{
	"id": "aefc4360-0609-4af2-bc67-e63844caf10d",
	"created_at": "2026-04-06T00:06:58.112264Z",
	"updated_at": "2026-04-10T13:12:22.962354Z",
	"deleted_at": null,
	"sha1_hash": "6d19659e9eee7eaf0d0f61cd7f5e0d1a8410c5c2",
	"title": "North Korean hackers breached major hospital in Seoul to steal data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3579985,
	"plain_text": "North Korean hackers breached major hospital in Seoul to steal data\r\nBy Bill Toulas\r\nPublished: 2023-05-10 · Archived: 2026-04-05 20:46:16 UTC\r\nThe Korean National Police Agency (KNPA) warned that North Korean hackers had breached the network of one of the country's largest hospitals, Seoul National University Hospital (SNUH), to steal sensitive medical information and personal details.\r\nThe incident occurred between May and June 2021, and the police conducted an analytical investigation during the past two years to identify the perpetrators.\r\nAccording to the law enforcement agency's press release, the attack was attributed to North Korean hackers based on the following information:\r\nthe intrusion techniques observed in the attacks,\r\nthe IP addresses that have been independently linked to North Korean threat actors,\r\nthe website registration details,\r\nthe use of specific language and North Korean vocabulary.\r\nLocal media in South Korea linked the attack to the Kimsuky hacking group, but the police's report does not explicitly mention the particular threat group.\r\nThe attackers used seven servers in South Korea and other countries to launch the attack on the hospital's internal network.\r\n[Figure: Attack outline (police.go.kr)]\r\nThe police said the incident resulted in data exposure for 831,000 individuals, most of whom were patients. Also, 17,000 of the impacted people are current and former hospital employees.\r\nThe KNPA press release cautioned that North Korean hackers might try to infiltrate information and communication networks across various industries. It emphasized the need for enhanced security measures and procedures, such as implementing security patches, managing system access, and encrypting sensitive data.\r\n\"We plan to actively respond to organized cyber-attacks backed by national governments by mobilizing all our security capabilities and to firmly protect South Korea's cyber security by preventing additional damage through information sharing and collaboration with related agencies,\" warned the KNPA.\r\nMaui and Andariel\r\nNorth Korean hackers have been previously linked to hospital network intrusions aiming to steal sensitive data and extort a ransom payment from healthcare organizations.\r\nMore specifically, the U.S. government has highlighted the Maui ransomware threat as such, warning the healthcare sector that they need to raise their defenses against the North Korean operation.\r\nSoon after this warning, security researchers at Kaspersky linked the Maui ransomware operation to a specific cluster of activity named 'Andariel' (aka 'Stonefly'), believed to be a sub-group of Lazarus.\r\nLazarus is known for targeting South Korean entities with ransomware since April 2021.\r\nSource: https://www.bleepingcomputer.com/news/security/north-korean-hackers-breached-major-hospital-in-seoul-to-steal-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/north-korean-hackers-breached-major-hospital-in-seoul-to-steal-data/"
	],
	"report_names": [
		"north-korean-hackers-breached-major-hospital-in-seoul-to-steal-data"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434018,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6d19659e9eee7eaf0d0f61cd7f5e0d1a8410c5c2.pdf",
		"text": "https://archive.orkl.eu/6d19659e9eee7eaf0d0f61cd7f5e0d1a8410c5c2.txt",
		"img": "https://archive.orkl.eu/6d19659e9eee7eaf0d0f61cd7f5e0d1a8410c5c2.jpg"
	}
}