Washington — North Korean hackers allegedly targeted a number of U.S. hospitals and healthcare systems with ransomware as part of an illegal scheme to fund a covert information exfiltration campaign against American military and scientific entities, federal investigators revealed Thursday.
The international hacking campaign began in May 2021, when a hacking group tied to North Korea’s military intelligence agency — Reconnaissance General Bureau (RGB) — launched a ransomware attack against a Kansas hospital. The malware locked users out of X-ray and diagnostic imaging systems and electronic document management servers, prosecutors alleged in a newly unsealed indictment. Hackers also targeted hospitals, clinics and medical facilities in Arkansas, Connecticut, Florida and Colorado, as well as a manufacturing company in South Korea.
Rim Jong Hyok of North Korea was the only named defendant charged as part of the alleged conspiracy. Investigators said Rim and his co-conspirators, part of the hacking group Andariel, held the hospital’s computer system hostage until administrators paid a Bitcoin ransom. In exchange, the hackers gave the hospital decryption keys to unlock the servers.
The State Department is offering a $10 million reward for information leading to the location of Rim or other members of the malicious cyber group.
The FBI says it has seized online accounts used by co-conspirators to carry out their malicious activities, clawing back over $600,000 total in virtual currency proceeds from the ransomware attacks — which will be returned to ransomware victims.
A new cybersecurity advisory warns the state-sponsored cyber group “primarily targets defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambition.”
Prosecutors alleged the North Korean cybercriminals carried out campaigns against healthcare companies in Connecticut and Arkansas, a Florida hospital, and a Colorado medical clinic at various points in 2022. The attacks forced some of those healthcare providers to cancel patient appointments and demanded similar cryptocurrency payments.
Investigators said they tracked the Bitcoin payments to various accounts including those controlled by unnamed individuals living in Hong Kong.
According to the charging documents, the North Korean hackers targeted hospitals and healthcare companies to extort them with ransomware and then used the ransom payments to buy internet servers to attack U.S., South Korean and Chinese government entities.
Prosecutors said that by February 2022 the hacking group had allegedly gained access to NASA’s computer system, maintaining that access for over three months and stealing over 17 gigabytes of unclassified data from the Office of the Inspector General, an independent body that monitors NASA’s compliance with government rules.
In April of that year, Andariel allegedly hacked into a computer system used at Randolph Air Force Base in Texas and extracted unclassified data from servers there.
Beginning in November 2022, the North Korean group allegedly gained access to a defense contracting company based in Massachusetts and took 30 gigabytes of data “including unclassified technical information about material used in military aircraft and satellites, much of which was from 2010 or earlier,” according to the indictment.
“We’ve seen [hackers] target information related to fighter aircraft and unmanned aerial vehicles, missile and missile defense systems, surveillance radar, and other radar systems,” a senior FBI official told reporters Thursday. “In nuclear, [we’ve seen hackers target] uranium processing and enrichment nuclear power plants, and in engineering, shipbuilding, marine engineering, robot machinery, additive manufacturing, and 3D printing machining processes and technology.”
Defense companies in Taiwan and South Korea were also victims of the hackers, who were active as recently as last year, investigators said.
The United Kingdom’s National Cyber Security Centre warned Thursday that Andariel is targeting organizations across the globe to steal classified technical information and intellectual property, in some cases launching ransomware attacks and hacking operations on the same day.