China-Based Hackers Targeting South Korea Over THAAD: Report

China’s retaliation against South Korea for the deployment of THAAD continues.

China-Based Hackers Targeting South Korea Over THAAD: Report
Credit: U.S. Pacific Command

China-based hackers linked to the Chinese People’s Liberation Army targeted South Korean institutions involved in the deployment of an advanced missile defense system and radar, U.S.-based cybersecurity firm FireEye told the Wall Street Journal. The Terminal High Altitude Area Defense (THAAD) system and its accompanying AN/TPY-2 X-band radar system have been strongly opposed by China, which views their deployment on the Korean peninsula as a threat to its own security.

According to the Journal‘s report, FireEye found that “two cyberespionage groups … linked to Beijing’s military and intelligence agencies … launched a variety of attacks against South Korea’s government, military, defense companies and a big conglomerate.” If true, China’s moves demonstrate a marked escalation over its other retaliation against South Korea, which has included unofficial economic sanctions against South Korean firms operating in China.

FireEye notes that Chinese hackers haven’t suddenly turned their attention to South Korea; indeed, China-based hackers have long paid attention to the country, which is a U.S. ally. The increase in cyberattacks comes weeks after the United States and South Korea confirmed the delivery of the THAAD battery, which will be deployed at Gyeogsangbuk-do, in Seongju County.

FireEye offers additional detail on the groups involved: “One of the two hacker groups, which FireEye dubbed Tonto Team, is tied to China’s military and based out of the northeastern Chinese city of Shenyang, where North Korean hackers are also known to be active.” Another group, “known as APT10, may be linked to other Chinese military or intelligence units.”

The South Korean government has not confirmed the Journal‘s reporting on FireEye’s findings, but did note a cyber attack against its website earlier this year. In March 2017, South Korea announced that it would be raising its cyberattack alert level. Lotte Group, the South Korean conglomerate that sold land to enable the deployment of the THAAD battery, had its website attacked earlier this year as well.

South Korea’s Yonhap news agency also reported that “the home pages of 10 South Korean firms and some South Korean embassies in other countries have been disrupted by distributed denial of service attacks.”

In December 2016, North Korean hackers were able to hack South Korea’s cyber command. The South Korean government confirmed earlier in April that North Korean hackers were able to gain access to part of the U.S.-South Korea alliance’s secret war plan, known as OPLAN 5027.