segmentation** is the practical application of Zero Trust principles to the network. In short, it divides the network into very small isolated zones down to the application or workload level.
- Prevent lateral movement: Communications between these zones are denied by default and only allowed by explicit policy. Had this been in place, an attacker who breached the VPN would not have been able to reach the GPKI zone, because no policy would have permitted a network path from the VPN zone to the GPKI zone. Micro-segmentation confines breaches to small areas so that a minor intrusion cannot escalate into a catastrophic failure.
3.4 Build phishing-proof foundations: the case for FIDO/WebAuthn
- Technical solution to AiTM: How do we stop that clever AiTM phishing? The solution is FIDO/WebAuthn standards.
- How it works: During registration, the user’s device (a hardware security key or smartphone) generates a unique cryptographic key pair (public/private). The private key never leaves the device. During login, the server issues a ‘challenge’ which the device signs with the private key; the server verifies the signature with the public key.
- Phishing resistance: These keys are bound to the legitimate website’s domain, so a phishing site on a different domain cannot obtain a valid signature; the device simply will not respond. Because the scheme has no “shareable secret” such as a password or one-time code, an AiTM proxy has nothing to relay, and the attack chain is cryptographically neutralized. Implementing this across all critical government systems is essential. The government’s move toward biometric mobile IDs is a positive step in this direction.
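To make the origin-binding argument concrete, here is an added Go example (not code from this report or from any FIDO implementation) that models a reduced WebAuthn flow: registration, the device's assertion, and the relying party's verification. The relying-party ID `login.gov.example`, the origins, the challenge strings and the trimmed authenticatorData layout are assumptions of the example; attestation, signature counters and user verification are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"strings"
)

// Simplified WebAuthn model (an assumption of this example): one credential per relying-party ID,
// signing SHA-256(authenticatorData || SHA-256(clientDataJSON)); attestation and counters are omitted.
type Authenticator struct{ rpID string; priv *ecdsa.PrivateKey }

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register creates a credential bound to rpID; the server stores only the public key.
func Register(rpID string) (*Authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) } // a failing system RNG is not something a login flow can recover from
	return &Authenticator{rpID: rpID, priv: priv}, &priv.PublicKey
}

// signedDigest is what the private key signs; origin and challenge sit inside cd, so both are covered.
func signedDigest(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert is the device's login step. The browser supplies the origin the user is really on, and the
// credential answers only for its own rpID or a subdomain: an AiTM proxy on a lookalike domain gets nothing.
func (a *Authenticator) Assert(origin, challenge string) (cd, authData, sig []byte, err error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != a.rpID && !strings.HasSuffix(host, "."+a.rpID) {
		return nil, nil, nil, errors.New("authenticator: origin not bound to this credential")
	}
	cd, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData = append(rpHash[:], 0x01) // rpIdHash || flags (user present)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	return cd, authData, sig, err
}

// Verify is the relying party's check: its own challenge and origin, its rpIdHash, and a signature over all of it.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, cd, authData, sig []byte) error {
	var c clientData
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case json.Unmarshal(cd, &c) != nil || c.Type != "webauthn.get" || c.Challenge != challenge || c.Origin != origin:
		return errors.New("client data does not match this login: " + string(cd))
	case len(authData) < 33 || string(authData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedDigest(authData, cd), sig):
		return errors.New("signature does not verify")
	}
	return nil
}
```

Because the challenge and origin are inside the signed client data, a captured assertion cannot be replayed for a new login or edited to point at another site, which is the property that session-cookie theft behind an AiTM proxy never had.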
3.5 Strengthen foundational security: mandate SBOMs for software supply chain integrity
- Address root causes: Recall that this incident began with a vulnerability in a third-party product (Ivanti VPN). We were compromised due to software we didn’t write. We must address the enormous inherent risk in the software supply chain.
- Role of SBOM: **SBOM (Software Bill of Materials)** is a formal inventory of all components, libraries, and dependencies within a software product.
- Mandate transparency: The government should require vendors to submit SBOMs as a procurement condition. Then, when a new vulnerability is disclosed, security teams can instantly query the SBOM database to determine which government systems are affected and accelerate patching. This aligns with global trends in the US and EU and with existing domestic guidelines.
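An added Go example (not from this report or from any SBOM tooling) of the query described above: given a flattened SBOM inventory and an advisory with an affected version range, list the systems that ship a vulnerable build. The inventory, system names, component names and versions are constructed for the example; the version comparison orders dotted numeric versions and falls back to string order for suffixes like `1.1.1w`.

```go
package main

import (
	"sort"
	"strconv"
	"strings"
)

// Component is one SBOM entry; Inventory maps each deployed system to the flattened component
// list from its SBOM; Advisory is a disclosed vulnerability as a half-open range [Introduced, Fixed).
type (
	Component struct{ Name, Version string }
	Inventory map[string][]Component
	Advisory  struct{ Component, Introduced, Fixed string }
)

// compareVersions orders dotted versions numerically (1.2.10 > 1.2.9); missing parts count as 0, non-numeric parts use string order.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for len(as) < len(bs) { as = append(as, "0") }
	for len(bs) < len(as) { bs = append(bs, "0") }
	for i := range as {
		xi, xerr := strconv.Atoi(as[i])
		yi, yerr := strconv.Atoi(bs[i])
		if xerr == nil && yerr == nil && xi != yi {
			if xi < yi {
				return -1
			}
			return 1
		}
		if (xerr != nil || yerr != nil) && as[i] != bs[i] {
			return strings.Compare(as[i], bs[i])
		}
	}
	return 0
}

// Affected reports whether v lies in the advisory's range; an empty Fixed means no fix has shipped.
func (adv Advisory) Affected(v string) bool {
	return compareVersions(v, adv.Introduced) >= 0 && (adv.Fixed == "" || compareVersions(v, adv.Fixed) < 0)
}

// AffectedSystems is the query run the moment an advisory lands: which systems ship a vulnerable build?
func AffectedSystems(inv Inventory, adv Advisory) []string {
	var hits []string
	for system, comps := range inv {
		for _, c := range comps {
			if c.Name == adv.Component && adv.Affected(c.Version) {
				hits = append(hits, system+" ("+c.Name+" "+c.Version+")")
				break // one hit per system is enough for triage
			}
		}
	}
	sort.Strings(hits) // map iteration order is random; sort for a stable report
	return hits
}

// sampleInventory is constructed for this example; system names, components and versions are illustrative.
var sampleInventory = Inventory{
	"vpn-gateway-01": {{"example-vpn-appliance", "22.3.1"}, {"openssl-lib", "3.0.12"}},
	"hr-portal":      {{"web-framework", "5.1.0"}, {"openssl-lib", "3.0.14"}},
	"gpki-ca-core":   {{"hsm-client", "2.7.4"}, {"openssl-lib", "3.0.9"}},
	"mail-relay":     {{"smtp-daemon", "1.19"}, {"openssl-lib", "1.1.1w"}},
}
```

With an advisory for `openssl-lib` covering 3.0.0 up to but not including 3.0.13, the query returns `gpki-ca-core` and `vpn-gateway-01`; the point is that the answer comes from data the vendor already supplied, not from an emergency survey of every ministry.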
3.6 Train a combat-ready workforce: adversarial simulation and talent development
- From compliance to combat readiness: Technology alone is not enough. People matter. Security cannot be reduced to paperwork or theoretical exercises. The government must run realistic and continuous adversarial simulation (red team vs blue team) programs.
  - Red Team: Simulates attackers using the same TTPs as Kimsuky to test our defenses.
  - Blue Team: The internal defenders who detect and block the Red Team’s attacks.
  - Purple Team: Facilitates communication between Red and Blue to extract lessons and improve defenses.
- Use national training programs: In addition to these internal exercises, participate actively in government-led cross-ministry cyber crisis response drills covering scenarios like phishing campaigns and DDoS attacks.
- Invest in human capital: National strategies like ‘national cybersecurity talent development’ are good starts. We must cultivate elite cybersecurity professionals with practical skills. This requires university programs, hands-on training centers, and clear career paths for public-sector security experts.
3.7 Collective defense: strengthen domestic and international threat-sharing systems
- Optimize the C-TAS system: We cannot struggle in isolation. The Cyber Threat Analysis & Sharing system (C-TAS) must act as the national hub for threat intelligence. Indicators of compromise (IoCs) and TTPs from incidents like the GPKI breach should be automatically distributed in machine-readable formats to all government agencies and critical infrastructure partners. Quality, timeliness, and actionability of data are key.
- Deepen international cooperation: Nation-state attacks are a global issue. South Korea must deepen intelligence-sharing partnerships with allies—getting early warnings on new campaigns, sharing threat actor analysis, and coordinating diplomatic and law enforcement responses.
Conclusion: painful lessons and strategic tasks that must start immediately
In summary: the GPKI breach incident is a painful lesson. Our analysis shows it is a symptom of deeper structural maladies. This cannot be fixed with mere band-aids; the structure itself must be changed.
For national leadership, I have prioritized the strategic tasks to modernize our cyber defense posture.
- Immediate priorities (0–6 months):
  - Mandate adoption of phishing-resistant MFA (FIDO/WebAuthn) for all high-risk accounts and critical systems immediately.
  - Conduct urgent audits of all internet-connected systems and order immediate patching of known vulnerabilities.
  - Accelerate deployment of EDR/XDR solutions across all government endpoints and servers.
- Medium-term priorities (6–24 months):
  - Using national guidelines as a roadmap, formally adopt a whole-of-government Zero Trust Architecture and begin phased implementation.
  - Implement network micro-segmentation, starting with protection of critical assets like GPKI.
  - Require SBOM submission in all new software procurement contracts.
- Long-term strategic priorities (24+ months):
  - Establish a permanent, whole-of-government Red Team to provide ongoing adversarial testing.
  - Fully support and implement a national cybersecurity talent development strategy to build a sustainable defense workforce.
  - Deepen international intelligence-sharing agreements focused on nation-state threat actors.