
Fires at South Korean data centers destroyed 858 TB of data and may be linked to North Korea

In late September 2025, South Korea faced one of the largest technological disruptions in its history. Two fires at data centers, occurring within a week, crippled hundreds of government online services, including e-government portals, postal, and tax systems. The country’s prime minister called the situation a “digital paralysis.” There is speculation online that the events may be linked to a Phrack article about system intrusions carried out by a North Korean hacker.

Fires and “digital paralysis”

The first fire broke out on September 26 at the National Information Resources Service (NIRS) building in Daejeon and lasted for more than 22 hours. According to CNN and Korea Herald, the blaze started when lithium-ion batteries from the uninterruptible power supply caught fire while they were being replaced and moved to the building’s basement.

NIRS serves as the backbone of South Korea’s e-government system, integrating the IT infrastructure of central ministries and local authorities. More than a third of the 1,600 government systems were hosted in the aforementioned data center.

Because of the fire, the temperature in the server room reached critical levels, and it is reported that the overheating of some batteries triggered a chain reaction that ignited others. A total of 170 firefighters and 63 fire engines were deployed to extinguish the blaze, but it was only brought under control by the following morning.

The consequences were catastrophic: 96 critical information systems went offline, and a further 551 services were preemptively shut down (to prevent damage from overheating). In total, 647 government online services ceased operation simultaneously.

The most serious damage was inflicted on the government cloud platform G-Drive — the Google Drive equivalent for civil servants. Since 2018, all 750,000 government officials in the country have been required to store work documents exclusively in this cloud. Each employee was allocated about 30 GB of space for reports, official documents, and files.

As it turned out, due to the system’s architecture there were no external backups of G-Drive (the backups were stored on separate equipment within the same building, and the fire destroyed both the primary data and their backups). As a result, according to the Korea Herald, the fire led to a complete and irreversible loss of data. In total, up to 858 TB of government information may have been irretrievably lost.

The Ministry of Personnel Management suffered the most, as employees were required to store documents exclusively in G-Drive. The agency is now attempting to recover information from local files saved on employees’ personal computers, email, and paper copies.

Also among the services shut down due to the fire were: the Government 24 public services portal, webmail systems, the mobile identification system (which created problems for travelers at airports), portals for filing complaints and paying taxes, and even the 119 emergency call system.

A week after the first incident, on October 3, a second fire occurred — this time at Lotte Innovate’s data center, also located in Daejeon. According to DataCenter Dynamics, it took less than an hour to put out. Twenty-one fire engines and 62 personnel were dispatched to the scene. The preliminary cause was also cited as a battery catching fire.

Two major fires at data centers in the same city within a single week is a statistically unlikely event, and it has raised many questions in the professional community. The media report that the incident was the result of accumulated systemic issues. In November 2023, there had already been a large-scale outage of administrative systems, after which experts recommended implementing a “twin server” system — a fully duplicated architecture with real-time data mirroring. However, these recommendations were never implemented.

An audit conducted in 2024 also found that NIRS systematically delayed the replacement of obsolete equipment, and some devices had failure rates exceeding 100%.

According to the Korea Herald, as of October 3 only 115 of the 647 affected systems had been restored — about 18%. The government initially promised to restore the affected services within two weeks, but experts expect the timeline will be extended.

To date, police have searched the NIRS headquarters and businesses involved in supplying the uninterruptible power supply system. Four people have been detained on suspicion of professional negligence, including one NIRS employee and three contractors responsible for moving the batteries.

The death of a 56-year-old senior official who oversaw the data center restoration work has also been linked to the incident. According to the South Korean newspaper The Dong-A Ilbo, on the morning of October 3 he was found near the central building of the government complex in Sejong and died shortly thereafter in the hospital. His mobile phone was found in a smoking area on the 15th floor. The official held a senior post at the Office of e-Government Innovation. The Ministry of the Interior and Safety emphasized that he was not involved in the fire investigation; however, the circumstances of his death are under investigation.

Theory of a link to North Korea

In parallel with the investigation into the fires, an unexpected and almost conspiratorial theory emerged online. As many of our readers surely remember, in June 2025 the publication Phrack (the legendary e-zine that has been published since 1985) released a major investigation titled “APT Down: The North Korea Files.”

At the time, hackers using the handles Saber and cyb0rg wrote an article describing the compromise of a member of the North Korean espionage hacking group Kimsuky (also known as APT43 and Thallium). We published a detailed summary of that article.

The authors of the article claimed they managed to hack a workstation with a virtual machine and a VPS belonging to a North Korean hacker they referred to as “Kim.” This allowed them to compromise nearly 20,000 records and the Chrome and Brave browser histories belonging to the attacker, steal malware operation manuals, passwords and email addresses, as well as credentials for various tools.

As a result, Saber and cyb0rg obtained a massive trove of data on cyberattacks against South Korean organizations. According to the article, “Kim” had access to the internal networks of the South Korean government, including the Onnara system—an internal government portal. Stolen certificates from the Government Public Key Infrastructure (GPKI) were also found, as well as logs of attacks on the Ministry of National Defense, the Ministry of Foreign Affairs, and other South Korean government entities.

Now this Phrack publication has been supplemented with an interesting timeline: as it turned out, the authors of the article tried to warn the South Korean authorities about the attacks starting on June 16, 2025, informing the Defense Counterintelligence Command, KISA (the Korea Internet & Security Agency), KrCERT, and other agencies.

Next, according to Phrack’s chronology, the events unfolded as follows.

  • September 24, 2025: South Korea’s parliament launched an investigation into possible hacking attacks from China and North Korea targeting the country’s critical government systems.
  • September 25: the government announced an on-site inspection scheduled for September 26–27.
  • September 26, evening: on the first day of the inspection, a fire broke out at the NIRS data center, completely destroying 96 servers, including the Onnara and GPKI systems — the very ones mentioned in the Phrack article as compromised.
  • October 2: a second fire occurred at the Lotte IDC data center, which was also part of the investigation.
  • October 3: the death of a 56-year-old official who oversaw the data center restoration efforts.

The Phrack authors note that the batteries, whose ignition is cited as the official cause of the fire, were manufactured by LG — the parent company of LG Uplus, which, according to their investigation, was also compromised by North Korean hackers.

As a result, a theory emerged online that the fires might have been part of an operation to destroy evidence, and that the official’s death was connected to the investigation of these cyberattacks. However, it should be emphasized that this is only a theory and has no official confirmation. The South Korean authorities are investigating the fires as the result of a technical malfunction and professional negligence, and the circumstances of the official’s death are being examined separately.
