Posted on May 10, 2023 at 3:57 PM
The Korean National Police Agency (KNPA) has warned about the heightened threat posed by North Korean hackers. The agency said that hackers from North Korea had infiltrated one of South Korea's largest hospitals, Seoul National University Hospital (SNUH).
North Korean hackers target one of the largest hospitals in Seoul
North Korean hackers have been targeting the healthcare industry in South Korea. The hackers gained access to the Seoul National University Hospital and managed to steal sensitive medical and personal details. The theft of the information is concerning due to its sensitive nature.
The hacking incident occurred two years ago, between May and June 2021. Law enforcement authorities in Seoul have been investigating the matter over the last two years to determine the threat actor group behind the incident.
A press release by the police on the analytical investigation said that the attack was linked to North Korean hackers. The police shared some details of the attack that proved that a North Korean hacking group was behind the exploit. The analytical investigation looked at the intrusion techniques detected in these attacks.
The investigation uncovered IP addresses independently linked to hackers operating from North Korea. It also examined the website's registration details and determined that they were linked to North Korea. An analysis of the language used in the attack showed that the hackers used vocabulary and phrasing unique to North Korea.
Local media reports in South Korea have linked this exploit to the Kimsuky threat actor group. However, reports by the police have not mentioned any particular threat actor group responsible for the exploit. North Korea is home to some of the most notorious hacking groups that can take down critical infrastructure and paralyze essential services.
The attackers in question used seven servers in South Korea and other countries. These servers were used to conduct this attack on the hospital’s internal network. According to the police, this matter resulted in data exposure for 831,000 individuals, most of whom were patients at the hospital.
Of those affected, 17,000 are current and former employees of the hospital. In its press release, the KNPA also cautioned that North Korean hackers might attempt to infiltrate information and communication networks across different industries.
According to the KNPA, advanced security systems need to be put in place to prevent such attacks from recurring. Recommended measures include applying security patches, managing system access, and encrypting sensitive data.
The KNPA has also said that, with the support of the national government, it will respond to cyberattacks by using its security capabilities to safeguard South Korea's cybersecurity. It aims to prevent further damage from these attackers by sharing information and partnering with the related agencies.
The KNPA warning also said, “We plan to actively respond to organized cyber-attacks backed by national governments by mobilizing all our security capabilities and to firmly protect South Korea’s cyber security by preventing additional damage through information sharing and collaboration with the related agencies.”
North Korean hackers targeting South Korea
North Korean hackers have been actively launching hacking attacks against South Korea. These hackers have been previously linked to a cyberattack against a hospital network to steal sensitive data from the platform and extort a ransom payment from the healthcare organization.
One of the notorious hacking operations linked to North Korea involves the Maui ransomware threat. The US government issued a warning about Maui saying that the healthcare sector needed to remain vigilant and ensure it is not compromised by these hackers. The North Korean operation targets weak defence systems to launch hacking attacks.
After the US issued this warning, cybersecurity researchers at Kaspersky associated the Maui ransomware operation with a cluster of activity known as “Andariel” or Stonefly. The activities of these groups are believed to have originated from the Lazarus group.
The Lazarus hacking group is linked to a wide range of attacks against South Korean institutions. These groups have been linked to ransomware attacks since April 2021, and they tend to target a wide range of industries.