The U.S. State Department on Thursday offered a $10 million bounty for “information leading to the identification or location” of a dangerous North Korean hacker known as Rim Jong-hyok.
Federal prosecutors on Thursday indicted Rim for ransomware attacks against American hospitals.
The State Department identified Rim as “a national of the Democratic People’s Republic of Korea (DPRK) who is associated with a malicious cyber group known as Andariel.”
“The Andariel group is controlled by the DPRK’s military intelligence agency, the Reconnaissance General Bureau, which has primary responsibility for the DPRK’s malicious cyber activities and is also involved in the DPRK’s illicit arms trade,” the statement explained.
The State Department noted that U.S. law enforcement has linked Andariel to attacks against “five healthcare providers, four U.S.-based defense contractors, two U.S. Air Force bases, and the National Aeronautics and Space Administration’s Office of Inspector General.”
A grand jury in Kansas City, Kansas, indicted Rim on Thursday for attacking an unnamed Kansas hospital with ransomware, which renders the victim’s data inaccessible unless they pay a ransom to the hackers.
The hospital in question reportedly paid $100,000 in Bitcoin to recover its data. Fortunately, the Department of Justice (DOJ) was able to recover the ransom, along with ransom paid by a Colorado healthcare provider after a similar attack.
Both attacks used the same variant of a dangerous ransomware program called Maui, which is popular with North Korean hackers, especially when they attack healthcare providers. The urgency of accessing patient data in a timely manner makes big hospitals and clinics inviting targets for ransomware.
Maui is unusual among ransomware packages because it requires manual operation by the hackers, rather than exploding automatically when a user clicks on a virus-laced file. This may help to make Maui’s encryption harder to defeat because the hackers take a direct hand in locking up the data and help the hackers evade security measures because they manually target data files for kidnapping.
The Kansas indictment charged Rim with laundering ransom money from the hospital attack through “China-based facilitators” and using the loot to finance further cybercrime against targets around the world. The DOJ said one of the attacks financed by Rim in 2022 extracted “more than 30 gigabytes of data” from a U.S. defense contractor, including data on the materials used in military aircraft and satellites. Fortunately, the data was unclassified and largely outdated.
“While North Korea uses these types of cybercrimes to circumvent international sanctions and fund its political and military ambitions, the impact of these wanton acts have a direct impact on the citizens of Kansas,” Kansas City FBI agent Stephen A. Cyrus said. The indictment noted that patient treatment was directly affected by the assault on the hospital’s computer system.
A senior FBI official told reporters on background that North Korea aggressively uses the proceeds from ransomware attacks to finance other cybercrimes and “further their larger military and nuclear program objectives.”
“Without the ability to conduct these ransomware operations and receive payments, other cyber operations conducted by DPRK would be difficult,” the official said.
COMMENTS
Please let us know if you're having issues with commenting.