A grand jury in Kansas City, Kansas, returned an indictment on Wednesday charging a fugitive North Korean national for his involvement in a conspiracy to hack and extort U.S. hospitals and other health care providers, launder the ransom proceeds, and then use these proceeds to fund additional computer intrusions into defense, technology, and government entities worldwide.
“North Korean hackers developed custom tools to target and extort U.S. health care providers and used their ill-gotten gains to fund a spree of hacks into government, technology, and defense entities worldwide, all while laundering money through China,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The indictment, seizures, and other actions announced today demonstrate the Department’s resolve to hold these malicious actors accountable, impose costs on the North Korean cyber program, and help innocent network owners recover their losses and defend themselves.”
According to court documents, Rim Jong Hyok and his co-conspirators worked for North Korea’s Reconnaissance General Bureau, a military intelligence agency, and are known to the private sector as “Andariel,” “Onyx Sleet,” and “APT45.”
Rim and his co-conspirators laundered ransom payments through China-based facilitators and used these proceeds to purchase internet infrastructure, which the co-conspirators then used to hack and exfiltrate sensitive defense and technology information from entities across the globe.
Victims of this further hacking include two U.S. Air Force bases, NASA-OIG, and entities located in Taiwan, South Korea, and China.
The Justice Department and the FBI are also announcing the interdiction of approximately $114,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions, as well as the seizure of online accounts used by co-conspirators to carry out their malicious cyber activity.
The FBI previously seized approximately $500,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions.
In addition to these actions, the Department of State announced today a reward offer of up to $10 million for information leading to the location or identification of Rim.
The State Department’s Rewards for Justice program has a standing reward offer for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.
Rim worked for North Korea’s Reconnaissance General Bureau (RGB), a military intelligence agency, and participated in the conspiracy to target and hack computer networks of U.S. hospitals and other health care providers, encrypt their electronic files, extort a ransom payment from them, launder those payments, and use the laundered proceeds to hack targets of interest to the North Korean regime.
The Andariel actors used custom malware, developed by the RGB, known as “Maui.” After running the maui.exe program to encrypt a ransomware victim’s computer network, the North Korean co-conspirators would extort the organization by leaving a note with a cryptocurrency address for a ransom payment.
The Andariel actors received ransom payments in a virtual currency and then laundered the payments with the assistance of Hong Kong-based facilitators.
Rim and his co-conspirators used ransom proceeds to lease virtual private servers that were used to launch attacks against defense, technology, and other organizations, and to steal information from them.
The Andariel actors stole terabytes of information, including unclassified U.S. government employee information, old technical information related to military aircraft, intellectual property, and limited technical information pertaining to maritime and uranium processing projects.
Note: View the indictment here and view cryptocurrency seizure affidavit here.
DOJ Press [Release]
Comments
No comments on this item Please log in to comment by clicking here