North Korean Hacker Charged with Cyberattacks on US Hospitals, NASA, and Military Bases

Federal prosecutors announced Thursday that a North Korean military intelligence operative, Rim Jong Hyok, has been indicted in a conspiracy to hack into American healthcare providers, NASA, U.S. military bases, and international entities. The indictment, filed by a grand jury in Kansas City, Kansas, accuses Rim of stealing sensitive information and installing ransomware to fund more attacks. The indictment alleges that Rim laundered the money through a Chinese bank and used it to buy computer servers and finance further cyberattacks on defense, technology, and government entities worldwide.

The indictment alleges that Rim, along with other members of the Andariel Unit of North Korea’s Reconnaissance General Bureau, accessed NASA’s computer system for over three months, extracting over 17 gigabytes of unclassified data. They also infiltrated the computer systems of defense companies in Michigan and California, as well as Randolph Air Force Base in Texas and Robins Air Force Base in Georgia.

The malware used in the attacks allowed the hackers to send stolen information to North Korean military intelligence, advancing the country’s military and nuclear ambitions. Federal prosecutors say the hackers targeted details of fighter aircraft, missile defense systems, satellite communications, and radar systems.

“While North Korea uses these types of cyber crimes to circumvent international sanctions and fund its political and military ambitions, the impact of these wanton acts has a direct impact on the citizens of Kansas,” said Stephen A. Cyrus, an FBI agent based in Kansas City.

Court records do not list an attorney for Rim, who has lived in North Korea and worked at the military intelligence agency’s offices in both Pyongyang and Sinuiju. A reward of up to $10 million has been offered for information leading to Rim or other foreign government operatives who target critical U.S. infrastructure.

The Justice Department has prosecuted multiple cases related to North Korean hacking, often alleging a profit-driven motive that sets the nation’s state-backed hackers apart from those of other governments, which more typically pursue espionage than revenue. In 2021, for instance, the department charged three North Korean computer programmers in a broad range of hacks, including a destructive attack targeting an American movie studio and the attempted theft and extortion of more than $1.3 billion from banks and companies around the world.

In this case, the FBI was alerted by a Kansas medical center that was hit in May 2021. Hackers encrypted the center’s files and servers, blocking access to patient files, laboratory test results, and computers needed to operate hospital equipment. A Colorado healthcare provider was affected by the same Maui ransomware variant.

A ransom note sent to the Kansas hospital demanded Bitcoin payments valued then at about $100,000, to be sent to a cryptocurrency address.

“Otherwise all of your files will be posted in the Internet which may lead you to loss of reputation and cause the troubles for your business,” the note reads. “Please do not waste your time! You have 48 hours only! After that the Main server will double your price.”

Federal investigators said they followed the money on the blockchain: an unnamed co-conspirator transferred the Bitcoin to a virtual currency address belonging to two Hong Kong residents, after which it was converted into Chinese currency and transferred to a Chinese bank. The money was then withdrawn from an ATM in China next to the Sino-Korean Friendship Bridge connecting China and North Korea, according to court records.

In 2022, the Justice Department said the FBI seized approximately $500,000 in ransom payments from the money laundering accounts, including the entire ransom payment from the hospital.

Rim is unlikely to be arrested, so the biggest outcome of the indictment may be sanctions that cripple North Korea’s ability to collect ransoms this way, which could in turn remove the motivation to conduct cyberattacks on entities like hospitals in the future, according to Allan Liska, an analyst with the cybersecurity firm Recorded Future.

“Now, unfortunately, that will force them to do more cryptocurrency theft. So it’s not going to stop their activity. But the hope is that we won’t have hospitals disrupted by ransomware attacks because they’ll know that they can’t get paid,” Liska said.

He also noted that a Chinese entity was among the victims and questioned what the country, which is a major economic partner of North Korea, thinks of being targeted.

“China can’t be too thrilled about that,” he said.