North Korean hacker used hospital ransomware attacks to fund espionage
Federal prosecutors announced the indictment Thursday of a North Korean hacker accused of carrying out ransomware operations that targeted American health care facilities and used the proceeds of those operations to fund espionage efforts against the U.S. military and defense contractors.
Rim Jong Hyok is accused of using malware developed by North Korea’s military intelligence agency to target at least five American health care providers. One of those facilities, a hospital in Kansas that in 2021 lost access to a server hosting x-ray and other diagnostic imagery due a ransomware attack allegedly orchestrated by Rim, had to cancel patient appointments as a result, according to an indictment filed in a Kansas federal court.
American prosecutors allege that Rim used the ransom payments he received from American health care providers to fund attacks on at least 11 federal agencies and defense contractors. Those attacks aimed to exfiltrate information of interest to the North Korean regime and sought to obtain material about missile technology, drones and the development of fissile materials.
The operation successfully breached and exfiltrated data from NASA, unnamed defense companies in California, Michigan and Massachusetts, and a pair of U.S. Air Force bases in Texas and Georgia, according to the indictment. The operation also penetrated and stole data from defense contractors in Taiwan and South Korea, in addition to a Chinese energy company.
The operations targeting South Korean defense contractors may have netted the North Korean hackers data on an anti-aircraft laser weapon.
“The benefits of these activities are symbiotic,” a senior FBI official speaking on condition of anonymity told reporters during a Thursday call. “Without the ability to conduct state ransomware operations and receive payments, other cyber operations conducted by DPRK would be difficult to continue.”
The State Department announced Thursday that it would provide a $10 million reward for information about Rim and the Andariel hacking group.
A senior Department of Justice official said that U.S. authorities had disrupted a number of accounts linked to the infrastructure used to carry out the North Korean operation and noted that the investigation and disruption activity was only possible because the targeted hospital in Kansas reached out to and cooperated with FBI investigators.
According to a joint cybersecurity advisory published Thursday to coincide with the indictment, the North Korean hacking operation, which is linked to a group within the country’s military intelligence unit, relies on custom tools and malware to carry out their work.
The advisory, published by U.S. cybersecurity agencies together with counterparts in South Korea and the United Kingdom, notes that the group has evolved from carrying out destructive attacks on the United States and South Korea to conducting specialized ransomware and espionage operations.
The advisory’s description of information targeted by the group reads like a wishlist for the North Korean military: fighter aircraft and unmanned aerial vehicles; radar systems; uranium processing and enrichment; and heavy and light tanks, among other targets.
Microsoft said in a blog post published Thursday that the company first observed the group in 2014 and that its ability to develop a toolkit and add features to those tools makes it a persistent threat. The group historically relied on spearphishing to carry out its operations but now tends to use recently disclosed and unpatched vulnerabilities in its attacks, including a TeamCity vulnerability last year, according to Microsoft.
In recognition of the group’s persistent activities, Google on Thursday upgraded the hacking crew to its list of top-tier of threats, dubbing the North Korean entity as APT45.
“APT45 has a history of targeting government and defense companies around the world, but this indictment showcases that North Korean threats groups also pose a serious threat to citizens’ everyday lives and can’t be ignored or disregarded.” said Michael Barnhart, a principal analyst at Mandiant.
“Their targeting of hospitals to generate revenue and fund their operations demonstrates a relentless focus on fulfilling their priority mission of intelligence gathering, regardless of the potential consequences it may have on human lives,” he said.
