A North Korean hacker who attacked US healthcare organizations with ransomware attacks and then used the financial returns to steal sensitive data from tech and defense companies around the world has been indicted by a grand jury in Kansas City, Kansas.
Rim Jong Kyok remains at large in North Korea, with the indictment standing as a demonstration that the US “will continue to deploy all the tools at our disposal to disrupt ransomware attacks, hold those responsible to account, and place victims first,” according to Deputy Attorney General Lisa Monaco.
“Today’s criminal charges against one of those alleged North Korean operatives demonstrates that we will be relentless against malicious cyber actors targeting our critical infrastructure,” Monaco stated.
Circumventing sanctions and fueling regime ambitions
Court documents show that Rim, along with others he collaborated with, worked for North Korea’s Reconnaissance General Bureau. This bureau works as a military intelligence agency that is tracked by cybersecurity firms as “Andariel,” “Onyx Sleet,” and “APT45.”
The group used a custom malware developed by North Korea known as “Maui” to target hospitals and other healthcare providers. Once the ransom was paid, the funds would be laundered through firms based in Hong Kong, converted into Chinese yuan, and then withdrawn from an ATM in the vicinity of the Sino-Korean Friendship Bridge, which connects the borders of Dandong, China, and Sinuiju, North Korea.
These funds would then be used to purchase internet infrastructure to be used in the exfiltration of data from military and governmental institutions across the globe, including a further two US Air Force bases, NASA-OIG, and multiple entities in Taiwan, South Korea, and China.
“Today’s indictment underscores our commitment to protecting critical infrastructure from malicious actors and the countries that sponsor them,” said U.S. Attorney Kate E. Brubacher for the District of Kansas. “Rim Jong Hyok and those in his trade put people’s lives in jeopardy. They imperil timely, effective treatment for patients and cost hospitals billions of dollars a year. The Justice Department will continue to disrupt nation-state actors and ensure that American systems are protected in the District of Kansas and across our nation.”
The UK’s National Cyber Security Center issued a joint warning with its partners in the US and Republic of Korea to warn against North Korea’s targeting of critical infrastructure to steal military and nuclear secrets.
Paul Chichester, NCSC Director of Operations, said, “The global cyber espionage operation that we have exposed today shows the lengths that DPRK state-sponsored actors are willing to go to pursue their military and nuclear programmes.”
“It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse.”
“The NCSC, alongside our US and Korean partners, strongly encourage network defenders to follow the guidance set out in this advisory to ensure they have strong protections in place to prevent this malicious activity,” Chichester concluded.