Blog
North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers
Hacking group known as “Andariel” used ransom proceeds to fund theft of sensitive information from defense and technology organizations worldwide, including U.S. government agencies.
“A grand jury in Kansas City, Kansas, returned an indictment on Wednesday charging North Korean national Rim Jong Hyok for his involvement in a conspiracy to hack and extort U.S. hospitals and other health care providers, launder the ransom proceeds, and then use these proceeds to fund additional computer intrusions into defense, technology, and government entities worldwide. Their ransomware attacks prevented victim health care providers from providing full and timely care to patients.”
“According to court documents, Rim and his co-conspirators worked for North Korea’s Reconnaissance General Bureau, a military intelligence agency, and are known to the private sector as ‘Andariel,’ ‘Onyx Sleet,’ and ‘APT45.’ Rim and his co-conspirators laundered ransom payments through China-based facilitators and used these proceeds to purchase internet infrastructure, which the co-conspirators then used to hack and exfiltrate sensitive defense and technology information from entities across the globe. Victims of this further hacking include two U.S. Air Force bases, NASA-OIG, and entities located in Taiwan, South Korea, and China. Related Andariel activity has been the subject of private sector reporting, and a cybersecurity advisory with updated technical indicators of compromise was published by the FBI, the National Security Agency, U.S. Cyber Command’s Cyber National Mission Force, the Department of the Treasury, the Department of Defense’s Cyber Crime Center, the Cybersecurity and Infrastructure Security Administration, and South Korean and United Kingdom partners today.”
“The Justice Department and the FBI are also announcing the interdiction of approximately $114,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions, as well as the seizure of online accounts used by co-conspirators to carry out their malicious cyber activity. The FBI previously seized approximately $500,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions. In addition to these actions, the Department of State announced today a reward offer of up to $10 million for information leading to the location or identification of Rim. The State Department’s Rewards for Justice program has a standing reward offer for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.”
“Private sector partners are also taking other voluntary actions to limit the spread of Andariel-created malware. In partnership with the Department, Microsoft developed and implemented technical measures to block Andariel actors from accessing victims’ computer networks. Additionally, Mandiant is publishing research today that highlights its unique insights into Andariel’s tactics, techniques, and procedures. These actions by Microsoft and Mandiant were a significant part of the overall effort to secure networks, and they will help cybersecurity practitioners prevent, identify, and mitigate attacks from Andariel actors.”
Maui Ransomware and Money Laundering
“As alleged in the indictment, Rim worked for North Korea’s Reconnaissance General Bureau (RGB), a military intelligence agency, and participated in the conspiracy to target and hack computer networks of U.S. hospitals and other health care providers, encrypt their electronic files, extort a ransom payment from them, launder those payments, and use the laundered proceeds to hack targets of interest to the North Korean regime.”
“The Andariel actors used custom malware, developed by the RGB, known as ‘Maui.’ After running the maui.exe program to encrypt a ransomware victim’s computer network, the North Korean co-conspirators would extort the organization by leaving a note with a cryptocurrency address for a ransom payment.”
“The Andariel actors received ransom payments in a virtual currency and then laundered the payments with the assistance of Hong Kong-based facilitators. In at least one case, these Hong Kong facilitators converted ransom funds from cryptocurrency to Chinese yuan. The yuan was then accessed from an ATM in China in the immediate vicinity of the Sino-Korean Friendship Bridge, which connects Dandong, China, and Sinuiju, North Korea.”
Exfiltration of Sensitive Data from Companies and Government Agencies
“Rim and his co-conspirators used ransom proceeds to lease virtual private servers that were used to launch attacks against defense, technology, and other organizations, and to steal information from them. Victims of this further hacking included U.S. defense contractors, two U.S. Air Force bases, NASA-OIG, South Korean and Taiwanese defense contractors, and a Chinese energy company. The Andariel actors obtained initial access to victims’ networks by exploiting known vulnerabilities that had not been patched by the victims, including the widespread Log4Shell vulnerability. (Additional tactics, techniques, and procedures are available in the joint cybersecurity advisory released today.) The Andariel actors stole terabytes of information, including unclassified U.S. government employee information, old technical information related to military aircraft, intellectual property, and limited technical information pertaining to maritime and uranium processing projects.” (Source: US Department of Justice)