According to the Korean National Police Agency (KNPA), Seoul National University Hospital (SNUH) was hacked by North Korean actors who were after patients’ personal information and medical records.
The intrusion took place between May and June 2021, and the police have since been conducting a forensic investigation to identify the offenders. The following evidence led law enforcement to conclude that hackers from North Korea were responsible for the attack:
the intrusion techniques identified in the attack; IP addresses independently linked to North Korean threat actors; website registration information; the language and vocabulary used by the attackers; and other indicators.
North Korean hackers stole the personal data of some 830,000 people from a major hospital in Seoul, according to police on Wednesday.
This marks one of the largest known cyberattacks on South Korean civilian infrastructure. https://t.co/364xrvoYM4
— NK NEWS (@nknewsorg) May 11, 2023
South Korean media have speculated that the Kimsuky hacking group was responsible for the incident. However, the police report makes no mention of any specific threat actor. The attack on the hospital’s internal network was launched from seven servers located in South Korea and abroad.
According to the authorities, 831,000 people had their information compromised in the incident; the vast majority of them were patients. A further 17,000 of the affected individuals are current or former employees of the hospital.
In its press release, the KNPA warned that North Korean hackers could target infrastructure across all sectors, and underlined the importance of security patching, user access management, and data encryption, among other measures.
The KNPA also stated that it would protect South Korea’s cyber security through information sharing and collaboration with related authorities, in order to thwart state-backed cyber-attacks and respond to them forcefully.
Attacks on hospital networks designed to steal patient information and extort ransom payments have previously been connected to North Korean hackers.
The United States has warned the healthcare industry to strengthen its defenses against North Korean state-sponsored ransomware activity, singling out the Maui ransomware as an example.
In the wake of that alert, Kaspersky researchers identified a subgroup of the Lazarus group that they track as “Andariel” (also known as “Stonefly”) as being responsible for the Maui ransomware campaign.
Conclusion
In one of the worst cyberattacks on South Korean civilian infrastructure, North Korean hackers obtained the confidential medical records of hundreds of thousands of patients at a major Seoul hospital, authorities said on Wednesday. According to the KNPA press release, the threat actor attacked Seoul National University Hospital (SNUH)’s intranet between May and June 2021, using seven domestic and international servers.
The press release says the breach of SNUH’s servers compromised the personal data of about 830,000 people, including 810,000 patients and 17,000 former and current staff. Two years after the incident, the KNPA attributed the campaign to North Korean hackers based on IP addresses, intrusion methods, and North Korean terminology. The police told South Korean media that the hackers used a North Korean phrase meaning “Don’t provoke me,” combined with a special character, as a password; in South Korea the same phrase means “Don’t get hurt.” Local media linked the operation to Kimsuky, a notorious hacking group, but the police press release did not.