A North Korean government hacker, Rim Jong Hyok, was accused of participating in the Maui ransomware attacks on U.S. hospitals and healthcare organizations. The U.S. State Department will give a $10 million reward for any information that would help capture the hacker.
Rim Jong Hyok is a member of the North Korean hacking group called Andariel (APT45). The group began operating in 2009, carrying out activities under the cyber defensive operations of North Korea and mainly attacking military and government employees. The group's main objectives are surveillance and data theft, particularly stealing sensitive defense and technology information. The group additionally performs financially driven ransomware attacks to acquire funds for its cyber campaigns, which include ransomware attacks on U.S. hospitals and healthcare organizations.
A grand jury in a U.S. District Court in the District of Kansas indicted Hyok, who was charged with one count of conspiracy to intentionally transmit a program, information, code, and command to destroy a protected computer with the goal of extorting funds and one count of conspiracy to perform money laundering. Hyok was included in the Most Wanted list of the Federal Bureau of Investigation (FBI).
The charges were associated with Hyok’s participation in Andariel’s hacking operations from May 2021 to April 2023 on critical infrastructure entities, such as hospitals and other healthcare providers. The Andariel hacking group was behind the ransomware attacks on five healthcare organizations, four defense contractors based in the U.S., the Office of Inspector General of the National Aeronautics and Space Administration, and two U.S. Air Force bases. Hyok and other Andariel hackers acquired unauthorized access to those systems, deployed the Maui ransomware, and tried to extort ransom from the victims. The ransom payments were then utilized for funding more malicious cyber attacks against U.S. and foreign defense contractors.
At the healthcare providers that were attacked, the computers and servers used for medical testing and electronic health records were encrypted. The encryption disrupted healthcare services, such as at an unnamed Kansas hospital in 2021. That hospital paid a $100,000 ransom to get back the stolen information. Officials from the Department of Justice and FBI reported that the money was recovered and will be given back to the victim. An attack on a U.S. defense contractor saw the theft of over 30GB of data, including unclassified data regarding satellites and military aircraft.
According to FBI Deputy Director Paul Abbate, Rim Jong Hyok and his co-conspirators used ransomware to attack hospitals and healthcare organizations in the U.S., then laundered the ransom money to fund the illicit activities of North Korea. Because of these unlawful actions, innocent lives are put at risk. The FBI and its partners will use all available tools to counteract criminal actors and keep American citizens safe.
Deputy Attorney General Lisa Monaco said that the current criminal charges against Rim Jong Hyok, one of the alleged North Korean hackers, show the relentless effort against malicious cyber attackers that target critical infrastructure. This recent action, in coordination with partners from the U.S. and other countries, indicates the continuing initiatives to use all the necessary tools to fight ransomware attacks, including HIPAA violations, make the attackers accountable, and prioritize victims.
The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other collaborators in South Korea, the U.S., and the UK issued a joint cybersecurity alert on July 25, 2024, warning that the hacking group poses an ongoing threat to various sectors around the world. Critical infrastructure entities were advised to put in place the mitigations mentioned in the alert.