South Korean giant Kyowon confirms data theft in ransomware attack

The Kyowon Group (Kyowon), a South Korean conglomerate, disclosed that a cyberattack has disrupted its operations and customer information may have been exposed in the incident.
The company published a statement earlier this week saying that it recently learned that its systems had been targeted in a suspected ransomware attack.
In a subsequent update today, Kyowon confirmed the ransomware incident, disclosing that it occurred on January, around 10 a.m., and that the attacker exfiltrated customer data.
Kyowon is a well-established South Korean conglomerate specializing in education and publishing, digital learning tools, hospitality, and various consumer services.
According to Korean media, there are over 9.6 million accounts registered with the company, corresponding to about 5.5 million people, who may have had their information exposed to hackers.
The same outlets report that the ransomware attack has impacted roughly 600 out of Kyowon’s 800 servers.
The cyber-incident at Kyowon became apparent due to service outages earlier this week, with the company announcing an immediate response, notifying Korea’s Internet & Security Agency (KISA), and promising to inform customers if a data leak is confirmed.
The latest announcement published on the Kyowon website earlier today confirms that some data was stolen during the attack, but there is no confirmation that customer information has been impacted.
“The KyoWon Group has confirmed the existence of an external data leak and is conducting a detailed investigation in cooperation with relevant authorities and security experts to determine whether customer information was actually included. If the leak is confirmed, the company plans to provide transparent information,” the company says in the latest update.
At the same time, the company is working to restore its online services, a process that is reportedly in its final stages.
As of this writing, no major ransomware groups have claimed the attack at Kyowon. BleepingComputer has contacted the firm to ask for more info about the attack, but we have not received a response by publication time.
The Kyowon breach is the latest in a series of large-scale cyberattacks impacting South Korean companies, some of which exposed the sensitive data of large swaths of the country’s population.
In December 2025, retail giant Coupang suffered a data breach that impacted 33.7 million customers, while Korean Air, the country’s flag carrier, also disclosed a cybersecurity incident exposing its staff.
In May 2025, SK Telecom disclosed a malware breach dating back to 2022, which exposed the USIM data of 27 million subscribers.
Around the same time, Dior’s Korean shop disclosed a security incident that exposed customer order information to hackers.
After each campaign, NoName057(16) actors focus on visibility and reinforcement. Operators publish screenshots, outage confirmations, and performance statistics across social platforms to keep supporters informed about the outcome of each attack. An internal leaderboard and reward system is available to keep participants engaged. The group then reviews the effectiveness of the operation, adjusts infrastructure or tooling as needed, and begins preparing the next campaign — creating a continuous cycle of selection, execution, and refinement.
The DDoSia attack tool itself has steadily evolved over the years. The first version was more of a proof of concept and worked only on Windows systems. It had limited functionality, relied on simple, easily blocked traffic-flooding techniques, and had virtually no defense evasion capabilities. Over time, NoName057(16) has kept evolving the tool and transformed it into a relatively sophisticated, modular and multiplatform weapon capable of running on Linux, ARM-based devices, Windows, and Android. The tool now incorporates multiple attack methods and more resilient, encrypted C2 mechanisms. Detection avoidance capabilities on recent DDoSia versions include traffic randomization and the use of realistic client signatures to confuse security tools in hopes they’ll ignore it.
“One of the most important aspects of DDoSia is undoubtedly its ability to execute different attacks depending on the capabilities of the node and the target. This allows it to adapt and remain efficient depending on the campaign and the device launching the offensive,” SOCRadar said in its report. The tool is designed in a way that participants with little technical knowledge can use it to easily generate DDoS traffic against targets, Jornet adds.










