South Korea Reports 26% Surge in Cybersecurity Breaches as AI-Powered Attacks Reshape Threat Landscape

South Korea's Ministry of Science and ICT has released a sobering annual report revealing that cybersecurity breaches reported to authorities jumped 26% in 2025, climbing from 1,887 incidents in 2024 to 2,383 last year. The sharp increase underscores a dramatic shift in both the scale and sophistication of cyber threats as attackers increasingly leverage artificial intelligence to automate and enhance their operations.

Executive Summary

The 26% year-over-year increase in reported cybersecurity incidents represents more than just rising numbers—it signals a fundamental evolution in cyber warfare tactics. With server intrusions accounting for 44.2% of incidents and DDoS attacks representing 24.7%, South Korea experienced attacks across critical infrastructure sectors that directly impact citizens' daily lives, including mobile networks, financial services, education, and healthcare.

The report highlights an alarming trend: hackers are no longer content to target traditional high-value sectors like research, manufacturing, and energy. Instead, they've expanded their operations to education and medical institutions, sectors that hold vast repositories of personal data but historically have had weaker security postures.

The Numbers Tell a Story

2,383 total cybersecurity breaches in 2025 (up from 1,887 in 2024)

Breakdown by attack type:

  • 44.2% — Server intrusions
  • 24.7% — Distributed Denial-of-Service (DDoS) attacks
  • 14.9% — Malicious code incidents (including ransomware)
  • Remaining incidents — Various other attack vectors

The Ministry of Science and ICT emphasized that "the scope of hackers' targets has expanded to the education and medical sectors, beyond previous targets that included research, manufacturing and energy institutions."

AI: The Force Multiplier

What makes the 2025 surge particularly concerning is the role of artificial intelligence in enabling more sophisticated and coordinated attacks. The ministry's report explicitly states that "hacking tactics are becoming more advanced through AI-based automation and coordinated attacks."

This AI-driven evolution manifests in several ways:

Automated Reconnaissance and Target Selection

AI algorithms can scan massive networks, identify vulnerabilities, and prioritize targets far faster than human operators. This allows threat actors to operate at scale, moving from reconnaissance to exploitation in minutes rather than days.

Coordinated Multi-Vector Attacks

Rather than simple, isolated intrusions, modern attackers are deploying AI to orchestrate complex, multi-stage campaigns that hit multiple points simultaneously, overwhelming defenses designed to handle single-threat scenarios.

Adaptive Malware

Machine learning enables malware that can modify its behavior in real-time based on the security controls it encounters, making signature-based detection increasingly obsolete.

The Deepfake Threat: 2026 and Beyond

Perhaps most alarming is the ministry's warning about emerging threats for 2026. Government analysts predict that attackers will increasingly exploit "trust-based communication methods" using deepfake technology capable of generating realistic voices and videos.

"In 2026, hackers may even seek to infiltrate 'trust-based communication methods,' such as real-time voice calls for virtual meetings, using deepfake technology that generates voices and videos," the report states.

This represents a dangerous evolution beyond traditional phishing. Imagine a scenario where a CFO receives what appears to be a video call from their CEO, complete with accurate voice and appearance, requesting an urgent wire transfer. Current security awareness training doesn't adequately prepare organizations for this level of deception.

AI Models as Direct Targets

The ministry also warned that attackers may begin directly targeting AI systems themselves:

"Attackers may inject malicious information into chatbots, analysis programs or security platforms to cause malfunctions or information leaks."

This technique, known as "AI poisoning," could have devastating consequences:

  • Customer service chatbots could be manipulated to leak sensitive customer data
  • Security analysis platforms could be compromised to ignore genuine threats
  • Business intelligence systems could be fed false data to mislead strategic decisions

Recent High-Profile Incidents

South Korea's cybersecurity challenges aren't abstract—the country experienced several major breaches in 2025 affecting platforms closely connected to citizens' daily lives:

KT Data Breach

In September 2025, South Korea's second-largest wireless carrier KT Corporation suffered a significant data breach. KT CEO Kim Young-shub publicly apologized for the incident during a December 30, 2025 press briefing, bowing in the traditional Korean gesture of deep contrition. The breach affected mobile network services relied upon by millions of South Koreans.

Financial Services Targeting

Multiple financial institutions faced coordinated attacks throughout 2025, prompting emergency security reviews across the banking sector. While specific institution names were not disclosed in the government report, sources indicate that several major banks experienced attempted intrusions.

Geopolitical Context

South Korea's cybersecurity challenges exist within a complex geopolitical environment. The country faces persistent cyber threats from multiple directions:

North Korea

The DPRK operates one of the world's most active state-sponsored hacking programs, targeting South Korean entities for espionage, financial gain (particularly cryptocurrency theft), and disruption. North Korean threat actors like the Lazarus Group have demonstrated increasingly sophisticated capabilities.

China

Chinese state-sponsored groups have long targeted South Korean entities, particularly around the deployment of US THAAD missile defense systems and during trade disputes. AI-powered reconnaissance and exploitation tools give these actors unprecedented scale.

Russia

While less focused on South Korea than other regions, Russian cybercriminal groups and state-sponsored actors have increasingly targeted the Asia-Pacific region, particularly as Western sanctions have intensified.

Domestic Cybercrime

South Korea's advanced digital economy and high technology adoption make it an attractive target for financially motivated cybercriminals worldwide.

Government Response

The Ministry of Science and ICT announced several countermeasures for 2026:

AI-Based Prevention Programs

"The government will operate AI-based prevention and response programs and take preemptive actions to address security blind spots to create a reliable cyber environment."

This represents a recognition that traditional signature-based defenses are insufficient. By deploying AI-powered security tools, South Korea aims to match the sophistication of attackers.

Enhanced Security Readiness

The ministry called on businesses to enhance their security readiness, particularly around:

  • Supply chain security — Third-party vendors represent significant risk
  • Zero-trust architecture — Moving away from perimeter-based security models
  • Continuous monitoring — Real-time threat detection and response
  • Employee training — Preparing staff for AI-powered social engineering

Cross-Sector Coordination

The report emphasizes the need for better information sharing between government, critical infrastructure operators, and private sector organizations.

Implications for Global Cybersecurity

South Korea's experience offers important lessons for the rest of the world:

1. AI is Democratizing Advanced Attacks

What once required nation-state resources can now be accomplished by smaller groups using AI tools. This democratization of sophisticated capabilities means more organizations face advanced threats.

2. Traditional Security Awareness Training is Obsolete

When deepfakes can convincingly impersonate executives, clicking on suspicious links is no longer the primary threat vector. Organizations need training that addresses AI-powered social engineering.

3. Critical Infrastructure Requires Nation-State Level Protection

As attackers expand beyond traditional targets to education, healthcare, and municipal services, these sectors need security investments previously reserved for defense contractors and financial institutions.

4. Real-Time Threat Intelligence is Essential

The speed of AI-powered attacks means that yesterday's threat intelligence is already obsolete. Organizations need continuous, real-time threat feeds and automated response capabilities.

5. International Cooperation is Critical

Cyber threats don't respect borders. South Korea's experience underscores the need for international information sharing, coordinated responses, and common security standards.

What Organizations Should Do Now

Immediate Actions

Audit AI Exposure
Identify where your organization uses AI systems (chatbots, analysis tools, automated decision systems) and assess their security controls.

Implement Multi-Factor Authentication Everywhere
If deepfakes can impersonate executives, MFA becomes your last line of defense.

Deploy AI-Powered Security Tools
Traditional signature-based defenses cannot detect novel AI-generated attacks. Behavioral analysis and anomaly detection become critical.

Update Incident Response Plans
Ensure your IR plan addresses AI-powered attacks, including deepfake scenarios and AI model poisoning.

Establish Verbal Authentication Protocols
For high-value transactions, implement pre-agreed verbal pass phrases or out-of-band confirmation via secondary channels.
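
An added example, not from the ministry report or the original article: a Python sketch of out-of-band confirmation for high-value transfers, where a one-time code is delivered over a callback channel enrolled in advance and is bound to the transfer details. The `TransferGate` class, the threshold, the code lifetime and the directory entry are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

THRESHOLD = 10_000        # assumed policy: transfers at or above this need confirmation
CODE_TTL_SECONDS = 300    # assumed validity window for a confirmation code

# Constructed directory: callback numbers enrolled in advance, never taken from the request.
DIRECTORY = {"ceo@example.com": "+82-2-555-0100"}


class TransferGate:
    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-side secret that binds codes to details
        self._pending = {}                   # request_id -> (tag, expiry)

    def _tag(self, request_id, code, amount, beneficiary):
        msg = f"{request_id}|{code}|{amount}|{beneficiary}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def open_request(self, requester, amount, beneficiary, now=None):
        """Return (request_id, callback_number, code); the last two are None below threshold."""
        now = time.time() if now is None else now
        request_id = secrets.token_hex(8)
        if amount < THRESHOLD:
            return request_id, None, None
        callback = DIRECTORY[requester]      # KeyError: no enrolled channel, so refuse
        code = f"{secrets.randbelow(10**6):06d}"
        tag = self._tag(request_id, code, amount, beneficiary)
        self._pending[request_id] = (tag, now + CODE_TTL_SECONDS)
        return request_id, callback, code    # code is read out over the callback channel only

    def confirm(self, request_id, code, amount, beneficiary, now=None):
        """True only for an unexpired, unused code that matches the original details."""
        now = time.time() if now is None else now
        entry = self._pending.pop(request_id, None)  # single use: one attempt per request
        if entry is None:
            return False
        tag, expiry = entry
        if now > expiry:
            return False
        expected = self._tag(request_id, code, amount, beneficiary)
        return hmac.compare_digest(tag, expected)    # constant-time comparison
```

Because the callback number comes from the directory rather than from the incoming call or message, a convincing voice or video on the original channel does not help an impostor obtain the code.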

Strategic Initiatives

Zero Trust Architecture
Move beyond perimeter security to continuous verification of all users, devices, and applications.

Security Operations Center Modernization
Ensure your SOC has the tools, training, and threat intelligence to detect and respond to AI-powered threats.

Third-Party Risk Management
Extensively audit your supply chain. Remember: you're only as secure as your weakest vendor.

Executive Education
Ensure C-suite and board members understand AI-powered threats and can make informed decisions about security investments.

Cyber Insurance Review
Verify that your policies cover AI-related incidents, including deepfake fraud and AI model compromise.

The 2026 Threat Landscape

As we move through 2026, expect to see:

  • Deepfake-powered business email compromise at scale
  • AI model poisoning becoming a standard attack technique
  • Automated vulnerability discovery enabling zero-day exploitation within hours of patch release
  • Coordinated, multi-stage attacks that combine ransomware, data theft, and DDoS
  • Attacks on AI training data designed to compromise models before deployment

Conclusion

South Korea's 26% increase in cybersecurity breaches represents more than just rising numbers—it's a canary in the coal mine for the global cybersecurity community. As AI democratizes sophisticated attack capabilities and expands the pool of viable targets, every organization must fundamentally rethink its security posture.

The days of treating cybersecurity as an IT problem are over. When deepfakes can impersonate your CEO, when AI can poison your business intelligence systems, and when automated attacks can move from reconnaissance to exploitation in minutes, cybersecurity becomes a core business risk that demands board-level attention and executive commitment.

South Korea's government has recognized this reality and is responding with AI-powered defenses and enhanced coordination. The question for organizations worldwide is simple: will you adapt to this new reality before or after you become another statistic in next year's breach report?


About the Author
This analysis is published by CISO Marketplace, providing security leaders with actionable intelligence on emerging threats and effective countermeasures.

Sources:

  • Ministry of Science and ICT, Republic of Korea
  • Yonhap News Agency
  • KT Corporation Public Statements
