A federal grand jury indicted a North Korean national for allegedly leading ransomware attacks in 2022 against U.S. hospitals.
The U.S. Department of Justice accuses North Korean national Rim Jong Hyok of working for the country's military intelligence agency that uses cyberattacks against healthcare providers to collect ransoms to fund more attacks against U.S. government agencies, according to the indictment filed in the U.S. District Court for the District of Kansas.
Hyok is accused of targeting 17 entities across 11 U.S. states. These ransomware attacks prevented victim health care providers from providing full and timely care to patients, according to the Justice Department.
U.S. hospitals targeted in the ransomware attacks include hospitals in Kansas and Florida, a Colorado medical clinic and healthcare firms in Arkansas and Connecticut, according to the unsealed indictment.
An arrest of Rim is unlikely, the AP reported. The biggest outcome of the indictment is that it may lead to sanctions that could cripple the ability of North Korea to collect ransoms this way, which could in turn remove the motivation to conduct cyber attacks on entities like hospitals in the future, the AP reported, citing a cybersecurity analyst.
The government is offering a reward of up to $10 million for information on the hacker and other cybercriminals targeting critical infrastructure.
Rim allegedly worked for North Korea’s Reconnaissance General Bureau (RGB), a military intelligence agency, and participated in the conspiracy to target and hack computer networks of U.S. hospitals and other health care providers, encrypt their electronic files, extort a ransom payment from them, launder those payments, and use the laundered proceeds to hack targets of interest to the North Korean regime.
The hacking group, known as Andariel, used custom malware, developed by the RGB, known as “Maui.”
The Justice Department said two years ago it disrupted the North Korean group using Maui ransomware against U.S. hospitals and healthcare providers.
“North Korean hackers developed custom tools to target and extort U.S. health care providers and used their ill-gotten gains to fund a spree of hacks into government, technology, and defense entities worldwide, all while laundering money through China,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division in a statement. “The indictment, seizures, and other actions announced today demonstrate the Department’s resolve to hold these malicious actors accountable, impose costs on the North Korean cyber program, and help innocent network owners recover their losses and defend themselves.”
The U.S. government alleges that Rim and his co-conspirators laundered ransom payments through China-based facilitators and used these proceeds to purchase internet infrastructure, which the co-conspirators then used to hack and exfiltrate sensitive defense and technology information from entities around the world. Victims of this further hacking include two U.S. Air Force bases, NASA-OIG, and entities located in Taiwan, South Korea, and China.
In May 2021, a Kansas medical center was hit with the Maui ransomware variant as hackers encrypted the hospital's files and computers. A ransom note sent to the hospital demanded bitcoin payment in exchange for restoring access, according to the indictment. Federal investigators said they were able to follow the money by tracing the payments across blockchains.
The Justice Department said the FBI seized $114,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions, and also seized online accounts used by co-conspirators to carry out their malicious cyber activity. The FBI had previously seized approximately $500,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions.
Related Andariel activity has been the subject of private sector reporting, and a cybersecurity advisory with updated technical indicators of compromise was published by the FBI, the National Security Agency, U.S. Cyber Command’s Cyber National Mission Force, the Department of the Treasury, the Department of Defense’s Cyber Crime Center, the Cybersecurity and Infrastructure Security Administration, and South Korean and United Kingdom partners today.