The Korean National Police Agency (KNPA) is blaming North Korea for a 2021 cyberattack on Seoul National University Hospital (SNUH), one of the South’s oldest and largest clinics. The incident, which took place between May and June of last year, resulted in the theft of sensitive medical information and personal details. At least 830,000 individuals, primarily SNUH patients, and 17,000 current and former hospital employees were affected by the breach.
After nearly two years of investigation, officers from the KNPA’s Cyber Investigation Bureau announced to local media last week that evidence from their forensic investigation – such as intrusion techniques, IP addresses linked to North Korean threat actors, website registration details and the use of specifically North Korean vocabulary – pointed directly to the DPRK.
Though the perpetrators have not yet been identified, the KNPA associated the attack with “Kimsuky,” a North Korean state-backed hacker group that, for espionage purposes, targets primarily South Korean, but also international, think tanks, industry and nuclear power operators, as well as South Korea’s unification ministry. The group is also known as “Velvet Chollima” and “Black Banshee.”
“Chinese IP addresses frequently used by Kimsuky were discovered during the investigation process,” an undisclosed police officer told JoongAng Daily on May 10. However, as a private security company had conducted the analysis for the investigation, “it cannot be said with certainty that Kimsuky is the real mastermind.”
North Korean hackers have been linked in the past to penetrations of hospital networks and thefts of sensitive data to extort ransom payments from healthcare institutions. The US government, in particular, has warned the healthcare sector about the global threat of North Korean ransomware.
Half of North Korea’s weapons development may be funded by cybercrimes
The theft of sensitive data and cryptocurrencies by sophisticated hackers has long been a hallmark of cybercriminals backed by the North Korean state. The blockchain data platform Chainalysis estimated that North Korean hackers – mainly the notorious Lazarus Group – embezzled USD 1.7 billion in digital assets in 2022 using tactics such as malware, phishing and social engineering.
In reports from the United Nations (UN) and private companies, North Korean hackers are accused of stealing billions of dollars from banks and cryptocurrency companies in recent years, thereby providing a major source of revenue for the regime. Just recently, the UN warned that Pyongyang was continuing to implement its five-year military development plan, which includes the pursuit of nuclear weapons and ballistic missile programs. In addition, Pyongyang has “greatly increased its missile launch activities in 2022 and 2023” – largely with the help of revenues from “cyberactivities,” it said.
On May 9, an unnamed White House official claimed that cyberattacks and cryptocurrency theft are funding at least half of North Korea’s weapons development as well as the country’s missile program.
It thus appears that hacking and cybercrime are not only an important source of revenue for Pyongyang, but also ensure the regime’s survival. For South Korea, and for other governments, particularly Western ones, disrupting North Korea’s cryptocurrency pipeline is therefore a massive security concern.
Edited by Robert Lauler.