
Cyber Incident Victim: Seoul National University Hospital

Date: May 2021

Location: South Korea

Summary

North Korean hackers breached a major South Korean hospital, resulting in the theft of sensitive medical and personal data impacting approximately 831,000 individuals, predominantly patients, alongside 17,000 current and former employees. The intrusion, attributed to North Korean actors through analysis of attack techniques, infrastructure tied to prior operations, linguistic patterns, and server registrations, leveraged seven servers across multiple countries to infiltrate the hospital's network. While local media associated the incident with the Kimsuky group, authorities did not explicitly confirm this attribution. The breach aligns with broader North Korean cyber activities targeting healthcare entities, including ransomware operations linked to clusters like Andariel and Lazarus.


Description

Between May and June 2021, North Korean hackers breached the internal network of Seoul National University Hospital (SNUH), one of South Korea’s largest healthcare institutions. The intrusion persisted for approximately two months before it was discovered; public reports do not specify how it was detected. The attackers used seven servers, located in South Korea and in other unidentified countries, to conduct their operations. During this period they exfiltrated sensitive medical information and personal details belonging to 831,000 individuals, predominantly patients, along with a further 17,000 records of current and former hospital employees. The Korean National Police Agency (KNPA) conducted a two-year investigation, concluded in 2023, that attributed the attack to North Korean threat actors on the basis of technical evidence: intrusion patterns, IP addresses historically linked to North Korean operations, website registration artifacts, and linguistic analysis revealing North Korean vocabulary in the attack infrastructure. While South Korean media outlets associated the incident with the Kimsuky hacking group, KNPA’s official findings did not explicitly name a specific threat actor.


The breach underscored North Korea’s persistent targeting of South Korean critical infrastructure, particularly healthcare entities holding valuable personal data. KNPA’s May 2023 public warning highlighted concerns over continued state-sponsored cyber campaigns against multiple industries, urging enhanced security measures such as prompt patch management, strict access controls, and data encryption. The agency pledged coordinated responses with domestic and international partners to mitigate future attacks through intelligence sharing and operational collaboration. This incident aligned with broader patterns of North Korean cyber activity, including the U.S.-identified Maui ransomware operations targeting healthcare providers for extortion and data theft. Security researchers at Kaspersky later linked Maui to the Andariel cluster, a subgroup of the Lazarus hacking collective known for ransomware campaigns against South Korean organizations since April 2021. The SNUH compromise demonstrated operational overlaps with these campaigns, though direct attribution to Lazarus or its subgroups was not confirmed in KNPA’s public assessment. Financial or operational disruptions to hospital services were not disclosed, with primary impacts confined to data exposure affecting nearly 850,000 individuals.
