NIS responds to sophisticated disguised intrusions against the Onnara system and others
2025-10-17 • KRNIS • NIS response to sophisticated disguised intrusions against government systems
Attachments
보도자료251017온나라.hwp (2 MB)
South Korea’s National Intelligence Service (NIS) reported unauthorized access to Onnara and related public-sector administrative systems after obtaining advance intelligence about compromises affecting government and private organizations. The attacker appears to have acquired government GPKI certificates and passwords, studied the authentication flow, and used six certificates and six domestic or foreign IP addresses to pass through the government G-VPN remote access system from September 2022 through July before reading materials in Onnara. Additional exposure included ministry mail-server source code, GPKI passwords, about 180 public-official email accounts that may have accessed phishing sites, telecom server certificates or access files, and a media company VPN login page. Phrack attributed the activity to North Korea’s Kimsuky, but NIS stated that technical evidence was not sufficient to determine the actor and said it was still analyzing IP history, certificate theft patterns, attack methods, targets, Chinese-language translation traces, and possible Taiwan-related activity. The response included blocking the six abused IP addresses, revoking compromised GPKI certificates, changing passwords, strengthening remote-access MFA, changing Onnara authentication logic, tightening server access controls, and fixing source-code weaknesses.