Partners in the Cyber Trenches: EU-Republic of Korea Strategic Cybersecurity Cooperation

CSDS POLICY BRIEF • 29/2025

By Tae-Eun Song

13.11.2025

Key issues

• Europe and the Republic of Korea (ROK) face converging cyber threats from Russia, China and North Korea, whose collaboration poses a growing risk to European critical infrastructure.
• The European Union (EU)–ROK Security and Defence Partnership has laid a strong foundation for cybersecurity cooperation through joint exercises, intelligence sharing and coordinated threat attribution.
• Future cooperation should institutionalise this partnership via a Euro–Pacific Cyber Defence Exercise, a shared Cybersecurity Vision Statement and an Information Fusion Centre, leveraging the NATO + Indo-Pacific 4 (IP4) framework for broader Indo-Pacific collaboration.

Introduction

Recently, a series of cyberattacks targeting major telecommunications companies and critical infrastructure in many countries have repeatedly occurred, leading the affected nations to realise that their national security can be placed in an acute “crisis” state because even a single successful intrusion could cause catastrophic damage to command-and-control systems and critical data assets. While the global surge in cyber threats can be partly attributed to technological factors – such as the use of advanced attack techniques powered by artificial intelligence (AI) that influence cyberspace – more fundamentally, it is being dominantly driven by geopolitical dynamics. These include the intensifying rivalry between the United States (US) and China, the deepening confrontation centred around these two powers, and ongoing conflicts such as the prolonged Russia-Ukraine war and the wars involving Israel, Hamas and Iran, all of which have had a profound impact on the global cybersecurity ecosystem.

Many European countries and South Korea have advanced IT infrastructures and high levels of internet connectivity, which in turn increases their cyberattack surface. Additionally, as like-minded democratic allies or close partners of the US, many European countries and the ROK find themselves in similar political positions amid ongoing geopolitical tensions. Accordingly, the growing overlap among the countries targeting Europe and the ROK reflects the broader influence of strategic rivalry and geopolitical tensions between the liberal and the authoritarian blocs. Furthermore, since the Comprehensive Strategic Partnership Treaty between North Korea and Russia was signed in June 2024, the combined influence of North Korea’s cybercrime tactics with Russia’s destructive cyber capabilities, which include conducting cyberwarfare, is poised to create more aggressive cyber operations, amplifying both the scale and sophistication of their joint cyber operations. The target of such collectively offensive cyber operations will be directed toward Europe. This signifies that Europe and South Korea confront shared adversaries that they must fight together.

Since the outbreak of the Russia-Ukraine war, Russia’s cyberattacks on European telecommunications companies and critical infrastructure supporting Ukraine have been increasing, and China has also joined in these threats. In addition, North Korea – whose cyberattacks against the US have recently surged – has begun to view Europe as a new target, with attacks gradually on the rise. The Indo-Pacific region, where IP4 countries – Australia, Japan, New Zealand and South Korea – are located, experiences cyberattacks that are just as intense as in Europe, which has been affected by the Russia-Ukraine war. In other words, it is a region where Russia and China, major sources of cybercrime, North Korea with the highest amount of cryptocurrency theft globally, and countries with some of the world’s top cyber defence capabilities – the US, Australia and South Korea – are all present. Like Japan and Australia, South Korea has recently faced cyberattacks not only from North Korea but also from China and Russia.

In this context, this CSDS Policy Brief examines how Europe and South Korea can cooperate to address the rising cyber threats they are currently facing. It first reviews the cyber threats recently experienced by Europe and South Korea from Russia, China and North Korea, and considers the potential for North Korea’s cyber threats against Europe to increase further in the future. Finally, the policy brief concludes by proposing concrete cybersecurity cooperation agendas that Europe and South Korea could pursue going forward.

Countries targeting South Korea and North Korea’s evolving targets of cyber attacks

South Korea has experienced a significant surge in cyberattacks in recent years, particularly from North Korea. Between January and June 2025, the South Korean military recorded over 9,200 attempted intrusions – an increase of about 45% year‑on‑year. Most of these are believed to originate from North Korean state-linked actors, with widespread targeting of military websites, email systems and other defence-related networks.

China is also emerging as a more assertive cyber aggressor against South Korea, targeting government and infrastructure systems, and using advanced techniques such as AI-driven operations. Meanwhile, Russia-aligned hacking groups have stepped up activity against South Korea as well, particularly in connection with North Korea’s deeper military ties with Russia. These attacks remain less frequent than those attributed to North Korea, but are growing in prominence. North Korea has expanded significantly beyond its earlier focus on military and intelligence systems, shifting to more aggressive and diverse targets. Their operations now emphasise large-scale cryptocurrency thefts, infiltration of foreign IT workforces and espionage on critical infrastructure, including nuclear, aerospace, telecommunications and defence sectors.

According to the Microsoft Digital Defense Report 2023, from July 2022 through June 2023, the US was the country most targeted by North Korean hackers, accounting for 42% of all attacks conducted by the regime, while South Korea accounted for 16% and Europe and Central Asia together made up another 18%. This finding marks a striking shift, considering that until 2023, South Korea had been North Korea’s primary target for cyberattacks. It does not mean that North Korea’s cyber operations against South Korea have decreased – in fact, they have continued to grow – but what is significant is that since 2023, North Korea has been targeting the US almost three times more frequently than South Korea. The primary reason behind this shift is likely that the US’ digital financial market is both larger in scale and more attractive as a target for North Korea’s cryptocurrency theft operations.

Meanwhile, according to the report recently published by the Google Threat Intelligence Group (GTIG), heightened awareness, legal indictments and employment verification measures in the US have made it increasingly harder for North Korean IT workers, still primarily active in the US, to operate there, prompting a shift and expansion of their activities to other regions – especially Europe. North Korean IT workers are disguising themselves as remote freelancers from foreign countries to infiltrate European companies in Germany, the United Kingdom (UK) and Portugal. On 12 September 2024, the UK’s Office of Financial Sanctions Implementation issued an advisory on North Korean IT workers, urging the UK and European firms to conduct strict identity and employment checks, monitor red flags in remote hiring and ensure compliance to prevent inadvertently supporting DPRK-linked cyber or financial activity because their earnings are funnelled back to fund North Korea’s weapons programmes, violating sanctions.

Europe as a new playground for North Korea’s cyber attacks

On 1 October, the EU Agency for Cybersecurity (ENISA) published its Threat Landscape 2025 report, highlighting the main cyber threats facing Europe. While Russia (47%) and China (43%) remained the most active state-aligned cyber actors in terms of intrusions, the report notably ranked North Korea (36%) as the third most significant threat – above Iran – underscoring Pyongyang’s expanding cyber operations against the West.

According to ENISA, North Korea’s cyber activities fall into two main categories: financially motivated attacks, such as cryptocurrency heists and cyber espionage. In early 2025 alone, North Korean hackers stole more than US$2.17 billion worth of cryptocurrency from European companies, with Germany among the top targets. The second category, cyber espionage, involves operations by groups such as Lazarus and Chollima against defence, aerospace, media, energy and government sectors. These attacks likely aim to collect intelligence on Europe’s growing defence buildup and partnerships with South Korea, such as the Polish K2 tank deal. Pyongyang has also been observed using fake IT job applications to infiltrate European drone makers. It seems that North Korea either sought the information on drones to help its soldiers in Russia or to support its own development of drones.

It is highly probable that North Korea has deepened its collaboration with Russian hacker groups, and such a partnership allows North Korea to generate illicit revenue and potentially disrupt Europe’s defence infrastructure – especially if cyberattacks are synchronised with Russian military operations, as seen in Ukraine. ENISA concludes that North Korea’s cyber operations are now a central element of its geopolitical strategy and urges the EU and NATO to adopt a holistic approach to cyber resilience, industrial security and supply chain protection, treating North Korea not as a distant rogue actor but as a current threat to European security.

Past achievements in Europe-ROK cybersecurity cooperation 

The recent progress of security cooperation between the ROK and the EU is the Strategic Dialogue on Security Partnerships held in 2024. During the First EU-ROK Strategic Dialogue in November 2024, the two sides adopted the ROK-EU Security and Defence Partnership, a framework encompassing fifteen areas of collaboration. These include cybersecurity, countering hybrid threats, strategic communications and countering foreign information manipulation and interference (FIMI), the protection of critical infrastructure, space security and defence, human trafficking and transnational organised crime. Within this framework, cybersecurity has emerged as a cross-cutting and indispensable dimension, influencing nearly every other component of cooperation. The growing digital interdependence between Europe and South Korea underscores the strategic importance of aligning cyber policies and operational practices to address increasingly complex and state-sponsored cyber threats.

Even before this dialogue and adopted partnership, South Korea and EU member states have demonstrated notable progress in two principal areas of cybersecurity cooperation: joint cyber exercises and joint attribution of cyber threats. South Korea’s engagement in multilateral cyber exercises has been instrumental in enhancing operational interoperability. As the first Asian member of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), South Korea has participated in the Locked Shields Exercise since 2019. The ROK Cyber Operations Command has also taken part in the Netherlands-led CyberNet exercise since 2022, with the joint ROK-Netherlands team securing first place for three consecutive years, from 2022 to 2024. Additionally, in November 2023, the ROK Cyber Operations Command began participating in NATO’s Cyber Coalition Exercise, hosted by Allied Command Transformation (ACT). Similarly, the UK-ROK Strategic Cyber Partnership, signed in November 2023, deepened bilateral collaboration. In 2024, South Korea joined the UK-led Defence Cyber Marvel 3 (DCM3) exercise, where the joint UK-ROK team won first place. The following year, DCM4 was hosted for the first time outside of Europe – in South Korea – and once again, the UK-ROK team emerged victorious.

These achievements reflect a growing operational synergy and capability alignment between South Korea, the Netherlands and the UK within the cyber domain. In April 2023, eleven South Korean institutions – including the National Intelligence Service, Cyber Operations Command and several energy and financial organisations – participated in Locked Shields with over sixty personnel. The expansion of this engagement reportedly drew discontent from China, indicating the geopolitical sensitivity surrounding ROK-EU cyber cooperation.

In the area of strategic communication and public attribution of cyber threats, South Korea has increasingly coordinated with its European counterparts and other like-minded partners. Key examples include:

– 23 November 2023: a joint ROK-UK cybersecurity advisory on North Korean supply chain intrusions;

– 23 February 2024: a joint ROK-Germany advisory on DPRK cyber espionage; and,

– 26 July 2024: a joint ROK-UK-US advisory addressing DPRK espionage targeting the military and medical sectors.

Additionally, in 2024, South Korea collaborated with the Five Eyes alliance, Japan and Singapore to issue joint guidance on “Living off the Land” tactics, which exploit and bypass security and detection through stealthy cyber threats. Such initiatives have enhanced the visibility and credibility of South Korea’s cyber diplomacy, while aligning its strategic messaging with Western partners on shared cyber threat assessments.

Recommendations for deeper ROK-Europe cybersecurity cooperation

Building upon these developments, several policy initiatives can further consolidate the cybersecurity partnership between the EU and South Korea: 1) expanding joint cyber exercises; 2) issuing a joint Vision Statement and Information Fusion Centre; and 3) leveraging the NATO + IP4 Framework for Europe-ROK cybersecurity cooperation.

First, as like-minded democratic societies, both parties could consider developing a flagship “Euro–Pacific Cyber Defence Exercise” involving regular participation from both public and private sectors. This initiative could be complemented by tabletop exercises (TTX) that address strategic communication systems, crisis management mechanisms for hybrid threats, FIMI and disinformation countermeasures and even cyber aspects of space operations. Many of these themes are already embedded within the fifteen cooperation areas defined under the 2024 ROK-EU Security and Defence Partnership.

Second, to institutionalise and sustain cooperation, the EU and South Korea could issue a Euro-Pacific Cybersecurity Vision Statement and establish a Euro-Pacific Information Fusion Centre. Such a centre would enable more active sharing of cyber threat intelligence, strengthen early-warning mechanisms and facilitate rapid, coordinated responses to transnational cyber incidents.

Third, both sides should also explore ways to utilise the NATO + IP4 format to enhance synergies among Indo-Pacific partners and reinforce a rules-based international cyber order. Joint cybersecurity capacity-building projects – such as cyber official development assistance (ODA) programs for ASEAN member states – could serve as a practical avenue to extend cooperation beyond the transatlantic and Indo-Pacific regions.

Conclusion

From an institutional standpoint, there are no significant cultural or structural impediments to deepening cybersecurity cooperation between South Korea and the European countries. The principal challenges instead stem from Seoul’s diplomatic caution in navigating relations with major regional powers. While South Korea currently lacks a comprehensive national cybersecurity law and continues to face a shortage of skilled cyber professionals, these constraints cannot justify a passive approach. In this context, practical and operational collaboration should be prioritised over symbolic measures of public “naming and shaming” for malicious cyber actors. Indeed, South Korea’s cybersecurity and intelligence agencies have displayed a proactive operational posture, and thus, future cooperation with Europe would be most effectively advanced through direct collaboration among military and intelligence communities from Europe and South Korea.

Cybersecurity now stands as the connective tissue of the ROK-EU Security and Defence Partnership, binding diverse areas of cooperation under a shared strategic imperative. As cyber threats grow in sophistication and geopolitical entanglement, South Korea and Europe have both the capacity and the political rationale to pursue a more institutionalised, operationally grounded and forward-looking cybersecurity alliance. Strengthened joint exercises, enhanced information-sharing frameworks and coordinated capacity-building efforts will serve as essential pillars of this evolving Euro-Pacific cyber partnership.

__________