North Korean Hackers Breach Seoul National University Hospital Network

North Korean hackers breached the IT systems of Seoul National University Hospital (SNUH) and stole sensitive medical records and personal details. The Korean National Police Agency (KNPA) spent two years investigating the intrusion before attributing it, and warned that further attacks on other industries are likely.

The attack occurred between May and June 2021. The KNPA attributed it to North Korean hackers based on the intrusion techniques used, IP addresses that have been independently linked to North Korean threat actors, website registration details, and the use of North Korean vocabulary and phrasing. While local media linked the attack to the Kimsuky hacking group, the police report did not name a particular threat group.

The hackers used seven servers in South Korea and other countries to launch the attack on the hospital’s internal network. The data exposure affected 831,000 individuals, most of whom were patients. Additionally, 17,000 current and former hospital employees were impacted.

Attack outline (figure)

The KNPA press release urged IT service operators to apply security patches, manage system access, and encrypt sensitive data. The agency said it will mobilize all of its security capabilities to respond to state-backed organized cyber-attacks and protect South Korea's cybersecurity, preventing additional damage through information sharing and collaboration with related agencies.

Maui and Andariel

North Korean hackers have previously targeted healthcare organizations with ransomware to steal sensitive data and extort ransom payments. The U.S. government has warned the healthcare sector to raise its defenses against these North Korean operations, specifically highlighting the Maui ransomware threat.

Security researchers at Kaspersky linked the Maui ransomware operation to a specific cluster of activity named ‘Andariel’ (aka ‘Stonefly’), believed to be a sub-group of Lazarus. Lazarus has been targeting South Korean entities with ransomware since April 2021.
