The US–ROK alliance stands at a critical juncture. Recent developments—ranging from contentious US–China trade tariff negotiations to the Immigration and Customs Enforcement (ICE) arrest of South Korean workers in Georgia—have led both publics and policymakers to reconsider what it truly means to be allies bound by blood (혈맹). While high-profile events dominate headlines, the durability of the alliance depends as much on the less visible details. These details, though often overlooked, form the building blocks of a resilient partnership. For the alliance to withstand the pressures of shifting geopolitics, it must evolve continuously, reinforcing itself one element at a time.
Cybersecurity represents one of these crucial, if frequently underappreciated, elements. For more than a decade, North Korean operators have exploited a uniquely Korean attack surface: the Hangul Word Processor (HWP) document format developed by Hancom. To observers outside South Korea, a file format may appear an unlikely source of strategic concern. Yet within South Korea, HWP remains the de facto standard across ministries, the military, critical industries, and academia. That deep reliance has made HWP a durable attack vector, one whose implications extend beyond South Korea's domestic security to the interoperability and trust at the core of the US–ROK alliance.
Furthermore, from a US perspective, HWP vulnerabilities highlight a potential weak link in broader regional defense planning. The effectiveness of US Forces Korea (USFK) is a critical factor not only in the defense of the ROK but also in the overall US posture for deterring aggression against Taiwan. If South Korean networks were compromised through persistent exploitation of HWP, the operational readiness of USFK could be degraded, thereby constraining Washington’s flexibility in a Taiwan crisis. In this sense, what appears to be a local software issue carries implications for alliance credibility and Indo-Pacific deterrence writ large.
This article argues that alliance resilience now depends on “format hardening” as much as force posture: Seoul and Washington must treat HWP not as a technical nuisance but as an operational vulnerability. Strengthening that single link—through safer defaults, faster patching, and shared document-security standards—would send a powerful signal that the US–ROK alliance can modernize from the byte level up.
Why HWP Matters in Korea—and to its Adversaries
While Microsoft Word and Adobe PDF file formats dominate elsewhere, HWP is ubiquitous in South Korea. It is used across government, critical industries, and academia—including ministries, the National Assembly, the military, telecommunications and finance sectors, and even defense contractors. This reliance creates a “target-rich environment”: adversaries can be confident that a malicious HWP attachment will almost certainly be opened by its intended recipient. That certainty makes the format an attractive tool for North Korean operators seeking access not only to domestic institutions but also to joint projects and alliance-linked supply chains.
The Exploit Record: A Timeline of Persistent Abuse
North Korean campaigns have exploited HWP repeatedly since at least 2013, often timed to moments of heightened political or military activity, underscoring how a technical vulnerability can be weaponized to shape the broader strategic environment. They include:
2013–2014
- Malicious HWP files delivered via spearphishing to South Korean think tanks and defense researchers, often lured with documents on reunification or security policy. The embedded PostScript/EPS tradecraft seen in these early campaigns is the same that later delivered the ROKRAT backdoor, with technical analysis from Trend Micro.
2015
- CVE-2015-6585: a type confusion bug in hwpapp.dll/HWPX uncovered by FireEye, enabling reliable remote code execution. Exploited in targeted attacks against South Korean public-sector users.
2017–2019
- Multiple parsing flaws in Hancom Office/HWord disclosed by Cisco Talos, enabling crafted documents to execute arbitrary code. See the broader Talos index for related cases.
2020–2022
- CVE-2020-7882 (path traversal affecting Hancom components).
- CVE-2022-33896 (buffer underflow in HWord XML parsing), also tracked by Cisco Talos. Both were exploited in campaigns attributed to DPRK clusters including APT37 and Kimsuky.
2023–2025
- Ongoing phishing activity has used Korean-language lures, including campaigns documented by Securonix (DEEP#DRIVE, DEEP#GOSU).
- North Korean group APT37/ScarCruft continues to deploy ROKRAT and related implants, as shown in Seqrite’s “Operation HanKook Phantom” and summarized in The Hacker News.
The Adversary Set: Who Exploits HWP
North Korea’s offensive cyber apparatus is not monolithic; it is a constellation of specialized clusters that often share tooling, infrastructure, or even developers. Despite internal rivalries and evolving command structures, these groups converge on one consistent tactic: leveraging HWP as a near-guaranteed entry point into South Korean networks. The actors below represent the principal hands behind those campaigns, each illustrating a slightly different slice of Pyongyang’s broader intelligence ecosystem.
- APT37/ScarCruft: Known for sophisticated zero-day use, long focused on South Korean defense, aerospace, and policy organizations. MITRE ATT&CK Group G0067 provides a comprehensive profile of its techniques and targets.
- Kimsuky: A prolific DPRK espionage cluster that targets journalists, academics, and policy institutes, frequently using Korean-language HWP lures. Documented comprehensively in MITRE ATT&CK Group G0094, and in joint government alerts (2023 CSA; 2024 CSA).
- Other DPRK Operators: Variants of ROKRAT and other custom implants have surfaced repeatedly across operations. For instance, the “Hangman” backdoor was linked to exploitation of CVE-2015-6585, illustrating how older vulnerabilities remain in rotation years after disclosure, for as long as unpatched installations persist.
All of these threat actors exploit the same principle: weaponize a trusted, locally entrenched format to gain initial access and establish footholds.
Why This Matters to the US–ROK Alliance
The risks posed by HWP vulnerabilities extend beyond Seoul’s domestic cyber posture. They reverberate across the alliance in three key ways:
- Interoperability Risk: During combined exercises and joint planning, US and ROK personnel exchange documents routinely. If one side’s standard formats are exploitable, document sharing itself becomes a potential infection channel. An unpatched HWP parser vulnerability could, in theory, allow North Korean operators to pivot into alliance environments.
- Defense Industrial Base Exposure: Korean defense contractors rely heavily on HWP for documentation and reporting. Infected files exchanged within joint development or procurement programs risk introducing backdoors into US supply chains and defense primes.
- Operational Trust: Alliances depend on confidence. Persistent exploitation of HWP undermines trust in South Korea’s ability to secure sensitive exchanges—an especially acute concern as joint cyber operations become central to deterrence strategy. The risks are not confined to the peninsula. Because USFK is a core component of US contingency planning in the Indo-Pacific, compromises in HWP-dependent networks could reduce Washington’s flexibility in responding to crises beyond Korea, including Taiwan. As US agencies have warned in multiple joint CSAs, DPRK social-engineering campaigns directly target the communities supporting combined operations.
Beyond Patching: What “Good” Looks Like
A patching-only approach cannot address vulnerabilities tied to a widely used file format, because the window between a fix and its deployment across thousands of endpoints is exactly what the attacker exploits. A layered strategy is required, combining technical safeguards, procedural reforms, and alliance-level standards. Measures to consider include:
- Format Hardening: Hancom should be pressed to disable or sandbox risky features by default, especially embedded PostScript/EPS, which cannot be rendered without running a full PostScript interpreter on attacker-supplied input. Removing that path narrows the parser’s attack surface more than any single patch.
- Content Disarm & Reconstruction (CDR): Gateways should sanitize inbound HWP/HWPX files automatically, stripping embedded objects and active content or converting the document into a vetted format such as PDF/A or OOXML. The output must itself be free of macros, OLE objects, and embedded PostScript; converting a booby-trapped HWP into a Word file that still carries the embedded object moves the problem rather than removing it.
- Conversion-Before-Open Workflows: Institutions should adopt “convert-before-open” policies, with audit logs for all conversions to support forensic review.
- Patch Service Level Agreements (SLAs): Government bodies should commit to measurable timelines: for example, critical Hancom patches deployed within 72 hours. Regular vulnerability scans and centralized dashboards can enforce accountability.
- Alliance Standards: US and ROK cyber authorities should issue joint guidance mandating EPS blocking, CDR deployment, and conversion workflows in cross-domain or exercise environments. Shared watchlists of DPRK tactics, techniques, and procedures (TTPs) should be distributed across ministries, CERTs, and contractors.
While none of these measures are yet codified in law, elements are already surfacing in pilot programs at the Korea Internet and Security Agency and in select defense networks. At a minimum, ministries could immediately deploy CDR at email gateways and adopt 72-hour patch SLAs for Hancom updates, two steps that demand minimal infrastructure change but sharply reduce first-click risk. The vendor-side and alliance-level measures above, default EPS blocking by Hancom and aligned watchlists and document-handling standards across ministries and contractors, take longer and should be pursued in parallel.
Best Practices in Handling. Procedural habits matter as much as code. Ministries should require staff to convert unknown attachments to Portable Document Format Archival (PDF/A) before opening, verify the sender domain, and avoid circulating raw HWP files externally. Together, these behavioral and technical safeguards form the first line of defense against the next wave of document-based intrusions.
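The gateway-side logic described above (EPS blocking, CDR at the gateway, convert-before-open with an audit trail) as an added Python example; this is not code from the original article, from Hancom, or from KISA. It triages an HWPX container (the ZIP/XML successor to the binary HWP 5.x format) for embedded PostScript/EPS and OLE objects by content signature rather than file name, rewrites the container without those parts, and emits the audit record a convert-before-open policy needs. The container layout (attachments under a BinData/ folder, an application/hwp+zip mimetype) and the sample document are assumptions constructed for the demo, not a real HWPX file.

```python
"""Gateway triage and content disarm for HWPX containers.

Added example, not Hancom or KISA code. Assumes HWPX is a ZIP whose
attachments live under BinData/; the sample document below is constructed.
"""
import hashlib
import io
import json
import zipfile
from datetime import datetime, timezone
from typing import List, Optional, Tuple

BINARY_PREFIX = "BinData/"          # assumed location of embedded binaries
MAX_BINARY = 20 * 1024 * 1024       # refuse single parts above 20 MiB (decompression bombs)

# Content signatures meaning "a parser other than the XML reader will run on this".
SIGNATURES = {
    "postscript": (b"%!PS",),                              # ASCII EPS / PostScript
    "eps_binary": (b"\xc5\xd0\xd3\xc6",),                  # DOS EPS binary header
    "ole_object": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE compound file
}
# Raster images are the only binaries this policy lets through.
ALLOWED_IMAGE = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF8", b"BM")


def classify(payload: bytes) -> Optional[str]:
    """Return the signature label for a binary part, or None if it matches none."""
    head = payload[:64]
    ascii_head = head.lstrip(b" \t\r\n")      # PostScript interpreters tolerate leading whitespace
    for label, magics in SIGNATURES.items():
        if any(head.startswith(m) or ascii_head.startswith(m) for m in magics):
            return label
    return None


def triage_hwpx(blob: bytes) -> List[dict]:
    """List every part a gateway should refuse, with the reason."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.startswith("/") or ".." in name.split("/"):
                findings.append({"entry": name, "reason": "path_traversal"})
                continue
            if not name.startswith(BINARY_PREFIX):
                continue                        # XML parts are out of scope for this check
            if info.file_size > MAX_BINARY:
                findings.append({"entry": name, "reason": "oversized"})
                continue
            payload = zf.read(name)
            reason = classify(payload)
            if reason is None and not payload.startswith(ALLOWED_IMAGE):
                reason = "unknown_binary"
            if reason:
                findings.append({"entry": name, "reason": reason})
    return findings


def disarm_hwpx(blob: bytes) -> Tuple[bytes, dict]:
    """Rewrite the container without the flagged parts and return an audit record."""
    findings = triage_hwpx(blob)
    dropped = {f["entry"] for f in findings}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in dropped:
                continue
            fresh = zipfile.ZipInfo(info.filename, date_time=info.date_time)
            fresh.compress_type = info.compress_type   # keeps mimetype stored, not deflated
            dst.writestr(fresh, src.read(info.filename))
    clean = out.getvalue()
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "sha256_in": hashlib.sha256(blob).hexdigest(),
        "sha256_out": hashlib.sha256(clean).hexdigest(),
        "dropped": len(dropped),
        "findings": findings,
    }
    return clean, record


def list_entries(blob: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def build_sample() -> bytes:
    """Constructed HWPX-like container for the demo; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"), "application/hwp+zip")   # stored, ODF-style
        zf.writestr("Contents/content.hpf", "<opf:package/>")
        zf.writestr("Contents/section0.xml", "<hs:sec><hp:p>exercise plan</hp:p></hs:sec>")
        zf.writestr("BinData/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        # EPS renamed to look like an image: the name lies, the bytes do not
        zf.writestr("BinData/image2.png", b"%!PS-Adobe-3.0 EPSF-3.0\n/x 1 def\n")
        zf.writestr("BinData/object1.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for f in triage_hwpx(sample):
        print("REFUSE", f)
    clean, audit = disarm_hwpx(sample)
    print(json.dumps(audit, indent=2))      # one JSON line per file is the forensic log
    print("kept:", list_entries(clean))
```

Two design points carry over to production gateways. First, the decision is made on bytes, never on the extension: the renamed EPS in the sample is caught exactly like an honestly named one. Second, the audit record ties the input hash to the output hash, so an analyst reviewing an incident can prove which version of a document a user actually opened. The binary HWP 5.x format needs a different front end (it is an OLE compound file whose BinData streams are zlib-compressed), but once the embedded objects are extracted and inflated the same classification and drop logic applies.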
Alliance Mitigation Checklist
The following sample checklist illustrates how ROK ministries and alliance programs could operationalize these recommendations. Each line item represents an actionable control that can be implemented with existing technology—no new platform required.
For Republic of Korea Ministries and US-ROK Alliance Programs
1. Format Hardening
- Disable or sandbox embedded PostScript/EPS features in Hancom Office.
- Block EPS objects at gateways and require exception approvals.
2. Content Disarm and Reconstruction (CDR)
- Deploy CDR at email gateways and cross-domain guards.
- Strip macros and embedded objects from all HWP/HWPX files.
- Enforce “convert-before-open” policies with automatic logging for forensics.
3. Interoperability Standards
- Standardize on PDF/A or Office Open XML (OOXML) formats for alliance exchanges.
- Issue joint guidance for exercises and joint programs.
4. Patch Discipline
- Apply critical Hancom patches within 72 hours.
- Conduct weekly patch-compliance scans and report adoption via centralized dashboards.
5. Alliance Coordination
- Synchronize Democratic People’s Republic of Korea (DPRK) Tactics, Techniques, and Procedures (TTPs) watchlists across Computer Emergency Response Teams (CERTs).
- Conduct shared compliance audits and red-team drills.
Policy Implications: From Cybersecurity to Alliance Architecture
South Korea’s reliance on a domestically favored but globally obscure file format has created a persistent cyber vulnerability with direct implications for alliance architecture. HWP is not just software; it is an attack surface woven into the daily functioning of ROK ministries, contractors, and joint programs.
Yet the liability is reversible. If Seoul pushes Hancom toward aggressive hardening, deploys CDR by default across ministries, and enforces measurable patch compliance, it can turn this weakness into a model of resilience. Joint US–ROK standards for document handling would reinforce not only local defenses but also alliance trust.
The lesson, however, is broader: cybersecurity vulnerabilities rarely remain local. They ripple across alliances, supply chains, and operational confidence. Failure to address these vulnerabilities risks undermining not only South Korea’s defenses but also the credibility of US extended deterrence in Northeast Asia, where perceptions of readiness directly influence adversary calculations. Addressing the .HWP problem directly offers Seoul an opportunity not just to safeguard its own networks, but to reinforce its role as a high-trust partner within the US alliance architecture—and, by extension, to strengthen the credibility of the US posture in the wider Indo-Pacific.