A North Korean hacker responsible for a trail of massive damage to hospitals and the US military has been unmasked, as a federal grand jury has indicted Rim Jong Hyok in a 2022 string of thefts of data from the US government and ransomware attacks in the healthcare sector.
Working with “unnamed co-conspirators,” the North Korean hacker financed these operations by targeting hospitals with ransomware attacks. The proceeds from ransom payments were then used to break into networks at two Air Force bases, four US defense contractors and NASA’s inspector general office, among other targets.
North Korean hacker targeted string of high-profile victims
Rim and other North Korean hackers were ultimately seeking design information about military vehicles and weapons as well as materials related to uranium processing, also targeting defense contractors in Singapore and Taiwan for this purpose. But as is common with North Korea’s state-sponsored hacking groups, they used cyber crime to raise money. In this case, the hackers were particularly focused on ransomware attacks targeting vulnerable hospitals and patient care facilities thought to be readily pressured into making a payment. In total the group is accused of targeting 17 organizations across 11 states.
The indictment states that the North Korean hackers broke into the networks of Randolph Air Force Base in Texas and Robins Air Force Base in Georgia, along with NASA and four unnamed defense contractors over a three-month period in 2022. The group also reportedly targeted an energy company in China, something of a surprise given the “special relationship” between the two countries and that the extorted funds were reportedly laundered through a Chinese bank.
The North Korean hackers are allegedly direct members of the “Andariel Unit” of the country’s Reconnaissance General Bureau military intelligence agency, rather than the sort of civilian contractors that the Chinese government sometimes turns to (and that also sometimes moonlight in ransomware attacks and general cyber crime for profit). Rim is believed to still be in North Korea. A $10 million bounty has been issued for information that could lead to his capture, though that will likely not come into play unless he opts to ever leave the country. While these indictments almost never lead to arrests, they can be used as a foundation to deploy new sanctions against the country.
Targeting foreign hospitals has become something of a major funding source and “go-to” for North Korean hackers, who went on a similar spree of ransomware attacks in 2021 that also drew indictments for three of the country’s nationals. That cluster of attacks involved the Maui ransomware and impacted patient care at hospitals in Colorado and Kansas.
State-sponsored NK hackers responsible for some record-setting ransomware attacks
The news of Rim’s indictment was accompanied by a new joint cybersecurity advisory from CISA and other agencies issued on July 25, warning that multiple groups of state-sponsored North Korean hackers are highly active and continue to be focused on healthcare organizations as their primary target. These groups have also been behind recent ransomware attacks in Japan and India.
While criminal hackers have mostly shifted to phishing, social engineering and spraying stolen credentials as their preferred way into target systems, the North Korean hackers are noted for scanning for known vulnerabilities (such as Log4j) and pursuing targets that are behind on their patching. The CISA advisory notes that the Andariel group does not seem to have a good command of English and frequently leaves major typos in its malware and logged commands. This suggests hands-on, unscripted operation, but it also gives defenders a way to identify the group, since it tends to repeat the same mistakes (e.g. “Microsoft Cooperation” in a number of different samples).
The agencies have not provided a total of financial damage from the ransomware attacks, but did indicate that they were able to claw back a total of about $600,000 in ransom payments and have returned the money to its rightful owners. From what information is available, the North Korean hackers seem to demand hundreds of thousands of dollars in ransom from the healthcare organizations that they hit.
Along with other groups, most notably Lazarus, North Korean hackers have been responsible for a great deal of the money lost to ransomware attacks in recent years. Since 2017 these groups have collectively raked in at least several billion dollars from their criminal activities, and have had “banner years” recently in stealing hundreds of millions in crypto by targeting decentralized finance platforms. Security analysts have noted that the North Korean hackers are more reckless and brazen than their peers, likely because they have no fear at all of being identified or caught; while criminal groups in Russia enjoy a great deal of leeway so long as they stick to foreign targets, on occasion they do cross lines with their activity and see domestic law enforcement action against them.
Erich Kron, Security Awareness Advocate at KnowBe4, notes that the North Korean hackers have used a combination of phishing and vulnerability exploitation over their long history and that heavily targeted organizations must be ready for both approaches: “It is no surprise that the lure of the big dollar payouts from ransomware attacks has enticed the North Korean government to start playing the game. Due to the significant number of sanctions placed on North Korea, they have become quite adept with cyberattacks, helping them to fund their operations. In addition to attacks for financial gain, they are taking advantage of the modern form of espionage through cyberattacks. No longer do spies have to keep a microfilm camera in their shoes, risking interception and prosecution; information can now be stolen by people on an entirely different continent while sitting in an air-conditioned room, without putting anyone at risk. Because we store so much information digitally, it’s important that organizations ensure the data they process and store is protected against exfiltration. Because of the lifesaving nature of hospitals and medical facilities, they have been a target for ransomware actors for some time now. If successful, healthcare organizations face huge hurdles and may end up being unable to provide lifesaving services to their patients. Because the stakes are so high, and because time is such a critical component in healthcare, attackers know that the likelihood that the victims will pay is relatively high.”
“Defending against ransomware is not easy; however, the risk of a successful infection can be significantly reduced by training employees how to spot phishing attacks, employing good endpoint protection, having good, isolated backups, and having good data leakage prevention controls in place. Because email phishing is responsible for a large majority of successful cyberattacks, it makes sense that organizations should help their employees learn to defend themselves. Data leakage prevention controls can help stop the theft of intellectual property or other sensitive information from the network, reducing the amount of leverage they have when demanding a ransom, and well-tested immutable backups can help an organization recover and be back online quickly,” advised Kron.