North Korea-linked APT breached the Seoul National University Hospital

The Korean National Police Agency (KNPA) warns that a North Korea-linked APT group had breached the Seoul National University Hospital (SNUH).

The Korean National Police Agency (KNPA) revealed that a North Korea-linked APT group has breached one of the largest hospitals in the country, the Seoul National University Hospital (SNUH).

The security breach took place between May and June 2021 and was aimed at stealing sensitive medical information and personal details. Experts speculate the attackers were looking for information belonging to high-profile figures who got medical treatment at the hospital

According to South Korea’s National Police Agency, the nation-state actors gained access to the intranet of Seoul National University Hospital (SNUH) in 2021, and stole the personal information of about 830,000 patients and workers, including 17,000 current and former hospital employees

The attack did not impacted the operations at the South Korean hospital.

The attribution of the attack to North Korea is based TTPs observed by the National Police Agency, including IP addresses, the used of specific words in the North Korean vocabulary, and the anonymization techniques involved in the attacks. The South Korean Police did not attribute the attack to a specific APT group, however, local media speculate it was coordinated by the Kimsuky APT.

“The origin of the IP address and the method of address laundering used in the attack matched those of North Korean hacking groups used in their previous hacking attacks, officials said.” reported the YonHap News agency.

Kimsuky cyberespiona group (aka ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researcher in 2013. At the end of October 2020, the US-CERT published a report on Kimusky’s recent activities that provided information on their TTPs and infrastructure.

The APT group mainly targets think tanks and organizations in South Korea, other victims were in the United States, Europe, and Russia.

In the latest campaign, the state-sponsored group focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.

According to the Korean National Police Agency (KNPA)’s report, the state-sponsored hackers used at least seven servers in South Korea and other countries to launch the attack.

The KNPA also warns that North Korean APT groups might attempt to infiltrate information and communication networks across various industries. The agency urges organizations in the country to adopt a proper security posture, by implementing an efficient patch management strategy, enforcing managing system access, and encrypting sensitive data.

“We plan to actively respond to organized cyber-attacks backed by national governments by mobilizing all our security capabilities and to firmly protect South Korea’s cyber security by preventing additional damage through information sharing and collaboration with related agencies,” warned the KNPA.

“The National Police Agency is mobilizing all its security capabilities against organized nation-state operations while actively responding to them. Information sharing and collaboration with other agencies will allow to protect Korea and prevent damage.”

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Kimsuky)