U.S. Department of Justice Indicts North Korean Hacker for Ransomware Attacks
The U.S. Department of Justice (DoJ) has indicted a North Korean military intelligence operative, Rim Jong Hyok, for allegedly conducting ransomware attacks against healthcare facilities in the United States.
On Thursday, prosecutors announced charges accusing Hyok and his co-conspirators of deploying ransomware to extort U.S. hospitals and healthcare companies. According to Paul Abbate, deputy director of the Federal Bureau of Investigation (FBI), “these unacceptable and unlawful actions placed innocent lives at risk”. The U.S. Department of State has announced a reward of up to $10 million for information that could lead to Hyok’s whereabouts.
Connections to North Korean Hackers
Hyok is part of the Andariel hacking crew, which has been linked to various cyber-attacks, including the ransomware strain called Maui. This ransomware was first disclosed in 2022 and targeted organizations in Japan and the U.S. The ransom payments were laundered through Hong Kong-based facilitators, converted into Chinese yuan, and withdrawn from an ATM to procure virtual private servers (VPSes). The targets of the campaign include two U.S. Air Force bases, NASA-OIG, South Korean and Taiwanese defense contractors, and a Chinese energy company.
In one instance, a cyber-attack that began in November 2022 exfiltrated more than 30 gigabytes of data from an unnamed U.S.-based defense contractor. The agencies have also announced the interdiction of approximately $114,000 in virtual currency proceeds from ransomware attacks.
The Reconnaissance General Bureau (RGB) 3rd Bureau, linked with Andariel, has a track record of striking foreign industries. The group’s goal is to obtain sensitive and classified technical information and intellectual property. Its activities have also targeted South Korean educational institutions, construction companies, and manufacturing organizations. The National Security Agency (NSA) has warned that this group poses a threat to various industry sectors worldwide.
The Andariel Hacking Crew
The hacking group conducts follow-on reconnaissance, filesystem enumeration, persistence, privilege escalation, lateral movement, and data exfiltration. It uses a combination of custom backdoors, remote access trojans, off-the-shelf tools, and open-source utilities. The actors skillfully abuse tools and processes already present on the compromised systems, a technique known as living off the land (LotL), which makes their activity harder to distinguish from legitimate administration.
Microsoft has described Andariel as constantly evolving its toolset to add new functionality and implement novel ways to bypass detection. Some of the noteworthy tools highlighted by Microsoft include TigerRAT, SmallTiger, LightHand, ValidAlpha, and Dora RAT. These tools can steal confidential information, carry out commands, and provide remote access to infected devices.
The group has evolved from targeting South Korean financial institutions with disruptive attacks to targeting U.S. healthcare with ransomware, known as Maui, although not at the same scale as Russian-speaking cybercrime groups. The North Korean government and military direct myriad state-sponsored hacking crews, including Andariel, Lazarus Group, BlueNoroff, Kimsuky, and ScarCruft. For decades, North Korea has engaged in illicit revenue generation through criminal enterprises to compensate for the lack of domestic industry.
In conclusion, the U.S. Department of Justice’s indictment and subsequent actions highlight the ongoing effort to combat these threats and protect critical infrastructure from such malicious activity. In recent years, the line between intelligence gathering and revenue generation has blurred, with many of the cyber threat groups operating on behalf of North Korea also engaging in money-making activities. Cybersecurity measures must be robust and continuously updated to mitigate the risks associated with such threats.