A Kansas City grand jury has indicted Rim Jong Hyok, a North Korean intelligence agent who allegedly used ransomware to attack the systems of health care providers in the United States, according to AP News. The State Department said Rim is part of a group called Andariel that is controlled by North Korea's intelligence agency, the Reconnaissance General Bureau. Rim is not in the custody of the U.S. government. The State Department is now offering a $10 million reward for information leading to his location or the location of a foreign agent “engaging in certain malicious cyber activities against critical U.S. infrastructure.”
In 2021, a Kansas medical center alerted the FBI to an attack that blocked staff from accessing patient files and lab test results and prevented them from operating hospital equipment with their computers. It’s a common modus operandi for Rim’s Andariel group, which infiltrates a computer system and infects it with the Maui ransomware. The group then demands payment from its target and threatens to reveal sensitive information if the target doesn’t pay. In the case of the Kansas hospital, the group demanded a ransom in bitcoin worth $100,000 within 48 hours. The group allegedly used the money it made to buy more computers and servers to fund further cyberattacks.
The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Treasury Department issued a joint cybersecurity warning amid Andariel attacks on healthcare providers in 2022. “North Korean state-sponsored cyber actors likely assume that healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” they wrote. Federal investigators said they followed the ransom paid by the Kansas medical center through blockchains and discovered that someone had transferred the bitcoin to an address belonging to two Hong Kong citizens. According to court documents viewed by AP, the money was then transferred to a Chinese bank and withdrawn from an ATM in China near the Sino-Korean Friendship Bridge that connects the country with North Korea.
Andariel and Rim are accused of infiltrating 17 entities in 11 states, including four defense contractors, two U.S. Air Force bases, and NASA. The group was reportedly able to remain in NASA’s computer system for three months and steal 17 gigabytes of classified information. During one of their operations targeting a U.S. defense contractor in November 2022, the State Department said the group was also able to extract more than 30 gigabytes of data including information about the material used in U.S. military aircraft and satellites.