A North Korean hacker who targeted US healthcare organizations with ransomware attacks and then used the financial proceeds to steal sensitive data from technology and defense companies around the world has been indicted by a grand jury in Kansas City, Kansas.
Rim Jong Kyok remains at large in North Korea, and the indictment is proof that the U.S. “will continue to use all the tools at our disposal to disrupt ransomware attacks, hold those responsible accountable, and put victims first,” said Deputy Attorney General Lisa Monaco.
“Today’s criminal charges against one of these alleged North Korean operatives demonstrate that we will take relentless action against malicious cyber actors who target our critical infrastructure,” Monaco said.
Circumventing sanctions and fueling regime ambitions
Court documents show that Rim, along with others he worked with, worked for North Korea’s Reconnaissance General Bureau, a military intelligence agency tracked by cybersecurity firms as “Andariel,” “Onyx Sleet,” and “APT45.”
The group used a customized malware developed by North Korea, known as “Maui,” to attack hospitals and other healthcare providers. Once the ransom was paid, the funds were laundered through companies based in Hong Kong, converted into Chinese yuan, and then withdrawn from an ATM near the Sino-Korean Friendship Bridge, which connects the borders of Dandong, China, and Sinuiju, North Korea.
These funds would then be used to purchase internet infrastructure used in the smuggling of data from military and government agencies around the world, including two additional US Air Force bases, NASA-OIG, and multiple entities in Taiwan, South Korea, and China.
“Today’s indictment underscores our commitment to protecting critical infrastructure from malicious actors and the countries that sponsor them,” said U.S. Attorney Kate E. Brubacher for the District of Kansas. “Rim Jong Hyok and those in his cadre are putting people’s lives at risk. They jeopardize timely, effective treatment for patients and cost hospitals billions of dollars each year. The Department of Justice will continue to disrupt nation-state actors and ensure that American systems are protected in the District of Kansas and across our country.”
The UK’s National Cyber Security Centre, along with its partners in the US and the Republic of Korea, has issued a warning about North Korea’s attacks on critical infrastructure to steal military and nuclear secrets.
Paul Chichester, NCSC Director of Operations, said: “The global cyber-espionage operation we have exposed today shows the lengths to which DPRK state-sponsored actors are prepared to go in pursuit of their military and nuclear programmes.”
“It should serve as a reminder to critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they store on their systems to prevent theft and misuse.”
“The NCSC, along with our US and Korean partners, strongly encourages network defenders to follow the guidance in this advisory to ensure they have strong protections in place to prevent this malicious activity,” Chichester concluded.