Washington — North Korean hackers targeted a number of U.S. hospitals and health systems with ransomware as part of an illegal scheme to fund a covert espionage campaign against U.S. military and scientific entities, federal investigators revealed Thursday.
The international hacking campaign began in May 2021, when a hacking group linked to North Korea’s military intelligence agency, the Reconnaissance General Bureau (RGB), launched a ransomware attack on a hospital in Kansas. The malware locked out users of X-ray and diagnostic imaging systems and electronic document management servers, prosecutors alleged in a newly unsealed indictment. The hackers also targeted hospitals, clinics and medical facilities in Arkansas, Connecticut, Florida and Colorado, as well as a manufacturing company in South Korea.
Rim Jong Hyok of North Korea was the only defendant named in the alleged conspiracy. Investigators said Rim and his co-conspirators, members of the hacking group known as Andariel, held the hospital’s computer system hostage until administrators paid a ransom in Bitcoin. In exchange, the hackers gave the hospital the decryption keys to unlock the servers.
The State Department is offering a $10 million reward for information leading to the location of Rim or other members of the malicious cyber group.
The FBI says it has seized online accounts used by co-conspirators to carry out their malicious activities, recovering a total of more than $600,000 in virtual currency from the ransomware attacks – which will be returned to ransomware victims.
A new cybersecurity advisory warns that the state-sponsored cyber group “primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.”
Prosecutors alleged that the North Korean cybercriminals carried out campaigns against health care companies in Connecticut and Arkansas, a Florida hospital and a Colorado medical clinic at various times in 2022. The attacks forced some of those health care providers to cancel patient appointments, and the hackers demanded similar payments in cryptocurrency.
Investigators said they tracked Bitcoin payments to various accounts, including those controlled by anonymous individuals living in Hong Kong.
According to the indictment documents, North Korean hackers targeted hospitals and health care companies to extort them using ransomware, then used the ransom payments to purchase internet servers to attack U.S., South Korean and Chinese government entities.
In February 2022, prosecutors said the hacking group allegedly accessed NASA’s computer system for more than three months and stole more than 17 gigabytes of unclassified data from the Office of Inspector General, an independent agency that monitors NASA’s compliance with government rules.
In April of that year, Andariel allegedly hacked into a computer system used at Randolph Air Force Base in Texas and extracted unclassified data from the facility’s servers.
Beginning in November 2022, the North Korean group allegedly gained access to a Massachusetts-based defense contracting company and stole 30 gigabytes of data “including unclassified technical information about hardware used in military aircraft and satellites, much of which dated to 2010 or earlier,” according to the indictment.
“We saw [hackers] target information related to fighter aircraft and unmanned aerial vehicles, missile and missile defense systems, surveillance radars and other radar systems,” a senior FBI official told reporters Thursday. “In the nuclear domain, [we’ve seen hackers target] nuclear power plants for uranium processing and enrichment, as well as in engineering, shipbuilding, marine engineering, robotic machinery, additive manufacturing and 3D printing machining processes and technologies.”
Defense companies in Taiwan and South Korea have also been targeted by hackers, who were active as recently as last year, investigators said.
The UK’s National Cyber Security Centre warned Thursday that Andariel was targeting organisations around the world to steal classified technical information and intellectual property, in some cases launching ransomware attacks and hacking operations on the same day.