Two separate fires in one week at data centers in Daejeon, South Korea, triggered a nationwide disruption of public services in late September and early October 2025. With 647 government systems simultaneously unavailable—including e-government, tax, and postal platforms—officials described the incident as a “digital paralysis,” underscoring structural weaknesses in architecture, backups, and operational risk controls.
Timeline and impact: Daejeon fires and nationwide outage
On 26 September, a major fire erupted at the National Information Resources Service (NIRS) facility in Daejeon and burned for over 22 hours. According to reports by CNN and The Korea Herald, the ignition point was lithium‑ion batteries used in UPS systems that were being moved to the basement. The response mobilized 170 firefighters and 63 vehicles.
NIRS underpins South Korea’s e-government, consolidating IT infrastructure for central and local agencies. The blaze caused 96 critical systems to fail and prompted a preventive shutdown of 551 additional services. With more than a third of approximately 1,600 government systems hosted at NIRS, the shock was systemic.
G‑Drive collapse: backup strategy and co-location failure
The most visible breakdown hit the government’s G‑Drive—an enterprise-style document platform mandated since 2018 for 750,000 public servants (roughly 30 GB per user). A critical architectural flaw—lack of geographically isolated backups—meant that primary data and backups were co-located and destroyed together. The Korea Herald reported a potential data loss of up to 858 TB. The Ministry of Personnel Management was among the hardest-hit, attempting restoration from endpoint copies, email, and paper archives.
On 3 October, a second fire broke out at the Lotte Innovate data center in the same city. DataCenter Dynamics noted it was extinguished in under an hour by 21 fire engines and 62 responders; preliminary indications again point to a battery-related ignition. The back-to-back incidents revived warnings issued after a nationwide outage in November 2023 to adopt twin-server (active‑active) designs with real-time mirroring. A 2024 review had already flagged hardware refresh delays and elevated failure rates.
Recovery and investigation: slow service restoration, legal scrutiny
By 3 October, only 115 of 647 affected systems were back online—about 18%—casting doubt on earlier two-week restoration targets. Police searched NIRS headquarters and UPS suppliers, and detained four individuals on suspicion of professional negligence. Authorities are also investigating the death of a 56-year-old senior official involved in recovery coordination; officials indicated the death was not connected to the fire’s root-cause inquiry.
Cyber dimensions: theories versus confirmed facts
Industry discussion referenced a June 2025 Phrack article, “APT Down: The North Korea Files,” by Saber and cyb0rg, alleging compromise of a Kimsuky (APT43/Thallium) actor and access to South Korean government networks, including Onnara, as well as stolen GPKI certificates and attack logs. The authors claim notices were sent to authorities starting 16 June 2025. These claims fueled speculation that the fires could relate to evidence destruction, including mention of battery suppliers. There is no official confirmation of any such linkage. Current government statements emphasize technical failure and negligence as primary lines of inquiry.
Expert analysis: resilience lessons for government and critical infrastructure
The crisis highlights the cost of architectural debt. Organizations should enforce a 3‑2‑1 or 3‑2‑1‑1‑0 backup strategy: keep three copies on two media types, with at least one offsite and offline/immutable, and regularly verify restores to ensure zero recovery errors. Define realistic RPO/RTO targets and continuously test them.
Adopt active‑active or active‑passive multi-site architectures with synchronous/asynchronous replication, eliminating single points of failure. Maintain documented DR runbooks and perform routine failover exercises and tabletop drills that include cyber and facilities failures.
Given the role of lithium‑ion systems in data centers, segregate battery rooms, UPS, and storage zones; deploy early off‑gas detection, thermal monitoring, and suppression systems engineered for battery hazards. Align with recognized guidance such as NFPA 855 and test hazard mitigation using methodologies like UL 9540A.
Strengthen PKI hygiene: maintain a live certificate inventory, enforce key rotation, secure CAs with hardware security modules, and ensure rapid CRL/OCSP updates and certificate revocation. Enhance monitoring via SOC with endpoint telemetry, identity analytics, and network segmentation following Zero Trust principles. Validate supplier risk, especially for power and facilities systems, through contractual SLAs and audits.
This event is a call to action. Conduct an out‑of‑cycle business continuity and disaster recovery audit, measure actual restore times from offsite backups, and rehearse failure scenarios spanning both cyber incidents and engineering outages. Investing in resilient, no‑single‑failure architectures is far less costly than the price of “digital paralysis.”
