North Korean Hackers Breach Seoul National University Hospital

The Korean National Police Agency (KNPA) has issued a warning regarding a network breach at Seoul National University Hospital (SNUH), carried out by North Korean hackers.

The incident, which took place between May and June 2021, resulted in the theft of sensitive medical information and personal details.

Over the past two years, the police have conducted an analytical investigation to identify the perpetrators.

Attribution of the Attack to North Korean Hackers

The KNPA’s press release attributes the attack to North Korean hackers based on various factors. These include the observed intrusion techniques, independent linking of IP addresses to North Korean threat actors, analysis of website registration details, and the use of specific language and North Korean vocabulary.

While local media has associated the attack with the Kimsuky hacking group, the police report does not explicitly mention the specific threat group responsible.

Figure: Attack outline (source: police.go.kr)

Attack Outline and Data Exposure

The attackers used seven servers located in South Korea and other countries to breach the hospital’s internal network.

As a result, 831,000 individuals, primarily patients, had their data exposed. Additionally, 17,000 current and former hospital employees were affected by the breach.

Call for Enhanced Security Measures to Combat Infiltration Attempts

The KNPA’s press release emphasizes the potential for North Korean hackers to target information and communication networks across various industries. To counter such threats, the agency highlights the necessity of implementing enhanced security measures and procedures.

These measures include applying security patches promptly, managing system access efficiently, and encrypting sensitive data to protect against future cyber-attacks.

“We plan to actively respond to organized cyber-attacks backed by national governments by mobilizing all our security capabilities and to firmly protect South Korea’s cyber security by preventing additional damage through information sharing and collaboration with related agencies,” warned the KNPA.

North Korean Hackers and Hospital Intrusions: Maui and Andariel Connections

North Korean hackers have previously been associated with infiltrating hospital networks to steal sensitive data and extort ransom payments from healthcare organizations. Specifically, the U.S. government has warned the healthcare sector about the Maui ransomware threat posed by North Korean operations.

Following this warning, security researchers at Kaspersky identified a specific cluster of activity named ‘Andariel’ (also known as ‘Stonefly’), believed to be a sub-group of the Lazarus hacking group.

The Maui ransomware operation was linked to this sub-group. Lazarus has been targeting South Korean entities with ransomware since April 2021.

William Marshal

William has been one of the key contributors to 'The Cybersecurity Times', with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.
