How AI Discovered 7 Security Flaws in Minutes: A Game Changer for Cybersecurity in 2026

An Se-jun | 2026.05.09

[iNews24 Reporter Ahn Se-jun] A task that would have taken a skilled hacker days to complete by hand was done by AI in roughly 10 minutes, uncovering seven security vulnerabilities in a specific company's service.

On May 8, Choi Woo-hyeok, director of the Information Protection and Network Policy Office at the Ministry of Science and ICT, told a background briefing that a simulated penetration test of a company’s service using Anthropic’s generative AI model, Claude Opus 4.7, produced those results.

Choi Woo-hyeok, director of the Network Policy Office at the Ministry of Science and ICT, held a background briefing on May 8 immediately after an industry-academia-research expert meeting on cybersecurity project response measures and explained the meeting and the demonstration. [Photo = Ahn Se-jun]

The ministry held the briefing immediately after a closed-door industry-academia-research expert meeting to discuss cybersecurity project response measures. At that meeting, officials heard from industry and outside experts and carried out a penetration demonstration. The government had not planned to release the meeting’s content, but Deputy Prime Minister Baek Gyeong-hoon ordered an unscheduled briefing, saying the public needed a detailed explanation.

Choi said officials compared the results obtained when an operator with hacker-level skills used the AI with those obtained when an ordinary staffer did. Performance varied sharply with prompting ability, he said, and the exercise confirmed that AI could allow attackers to move far faster than manual intrusion methods.

The government plans to roll out medium- to long-term measures at the end of this month or in early June to address the growing threat of AI-enabled cyberattacks. Options under discussion include a patching framework to handle large-scale vulnerability discovery, security-focused AI models, and use of a domestic proprietary foundation model (abbreviated "dokpamo"), independent of whether Anthropic joins Project Glasswing.

Choi said many participants argued that high-performance AI systems such as Mitos could bring major changes to cybersecurity, while others cautioned the technology may be overhyped. Still, there was broad agreement that the rising risk of AI-powered attacks makes it difficult to respond using existing paradigms alone.

Below is a Q&A with Director Choi Woo-hyeok.

- What specifically did the demonstration of attacking a real service with AI involve?

We didn’t target vulnerabilities in a particular commercial solution. Instead, we demonstrated finding and exploiting vulnerabilities in a live service operated by a company. Typical examples included authentication bypasses on a website. Using those weaknesses, the AI was able to obtain an account and then execute the sequence of steps to log into the site with that account.

- Did the AI actually generate a new password and break in without knowing the existing one? Any other vulnerability findings?

Yes. We conducted the assessment with the company’s consent, and the process was verified in practice. In total, about seven vulnerabilities were discovered.

- Will you participate in Project Glasswing, the cybersecurity consortium led by Anthropic? Do you intend to join OpenAI’s security council, TAC?

We are continuing consultations with Anthropic about participating in Project Glasswing. We have confirmed that there is domestic participation in TAC, but the specific companies, institutions and numbers need to be verified with the parties involved. Whether the government will participate also requires additional confirmation.

The Ministry of Science and ICT is prepared to participate in any project that can raise information-protection standards in the private sector. The government is separately reviewing countermeasures. The plan to be released at the end of May or in early June may include related measures.

- Is Project Glasswing structured so domestic companies join individually, or through government channels?

Based on publicly available information, Glasswing includes 52 companies and institutions. The group counts organizations such as the UK AI Safety Institute (AISI) and the Linux Foundation among its members, as well as private firms. The Korean government is engaging through the AI Safety Institute and KISA; individual actions by domestic companies are separate.

- Could a security-specialized model or a domestic proprietary foundation model be a realistic alternative?

Companies developing domestic foundation models attended today’s meeting. There was consensus on the need to leverage domestic, independent AI systems from a security-sovereignty perspective. However, it’s still hard to assess how far and how quickly that can be achieved. We are at the stage of agreeing on the necessity of security-focused models.

- Will this involve whole-of-government cooperation with agencies like the National Intelligence Service or the National Security Office?

The National Security Office is providing partial leadership within a civil-military-public framework, so this can be viewed as a whole-of-government response. The Ministry of Science and ICT is responsible for private-sector measures. Regarding Anthropic’s Glasswing, we are engaging through the AI Safety Institute and KISA.