Analysis of APT attacks against diplomatic, security, and North Korea research institutions, 'Operation Water Tank'

2018-05-31 ESTSecurity Analysis of APT attacks against diplomatic, security, and North Korea research institutions, 'Operation Water Tank'

http://blog.alyac.co.kr/1718


ESRC describes Operation Water Tank as a quiet watering-hole campaign conducted from April to May 2018 against South Korean think tanks, North Korea-related organizations, military-related websites, and other diplomacy, security, and unification research targets. Attackers compromised specialized Korean websites and inserted exploit code for Korean software, especially ActiveX control vulnerabilities, so visitors in the intended target community would be infected. The campaign used obfuscation, scripts disguised as legitimate website code, and a temp.vbs flow that ESRC says matched earlier 2017 watering-hole activity against Korean targets. ESRC assesses the activity as state-sponsored based on telemetry overlap with prior intrusions against South Korean defense, financial security, defense-agency, enterprise, and financial-sector targets, and notes code similarities reaching back to older Korean incident activity.
