KANSAS CITY, Kan. — A North Korean military intelligence operative has been indicted for orchestrating a conspiracy to hack into U.S. healthcare providers, NASA, U.S. military installations, and other international organizations. This operation involved stealing sensitive data and deploying ransomware to finance further cyberattacks, according to recent announcements by federal prosecutors.
The indictment, resulting from a grand jury in Kansas City, Kansas, charges Rim Jong Hyok with laundering funds through a Chinese bank, which were then used to acquire computer servers and facilitate additional cyberattacks on global defense, technology, and government sectors.
The attacks on U.S. hospitals disrupted patient care. Rim is accused of targeting 17 entities across 11 U.S. states, including NASA and several military installations, and also defense and energy companies in China, Taiwan, and South Korea.
For more than three months, Rim and other members of North Korea's Andariel unit held unauthorized access to NASA systems and extracted more than 17 gigabytes of unclassified information. They also broke into computer systems belonging to defense contractors in Michigan and California, as well as Randolph Air Force Base in Texas and Robins Air Force Base in Georgia.
The malware used by Rim's group let them send stolen information back to North Korean military intelligence in support of the regime's military and nuclear programs. A senior FBI official said the group sought sensitive information about fighter aircraft, missile defense, satellite communications, and radar systems.
“North Korea employs these cybercrimes to evade international sanctions and finance its political and military goals, directly impacting citizens,” stated a local FBI agent.
Online court records list no attorney for Rim, who is known to have lived in North Korea and worked for its military intelligence agency. A reward of up to $10 million is being offered for information leading to his capture, or for information on other foreign operatives targeting critical U.S. infrastructure.
The Justice Department has brought multiple cases against North Korean hackers, often noting that, unlike most state-sponsored hackers elsewhere, they are frequently motivated by profit. In 2021 the department charged three North Korean programmers over a string of high-profile intrusions, including a destructive attack on an American movie studio.
In this recent case, the FBI was informed by a Kansas medical center that suffered a cyberattack in May 2021, where hackers encrypted vital files and blocked access to patient records and essential hospital systems. The same ransomware variant also affected a Colorado healthcare provider.
A ransom note left on the Kansas hospital's systems demanded roughly $100,000 in Bitcoin, to be sent to a specified cryptocurrency address, and warned that failure to pay would result in the public release of sensitive files.
Federal investigators traced the funds on the blockchain and found that a co-conspirator had moved the Bitcoin to a virtual currency address linked to two Hong Kong residents; the funds were then converted into Chinese currency and laundered through a Chinese bank.
In 2022, the Justice Department reported the seizure of approximately $500,000 in ransom payments, including a ransom linked to the hospital attack.
Although Rim is unlikely to be arrested, experts say the indictment could support sanctions that make it harder for North Korea to collect ransoms, reducing the incentive to attack targets such as hospitals.
Analysts nonetheless expect North Korea to lean more heavily on cryptocurrency theft for funding. The case also raises the question of how China will respond, since Chinese entities were among the victims.
This situation brings to light the persistent global threat posed by state-sponsored cyberattacks and the ongoing need for enhanced cybersecurity measures across critical infrastructure.