North Korea blamed for hacking Seoul National University Hospital

Seoul National University Hospital in Jongno District, central Seoul [JOONGANG ILBO]

North Korean hackers were behind the 2021 cyberattacks on Seoul National University Hospital, South Korea’s police concluded Wednesday.

Officers from the Korean National Police Agency’s Cyber Investigation Bureau told local media that a group of North Korean agents were to blame for the personal information theft of some 830,000 people at the hospital from May to June 2021.

Both patients and hospital employees were among the 830,000 victims.

Pathology test results and other medical records were also leaked.

The South Korean police said it appeared the North Koreans were looking to steal the personal data of high-profile figures who visited the hospital for medical treatment.

Seoul National University Hospital, located in Jongno District, central Seoul, is one of the South’s four largest hospitals.

Police said they have yet to find any evidence that the leaked information was used for any further crimes.

The investigation goes back to July 2021, when the hospital first reached out to the police to inform them about the data theft.

After nearly two years of investigation, the South Korean police blamed North Korea, saying that the user names and email addresses saved on the servers used by the programmers were identical to those used by North Korean hackers in the past.

Many of the tactics used in the attack on Seoul National University Hospital also matched previous North Korean hacking operations, the police said.

Seven web servers in South Korea and abroad were deployed to infiltrate the hospital’s internal network, according to police.

The agents were said to have gone through multiple steps to avoid exposing their IP addresses.

The investigation took a long time largely due to the international collaboration required to track down the foreign IP addresses, police said.

Exactly which North Korean cybercrime group led the operation remains unclear.

Police, however, said they suspect it was “Kimsuky,” who was blamed for the 2014 cyberattack on South Korea’s state-backed Korea Hydro & Nuclear Power, a subsidiary of the Korea Electric Power Corporation.

“A private security company conducted the analysis [of the investigation], so it cannot be concluded for certain that Kimsuky is the actual mastermind,” one police officer said on the condition of anonymity Wednesday.

“However, Chinese IP addresses frequently used by Kimsuky were discovered during the investigation process.”

BY LEE SUNG-EUN, KIM MIN-JEONG [lee.sungeun@joongang.co.kr]