Washington – North Korean hackers are suspected of targeting several US hospitals and healthcare systems with ransomware as part of an illegal plan to finance a covert information exfiltration campaign against American military and scientific entities, federal investigators revealed.
The international hacking campaign began in May 2021, when a hacking group linked to North Korea’s military intelligence agency – the Reconnaissance General Bureau (RGB) – launched a ransomware attack against a Kansas hospital. The malware locked users out of X-ray and diagnostic imaging systems and electronic document management servers, prosecutors said in a newly unsealed indictment. Hackers also targeted hospitals, clinics and medical facilities in Arkansas, Connecticut, Florida and Colorado, as well as manufacturing companies in South Korea.
Rim Jong Hyok of North Korea is the only defendant charged as part of the alleged conspiracy. Investigators said Rim and co-conspirators, part of the hacking group Andariel, held the hospital’s computer system hostage until the administrator paid a Bitcoin ransom. In exchange, the hackers gave the hospital the decryption key to unlock the server.
The State Department is offering a $10 million reward for information leading to the location of Rim or other members of the malicious cyber group.
The FBI says it has seized online accounts used by conspirators to carry out nefarious activities, with a total of $600,000 in virtual currency from ransomware attacks – which will be returned to ransomware victims.
A new cybersecurity advisory warns state-sponsored cyber groups “mainly target defense, aerospace, nuclear, and engineering entities to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.”
Prosecutors alleged North Korean cybercriminals carried out a campaign against healthcare companies in Connecticut and Arkansas, a Florida hospital, and a Colorado medical clinic at various points in 2022. The attacks forced some of these healthcare providers to cancel patient appointments, and the hackers demanded the same kind of cryptocurrency payments.
Investigators said they tracked Bitcoin payments to various accounts, including one controlled by an unnamed individual living in Hong Kong.
According to charging documents, North Korean hackers targeted hospitals and health care companies for ransomware and then used ransom payments to buy internet servers to attack US, South Korean and Chinese government entities.
In February 2022, prosecutors said the hacking group allegedly gained access to NASA computer systems for more than three months and stole more than 17 gigabytes of unclassified data from the Office of the Inspector General, an independent body that oversees NASA’s compliance with government regulations.
In April of that year, Andariel allegedly hacked into computer systems used at Randolph Air Force Base in Texas and extracted unclassified data from servers there.
Beginning in November 2022, a North Korean group allegedly gained access to a defense contracting company based in Massachusetts and took 30 gigabytes of data “including unclassified technical information about material used in military aircraft and satellites, much of it from 2010 or earlier,” according to the indictment.
“We have seen (hackers) target information related to fighter jets and unmanned aerial vehicles, missile and missile defense systems, surveillance radars, and other radar systems,” a senior FBI official told reporters Thursday. “In nuclear, (we’ve seen hackers target) uranium processing and nuclear power plant enrichment, and in engineering, shipbuilding, marine engineering, robotics, additive manufacturing, and 3D printing processes and technologies.”
Defense companies in Taiwan and South Korea were also victims of the hackers, who were active last year, investigators said.
Britain’s National Cyber Security Centre warned Thursday that Andariel is targeting organizations around the world to steal technical information and classified intellectual property, in some cases launching ransomware attacks and hacking operations on the same day.