The Seoul National University Hospital (SNUH), one of the nation's major hospitals, had its network compromised by North Korean hackers who stole private information and critical medical data, the Korean National Police Agency (KNPA) said. The intrusion took place between May and June 2021, and the police have spent the last two years investigating to identify the culprits.
The law enforcement agency's press statement cited the following details as evidence that North Korean hackers were responsible for the attack:
- the hacking methods seen in the attacks,
- registration information for the website used in the attack,
- the IP addresses, which have independently been linked to North Korean threat actors,
- the use of dialects and words unique to North Korea.
Although the police report does not explicitly name the specific threat organization, local South Korean media have connected the incident to the Kimsuky hacking group. The attackers used seven servers in South Korea and other countries to launch the attack on the hospital's internal network.
According to the authorities, the data of 831,000 people was exposed as a result of the breach, the majority of them patients. About 17,000 of those affected were current and former hospital staff. The KNPA press release warned that North Korean hackers may attempt to break into the information and communication networks of organizations in various industries. It underlined the need for more robust security protocols and processes, such as monitoring system access, deploying security updates, and encrypting critical data.
“We plan to actively respond to organized cyber-attacks backed by national governments by mobilizing all our security capabilities and to firmly protect South Korea’s cyber security by preventing additional damage through information sharing and collaboration with related agencies,” warned the KNPA.
Earlier hospital network intrusions that sought to steal confidential information and extort a ransom from healthcare institutions have also been attributed to North Korean hackers. More specifically, the U.S. government has called attention to the threat posed by the Maui ransomware, urging the healthcare industry to strengthen its defenses against this North Korean campaign.
Security researchers at Kaspersky quickly connected the Maui ransomware operation to a specific cluster of activity known as "Andariel" (also known as "Stonefly"), which is thought to be a sub-group of Lazarus. Lazarus has a history of attacking South Korean organizations with ransomware going back to April 2021.