
While Australia is coming to terms with the realities of hybrid threats, South Korea has long been on the front line. Reflecting its formal state of war with North Korea, South Korea has endured decades of grey-zone provocations, including infiltration attempts, cyberattacks and disinformation campaigns.
However, the hybrid threat landscape confronting South Korea is evolving in both intensity and complexity—just as it is for the broader Indo-Pacific. For South Korea, it now extends beyond North Korea’s traditional campaigns to encompass state actors such as China, emerging technologies such as AI, and threats including intellectual property theft.

Hybrid threats targeting South Korea. Source: ASPI.
Drawing on open-source data from government statements, cybersecurity firm alerts, media coverage and think-tank reports, ASPI has documented 81 hybrid activities targeting South Korea from January 2016 to April 2025. This broadly aligns with the same period of ASPI database mapping for Australia and follows the same categorisation of threat types: economic coercion, narrative and information campaigns, foreign interference, cyberattacks, military and paramilitary coercion, as well as diplomatic coercion. Two additional types, territorial violations and infrastructure sabotage, were added because South Korea specifically experienced these types of attacks. We assessed the activities based on the nature of the threats rather than their scale or strategic effect. The dataset does not include covert or unreported activities.
Military and paramilitary coercion accounted for the largest share at 40 percent of recorded activity. Unsurprisingly, North Korea was the primary threat actor, having conducted regular missile tests, developed nuclear weapons and engaged in armed provocations near the border with South Korea.
In the observed period, North Korea launched various ballistic missiles, including some of the Pukguksong and Hwasong types, and debuted the Haeil underwater nuclear attack drone and Hwasal strategic cruise missiles with simulated nuclear warheads. A peak in such activities occurred in response to South Korea’s decision to deploy a US THAAD anti-missile system in 2016. That deployment also soured relations with China, which in the same year responded with unofficial sanctions, curbing tourism, restricting imports of cultural products and targeting South Korean businesses such as Lotte Group.
Cyberattacks were the second most frequent form of hybrid threat, accounting for 36 percent of all documented incidents. These operations involved both state and non-state actors. Most attacks were linked to North Korean groups such as Lazarus, Kimsuky, Andariel and Diamond Sleet. The attacks targeted South Korean defence contractors, aerospace firms and government agencies.
The prolonged breach of SK Telecom from 2022 to 2025 was particularly damaging and exposed vulnerabilities in South Korea’s critical infrastructure. Malware went undetected for nearly three years, compromising the data of over 27 million users. Investigations suggest Chinese state-sponsored actors may have been involved. Non-state groups such as RATicate also targeted the country’s industrial sector, reflecting the expanding diversity of threat actors.
Economic coercion made up around 15 percent of incidents, much of which involved theft of intellectual property and sensitive technologies. Targets included semiconductor design and classified defence projects such as the KF-21 Boramae fighter jet. These incidents underscore how hybrid threats increasingly blur the line between national security and industrial competitiveness.
Narrative and information operations, while less frequent (7 percent), aimed to exploit historical and social fault lines to disturb diplomatic relations. North Korean influence operations have incited anti-Japanese sentiment in South Korea by capitalising on public outrage over historical issues such as Japan’s wartime use of forced labour and comfort women, as well as Japan’s discharge of treated radioactive water from the Fukushima nuclear plant.
Territorial violations (5 percent) included border drone incursions, trash-filled balloons and gunfire across the Demilitarised Zone, further reinforcing North Korea’s coercive strategy.

Number of hybrid threat activities targeting South Korea, by threat category. Source: ASPI.
North Korea was responsible for 54 percent of documented hybrid threats. Its activities spanned all eight domains, with a particular focus on military and paramilitary coercion, cyberattacks, territorial violations and foreign interference. Cyberattacks attributed to malicious groups such as Lazarus served not only to disrupt or steal information but also to generate illicit revenue used to fund Pyongyang’s military and nuclear weapons programs. That North Korea is the dominant threat actor is not novel. It reflects longstanding historical and geographical tensions and North Korea’s concerns about South Korea’s deepening security cooperation with the United States and Japan.
What’s of particular note, however, is the extent and visible escalation of China’s hybrid activities (23 percent), focusing primarily on economic coercion and narrative and information campaigns but contributing equally to cyber incidents. China’s main objectives are to extract economic advantage, discourage alignment with Western powers and shape the regional balance of power without creating an open conflict. Economic security concerns are especially prevalent as technology leakage is persistently linked to China. For instance, a former semiconductor executive was detained for passing technology to China. This is pushing major South Korean companies such as Samsung to implement multi-layered defence systems.
Meanwhile, non-state actors were responsible for cyber incidents (6 percent), ideologically motivated violent extremism (4 percent) and intellectual property theft (9 percent). Although South Korea does not use the term ‘ideologically motivated violent extremism’, it has been used here for comparative purposes with Australia. Such cases included high-profile attacks on political figures such as the 2024 stabbing of opposition leader Lee Jae-myung and the 2022 hammer assault on Song Young-gil.

Actors linked to hybrid threat incidents targeting South Korea. Source: ASPI.
The diverse mix of hybrid threats is the key challenge for South Korea’s national security architecture. In response, Seoul has adopted a five-pronged strategy to address hybrid threats: military readiness, diplomacy, legislation, capability development and public awareness. This is a mature level of preparedness compared to other Indo-Pacific countries such as Australia.
Not all of Seoul’s responses to hybrid threats appear in the public domain. However, the application of these capabilities appears heavily focused on countering North Korea, raising questions about the extent to which South Korea is prepared to address hybrid threats from China as the second-most prevalent threat actor. At present, it seems that mature capabilities do not necessarily equate to mature execution across all threat actors.
Under President Lee Jae-myung, Seoul has signalled a more conciliatory approach towards China, marking a shift from the previous administration of Yoon Suk Yeol. This has occurred as China has eased sanctions imposed following the 2016 THAAD deployment, including an unofficial ban on K-pop and South Korean cultural exports.
Lee has not made explicit statements on hybrid threats. His emphasis on re-engaging with North Korea and improving ties with China could suggest a more conciliatory foreign policy stance, which may complicate any efforts to take a tougher line on hybrid threats.

On the military front, South Korea conducted joint military exercises with the US, and trilateral drills with the US and Japan, showcasing strategic assets such as B-1B and B-52H bombers in response to a North Korean nuclear test. Additionally, after North Korea’s first-ever test of an intercontinental ballistic missile, South Korea and the US carried out a strike missile drill as a show of deterrence. While such exercises are framed as defensive, the distinction between deterrence and coercion often depends on timing, context and perception. This highlights the blurred lines of military signalling.
Diplomatically, South Korea has issued formal warnings and public condemnations, and has enhanced cooperation with international partners to counter evolving cyber threats.
Seoul has made significant legal and regulatory improvements through amendments to the Act on Prevention of Divulgence and Protection of Industrial Technology and the Unfair Competition and Trade Secret Prevention Act to counter intellectual property theft. These legal instruments have been complemented by international sanctions enforcement under UN Security Council resolutions, such as Resolutions 2270 and 2321, including bans on North Korean mineral exports and restrictions on banking and shipping. In June 2023, the government also pursued legal action against North Korea, demanding 45 billion won in damages for the 2020 destruction of the inter-Korean liaison office.
Efforts to enhance capabilities have included the deployment of advanced cyber defence systems and upgrades to air and missile defences, such as the Korean Air and Missile Defence system and the L-SAM interceptor. These systems are critical to defending against increasingly sophisticated missile and cyber threats. Public awareness has also been prioritised through regular briefings by the Joint Chiefs of Staff, media campaigns and legal proceedings, such as the Suwon District Prosecutors’ Office’s 2022 indictment of seven individuals for stealing proprietary semiconductor technology from a Samsung subsidiary and selling it to a Chinese firm.

South Korea’s response to hybrid threat incidents. Source: ASPI.
Our data found that the South Korean government has demonstrated a high level of responsiveness across various hybrid threats, with public awareness emerging as the most consistently applied strategy. This reflects investment in public communication and digital literacy, and strong civil society partnerships focussed on building long-term societal resilience. Further, the 2023 revision of the Unfair Competition Prevention and Trade Secret Protection Act strengthened protections against technology leaks. The Yoon administration issued a National Security Strategy in 2023 and a National Cybersecurity Strategy in 2024, which sharpened the focus on military and cyber threats, although threat warnings mostly come from North Korea.
Despite these efforts, gaps remain. The election of President Lee Jae-myung in June may shift Seoul’s strategic focus, particularly because of his administration’s emphasis on investment in domestic AI capabilities. This could strengthen South Korea’s ability to respond to future hybrid threats, including in cooperation with the European Union and other regional partners through information- and experience-sharing focused on hybrid threat scenarios.
The country’s legal frameworks will need to evolve beyond their traditional focus on North Korea. For example, the 1948 National Security Act was enacted to address threats from North Korea; accordingly, it primarily targets ‘adversaries’ rather than foreign states more broadly. Laws addressing foreign interference and digital influence operations are also urgently needed, as the current legal framework for countering foreign influence operations is largely limited to election campaigns.
ASPI’s work mapping hybrid threats targeting South Korea and Australia shows that the challenge is common across the Indo-Pacific. This reiterates the benefits of deeper cooperation and more coordinated multilateral responses.
In 2024, South Korea and the European Union agreed to develop a security and defence partnership that includes a focus on hybrid threats. Australia committed to negotiating a similar security and defence partnership with the EU in June. Addressing hybrid threats in partnership, leveraging the experience of EU member states who have long confronted Russia’s malign intent, may well be the remedy needed to ensure no Indo-Pacific country is confronted by hybrid threats alone.