A grand jury in Kansas City has indicted Rim Jong Hyok, a North Korean intelligence operative who allegedly used ransomware to attack health providers’ systems in the US, according to AP News. The State Department said Rim is part of a group called Andariel that’s controlled by the North Korean intelligence agency, the Reconnaissance General Bureau. Rim is not in the US government’s custody. The agency is now offering a $10 million reward for information that would lead to his location or the location of a foreign operative who “engages in certain malicious cyber activities against US critical infrastructure.”
A Kansas medical center alerted the FBI about an attack that blocked personnel’s access to patient files and lab test results, as well as prevented them from operating hospital equipment with their computers, was back in 2021. It’s a common MO of Rim’s Andariel group, which would infiltrate a computer system and infect it with Maui ransomware. The group would then ask their target for payment and would threaten to release sensitive information if they don’t pay up. In the Kansas hospital’s case, the group demanded a ransom in Bitcoin worth $100,000 within 48 hours. The group allegedly used the money it gets to buy more computers and servers to fund more cyberattacks.
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury issued a joint cybersecurity warning in the midst of Andariel’s attacks on healthcare providers in 2022. “The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” they wrote. Federal investigators said they followed the ransom the Kansas medical center paid across blockchains and found that someone had transferred the Bitcoin to an address belonging to two Hong Kong nationals. Based on the court documents seen by AP, the money was then transferred to a Chinese bank and withdrawn from an ATM in China close to the Sino-Korean Friendship Bridge connecting the country to North Korea.
Andariel and Rim are being accused of infiltrating 17 entities across 11 states, including four defense contractors, two US Air Force bases and NASA. The group was reportedly able to stay in NASA’s computer system for three months and steal 17 gigabytes of classified information. During one of its operations that targeted a US defense contractor in November 2022, the State Department said the group was also able to extract over 30 gigabytes of data that include information on the material used in US military aircraft and satellites.