A Lesson to Learn from Cybersecurity Vulnerabilities in South Korea’s Election Systems
David Sehyeon Baek
Investment, Cybersecurity, DarkWeb/DeepWeb/OSINT Threat Intelligence, Ethical Hacking, Innovation, Strategy, Business Development, Marketing, IT, International Relations, Diplomacy, M&A, IPO, Accelerating, Policymaking
Transparency
In the midst of heated debates and swirling suspicions about election fraud in South Korea, a growing chorus demanded nothing less than complete transparency. Rather than fueling endless speculation, experts believed that a comprehensive cybersecurity audit was the only way to address these concerns with concrete evidence.
Breaking the Silence
On October 10, 2023, a breakthrough came when the National Intelligence Service (NIS) issued a press statement detailing the results of a joint cybersecurity inspection. This investigation, a collaborative effort between the National Election Commission (NEC), NIS, and the Korea Internet & Security Agency (KISA), set out to uncover vulnerabilities that could compromise the electoral process.
An In-Depth Investigation
From mid-July to late September 2023, a dedicated team from these organizations worked tirelessly behind the scenes. Their mission was clear: scrutinize everything from system vulnerabilities and hacking response capabilities to the security management of critical information and communication infrastructure. The team, which even included observers from both ruling and opposition parties to ensure impartiality, soon began unraveling a web of security flaws that threatened the very foundation of South Korea’s democracy.
Alarming Flaws in the Voting Systems
The investigation painted a troubling picture. At the heart of the electoral system, the integrated voter registration system was found to have weak access controls. This oversight meant that hackers could potentially slip into the NEC’s internal network, altering voter statuses or even registering phantom “ghost voters.” In another alarming discovery, digital files of official stamps used in early voting ballot management were susceptible to theft, allowing unauthorized parties to print counterfeit ballots complete with matching QR codes. Even the online voting system was not immune; inadequate voter authentication made it disturbingly possible for someone to cast a vote on behalf of a legitimate citizen.
Cracks in the Vote Counting Systems
The vulnerabilities did not stop at the voting stage. The systems responsible for counting votes also showed signs of weakness. Inside the NEC’s secure internal network, there existed the potential for a malicious actor to alter final vote totals. Vote-sorting machines, which ideally should be impenetrable, were found to be at risk from simple USB exploits and even wireless interference—each a potential backdoor for tampering with the democratic process.
Kimsuky Breach Exposes NEC Vulnerabilities
Kimsuky, also known as Velvet Chollima, is a notorious North Korean state-sponsored hacking group renowned for its high-profile cyber espionage campaigns. The group has been linked to several infamous incidents, such as the 2014 breach of Korea Hydro & Nuclear Power and various attacks on South Korean government agencies. In April 2021, the National Intelligence Service (NIS) reported that Kimsuky targeted a senior official at one of the National Election Commission’s (NEC) regional offices by compromising a private email account. The hackers, posing as trusted colleagues, deployed malicious code to steal confidential information and classified documents. Although this incident involved only an individual account rather than a full-scale network infiltration, it exposed significant vulnerabilities within the NEC’s cybersecurity framework, intensifying concerns about the security of South Korea’s electoral infrastructure.
Systemic Security Oversights
As the investigation dug deeper, more systemic issues came to light. Critical internal networks were not properly segregated from the internet—a practice standard in high-security industries such as finance. This lack of isolation, combined with weak, easily guessable passwords (sometimes as simple as “12345”) and the storage of sensitive data in plain text, significantly increased the risk of large-scale data breaches. Even the NEC’s own self-assessment was misleading; while they had awarded themselves a perfect score, independent reevaluations exposed a staggering gap, with scores plummeting to as low as 31.5 out of 100.
Expert Testimony
Adding to these concerns, former NIS Third Deputy Director Baek Jong-uk, who testified as a witness at President Yoon Suk-yeol’s impeachment trial, delivered a damning account of the NEC’s cybersecurity shortcomings. Speaking at the Constitutional Court on the 11th hearing day, Baek revealed that a thorough analysis of the NEC’s integrated system audit report uncovered multiple vulnerabilities and glaring deficiencies in security management. He explained that the NEC’s work network and election network were not fully segregated—there existed connection pathways that hackers could exploit to penetrate internal systems. “If the election system is attacked, it could trigger societal chaos,” Baek warned.
Baek also recounted that the NEC had proactively sought guidance on how to manage these security checks, having never undergone such evaluations before. While the NEC argued that vulnerabilities emerged simply because they provided the requested information, Baek countered that these issues were common across various agencies. He noted that the NIS security check covered only 5% of the NEC’s 6,400 devices—just 317 units—due to imposed limitations, even though more extensive testing was needed. Emphasizing the risk of hacking, he pointed out that 74% of North Korea-linked cyber incidents from 2020 to 2022 were due to email-based hacking attacks, with even a single malicious email capable of compromising the internal network. He further highlighted the lax password management in the vote-counting systems, which could allow an attacker to alter entire vote counts, thereby jeopardizing the integrity of the democratic process. Baek’s testimony culminated in a stark warning: if these vulnerabilities are left unaddressed, they could plunge the nation into chaos and damage South Korea’s standing as an IT powerhouse.
Beyond Server Logs: A Comprehensive Approach to Cybersecurity Assessments
Beyond reviewing server logs, professional cybersecurity investigations typically include a wide range of assessments and tests to ensure comprehensive coverage.
By combining these assessments with regular server log reviews, organizations can gain a much clearer and holistic picture of their cybersecurity condition, identifying not just external threats but also internal vulnerabilities and procedural gaps.
Ineffective Incident Response
Perhaps most concerning were the findings related to how the NEC responded to security incidents. Over the past two years, multiple hacking attempts—some linked to North Korea—went undetected. In one instance, compromised staff email accounts were not promptly reported to affected employees, leaving them vulnerable to repeated attacks. In another, malware infiltrated a network-connected NEC computer, leading to the leak of confidential documents and highlighting the dire need for a more robust incident response strategy.
Steps Toward Reform
In response to these revelations, the NEC has embarked on a journey of rapid and significant reform. Immediate measures have been taken to secure network connection points, enforce robust user authentication protocols, and ban weak password practices. In the coming months, there is a determined effort to patch vulnerabilities before the next major election cycle. Beyond these technical fixes, there is a growing call for transparency—urging the NEC to share detailed information about its security practices, vendor choices, and system monitoring procedures with the public and independent experts alike.
The Imperative of Network Segregation and Encryption
A central theme of the audit was the critical need for strict network segregation. In industries where the stakes are equally high—like finance—internal systems are kept isolated from the internet to prevent unauthorized access. For the NEC, adopting a similar approach would mean protecting sensitive voter data and ensuring that the integrity of each vote is never compromised by external threats. Equally vital is the need for robust data encryption. With current practices leaving sensitive data in plain text, there is an urgent call to implement modern encryption standards to secure information, even if hackers manage to breach other defenses.
Rebuilding Trust in Democracy
This audit is not merely a technical evaluation; it is a narrative of vigilance, accountability, and the relentless pursuit of trust in a democratic society. The NEC, as the custodian of the electoral process, now faces the dual challenge of strengthening its cybersecurity defenses while also rebuilding public trust. Regular independent audits, continuous system updates, and an unwavering commitment to transparency are seen as essential steps to ensure that every vote is counted securely and accurately.
A Roadmap for the Future
In the end, the story of this cybersecurity audit serves as both a warning and a roadmap. It reminds us that in an age where technology underpins democracy, safeguarding the electoral process is as critical as safeguarding the vote itself. Only through decisive action and a steadfast commitment to openness can South Korea ensure that its democracy remains resilient against the evolving threats of the digital world.
Important insights! Shows how crucial strong cybersecurity is for protecting democracy. Hoping these reforms lead to real trust and resilience in future elections.