People should strengthen security management to prevent online accounts from being hacked. [Photo: Shutterstock]

The number of reported cyber intrusion incidents last year rose by about 26 percent from a year earlier. Last year, intrusions mainly targeting infrastructure closely tied to daily life and supply-chain attacks threatened the public. The government urged vigilance this year over threats that abuse AI and secondary harm that exploits existing data leak incidents.

The Ministry of Science and ICT and the Korea Internet & Security Agency (KISA) on Jan. 27 released a "2025 Cyber Threat Trends" report and a "2026 Cyber Threat Outlook" report that included these findings.

The number of reported intrusion incidents last year was 2,383, up about 26.3 percent from 1,887 in 2024. By half-year, incidents rose sharply in the second half. The first half increased about 15 percent to 1,034 from 899 in 2024. The second half rose about 36.5 percent to 1,349 from 988 in 2024.

Ransomware infections this year were widely recognised by the public due to disruptions to daily life services such as online book retailers, but at 11.5 percent of total intrusion incidents, or 274 cases, their share was not high. Still, it rose from the previous year’s 10.3 percent, or 192 cases, indicating a shift from a declining trend to an upward trend.

The ministry analysed last year’s cyber intrusion incidents with experts from 12 domestic and global companies, classifying them with a focus on public life, supply-chain security and ransomware.

The analysis found that last year, intrusion incidents occurred in succession in sectors closely tied to daily life, including telecommunications, distribution and finance. Incidents including an SK Telecom USIM hack, a Yes24 ransomware hack, and cases involving KT and Lotte Card unsettled the public.

There were also many supply-chain attacks that abused open-source and low-cost IoT ecosystems. Open-source platforms trusted by software developers were exploited as major attack routes. Cases also occurred in which IoT devices infected with malware before being formally launched entered the market on a large scale.

Targets of ransomware attacks increased and company-to-customer linked attacks intensified. Hacker targets expanded beyond research, manufacturing and energy into education and healthcare. Hacking techniques also became more advanced through AI-based automation and linked attacks.

The ministry also worked with experts from 12 domestic and global companies to classify expected cyber threats in 2026 into four themes: AI, asset management, cloud and personal intrusions.

This year, cyber attacks using AI are expected to become more sophisticated and diversified. In particular, deepfake voice and video phishing is likely to expand into real-time voice calls and video conferences, raising the possibility of directly threatening trust-based communication systems.

Attacks that target AI service models themselves are also expected to gather pace. Attackers may inject malicious content into chatbots, automated analysis systems and security AI, or manipulate training data to induce unintended malfunctions or information exposure.

Also this year, attacks targeting legacy systems that have reached end of service are expected to increase sharply. The end of support for Windows 10 could also become a catalyst for spreading attacks aimed at gaps in security updates.

As the use of cloud services accelerates, visibility to identify the location of information assets and changes in their status has increased. But the complexity of management and control has also increased, and security threats to cloud environments are expected to rise.

The outlook says that in 2026 in particular, beyond simple configuration errors or abuse of privileges, AI-enabled detection of cloud security vulnerabilities and automated privilege theft are expected to advance. It also expects attacks that combine and link multiple vulnerabilities, rather than simply attacking individual flaws, to become reality in cloud-native environments.

Secondary cyber threats using leaked personal information are also a concern. Last year, large-scale personal data leak incidents occurred at SKT in April, KT in September and Coupang in November, among others. If leaked personal information is collected and combined through various routes, it could be used for more sophisticated attacks such as voice phishing and smishing. The ministry’s analysis said careful vigilance is needed against the risk of secondary harm.

Choi Woo-hyuk (최우혁), director-general for Information Security and Network Policy at the ministry, said attacks using AI are expected to become reality and cyber threats are likely to become more intelligent and advanced, including attacks exploiting vulnerabilities in cloud environments. He said the government will operate an AI-based prevention and response system and proactively manage security blind spots to create a cyber environment in which the public can feel safe.

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.