N. Korean Hacker Charged in Ransomware Attacks on U.S. Hospitals

A grand jury in Kansas City, Kansas, returned an indictment on Wednesday charging North Korean national Rim Jong Hyok for his involvement in a conspiracy to hack and extort U.S. hospitals and other health care providers, launder the ransom proceeds, and then use these proceeds to fund additional computer intrusions into defense, technology, and government entities worldwide. Their ransomware attacks prevented victim health care providers from providing full and timely care to patients.

“Two years ago, the Justice Department disrupted the North Korean group using Maui ransomware to hold hostage U.S. hospitals and health care providers,” said Deputy Attorney General Lisa Monaco. “Today’s criminal charges against one of those alleged North Korean operatives demonstrates that we will be relentless against malicious cyber actors targeting our critical infrastructure. This latest action, in collaboration with our partners in the U.S. and overseas, makes clear that we will continue to deploy all the tools at our disposal to disrupt ransomware attacks, hold those responsible to account, and place victims first.”

“Rim Jong Hyok and his co-conspirators deployed ransomware to extort U.S. hospitals and health care companies, then laundered the proceeds to help fund North Korea’s illicit activities,” said Deputy Director Paul Abbate of the FBI. “These unacceptable and unlawful actions placed innocent lives at risk. The FBI and our partners will leverage every tool available to neutralize criminal actors and protect American citizens.”

“North Korean hackers developed custom tools to target and extort U.S. health care providers and used their ill-gotten gains to fund a spree of hacks into government, technology, and defense entities worldwide, all while laundering money through China,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The indictment, seizures, and other actions announced today demonstrate the Department’s resolve to hold these malicious actors accountable, impose costs on the North Korean cyber program, and help innocent network owners recover their losses and defend themselves.”

“Today’s indictment underscores our commitment to protecting critical infrastructure from malicious actors and the countries that sponsor them,” said U.S. Attorney Kate E. Brubacher for the District of Kansas. “Rim Jong Hyok and those in his trade put people’s lives in jeopardy. They imperil timely, effective treatment for patients and cost hospitals billions of dollars a year. The Justice Department will continue to disrupt nation-state actors and ensure that American systems are protected in the District of Kansas and across our nation.”

“The Air Force Office of Special Investigations (OSI) will continue to work alongside our law enforcement partners to root out malicious actors who seek to degrade the Department of the Air Force’s ability to protect the nation,” said Commander Brigadier General Amy S. Bumgarner of OSI. “Multiple OSI units, including one of our newly established National Security Detachments, which were established to provide counterintelligence, law enforcement and analytical support to protect technology at the earliest stages of advanced research and development, provided support to this investigation.”

“While North Korea uses these types of cybercrimes to circumvent international sanctions and fund its political and military ambitions, the impact of these wanton acts have a direct impact on the citizens of Kansas,” said Special Agent in Charge Stephen A. Cyrus of the FBI Kansas City Field Office. “These actions keep our families from getting the health care they need, slowing the response of our first responders, endangering our critical infrastructure and, ultimately, costing Kansans through ransoms paid, lost productivity, and money spent to rebuild our networks following cyber attacks. Today’s charges prove these cyber actors cannot act with impunity and that malicious actions against the citizens of Kansas and the rest of the United States have severe consequences.”

“The indictment of individuals responsible for breaching U.S. government systems, regardless of their location, demonstrates the dedication of the National Aeronautics and Space Administration Office of Inspector General (NASA-OIG), the Justice Department, and our law enforcement partners to relentlessly investigate, prosecute, and hold accountable those who believe they can operate in the shadows,” said Assistant Inspector General for Investigations Robert Steinau of NASA-OIG.

According to court documents, Rim and his co-conspirators worked for North Korea’s Reconnaissance General Bureau, a military intelligence agency, and are known to the private sector as “Andariel,” “Onyx Sleet,” and “APT45.” Rim and his co-conspirators laundered ransom payments through China-based facilitators and used these proceeds to purchase internet infrastructure, which the co-conspirators then used to hack and exfiltrate sensitive defense and technology information from entities across the globe. Victims of this further hacking include two U.S. Air Force bases, NASA-OIG, and entities located in Taiwan, South Korea, and China. Related Andariel activity has been the subject of private sector reporting, and a cybersecurity advisory with updated technical indicators of compromise was published by the FBI, the National Security Agency, U.S. Cyber Command’s Cyber National Mission Force, the Department of the Treasury, the Department of Defense’s Cyber Crime Center, the Cybersecurity and Infrastructure Security Administration, and South Korean and United Kingdom partners today.

The Justice Department and the FBI are also announcing the interdiction of approximately $114,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions, as well as the seizure of online accounts used by co-conspirators to carry out their malicious cyber activity. The FBI previously seized approximately $500,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions. In addition to these actions, the Department of State announced today a reward offer of up to $10 million for information leading to the location or identification of Rim. The State Department’s Rewards for Justice program has a standing reward offer for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.

Private sector partners are also taking other voluntary actions to limit the spread of Andariel-created malware. In partnership with the Department, Microsoft developed and implemented technical measures to block Andariel actors from accessing victims’ computer networks. Additionally, Mandiant is publishing research today that highlights its unique insights into Andariel’s tactics, techniques, and procedures. These actions by Microsoft and Mandiant were a significant part of the overall effort to secure networks, and they will help cybersecurity practitioners prevent, identify, and mitigate attacks from Andariel actors.

Maui Ransomware and Money Laundering

As alleged in the indictment, Rim worked for North Korea’s Reconnaissance General Bureau (RGB), a military intelligence agency, and participated in the conspiracy to target and hack computer networks of U.S. hospitals and other health care providers, encrypt their electronic files, extort a ransom payment from them, launder those payments, and use the laundered proceeds to hack targets of interest to the North Korean regime.

The Andariel actors used custom malware, developed by the RGB, known as “Maui.” After running the maui.exe program to encrypt a ransomware victim’s computer network, the North Korean co-conspirators would extort the organization by leaving a note with a cryptocurrency address for a ransom payment.

The Andariel actors received ransom payments in a virtual currency and then laundered the payments with the assistance of Hong Kong-based facilitators. In at least one case, these Hong Kong facilitators converted ransom funds from cryptocurrency to Chinese yuan. The yuan was then accessed from an ATM in China in the immediate vicinity of the Sino-Korean Friendship Bridge, which connects Dandong, China, and Sinuiju, North Korea.

Exfiltration of Sensitive Data from Companies and Government Agencies

Rim and his co-conspirators used ransom proceeds to lease virtual private servers that were used to launch attacks against defense, technology, and other organizations, and to steal information from them. Victims of this further hacking included U.S. defense contractors, two U.S. Air Force bases, NASA-OIG, South Korean and Taiwanese defense contractors, and a Chinese energy company. The Andariel actors obtained initial access to victims’ networks by exploiting known vulnerabilities that had not been patched by the victims, including the widespread Log4Shell vulnerability. (Additional tactics, techniques, and procedures are available in the joint cybersecurity advisory released today.) The Andariel actors stole terabytes of information, including unclassified U.S. government employee information, old technical information related to military aircraft, intellectual property, and limited technical information pertaining to maritime and uranium processing projects.

Assistant U.S. Attorneys Ryan Huschka and Chris Oakley for the District of Kansas and Trial Attorneys Neeraj Gupta and George Brown of the National Security Division’s National Security Cyber Section are prosecuting the case.

The FBI continues to investigate Andariel’s hacking and money laundering activities. The Air Force Office of Special Investigations, the Department of Defense Cyber Crime Center, and NASA-OIG provided valuable assistance.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt.

View previous joint cybersecurity advisories from CISA here.

View previous joint cybersecurity advisories from Department of Defense here.

View previous cryptocurrency seizure announcement here.

Public Release. More on this here.