Justice Department indicts North Korean military hacker for extorting hospitals, health care providers

Officials said they've recovered $600,000 in ransomware funds.

July 25, 2024, 2:55 PM

The Justice Department has charged a North Korean military hacker with allegedly extorting hospitals and health care providers in the U.S. through a cyber espionage campaign.

Rim Jong Hyok, who allegedly works for the North Korean military intelligence agency known as the Reconnaissance General Bureau, targeted hospitals and health care providers with ransomware attacks and then used the proceeds to fund more hacking operations targeting defense technology and government entities, according to DOJ officials.

On May 4, 2021, Hyok gained access to Kansas Hospital and used malware to encrypt the hospital's server, officials said.

"All your important files were encrypted on this computer," the ransom note left on the hospital's servers allegedly said. "If you want to restore your files, you will need to make the payment."

The note threatened to post the files on the internet and said that once the payment was complete, the files would be restored. On May 12, the ransom was paid through Bitcoin.

Hospitals and health care networks targeted by the North Koreans are Arkansas Healthcare Company, Connecticut Healthcare Company, Florida Hospital, and Colorado Medical Clinic. They were left ransom notes similar to what was left on the Kansas Hospital system, according to the indictment.

[Photo: Department of Justice building in Washington D.C., July 12, 2024. Credit: Beata Zawrzel/NurPhoto via Getty Images]

Officials on a call with reporters called the North Korean activity "symbiotic."

"Without the ability to conduct these ransomware operations and receive payments, other cyber operations conducted by DPRK would be difficult to continue," they said.

In April 2022, Hyok used the Log4j vulnerability to gain access to the Michigan Defense Company's computer network for seven months, and the Randolph Air Force Base's network for two weeks.

"The Conspirators extracted nearly a gigabyte of unclassified data," the indictment says.

Hyok also stole data from Robins Air Force Base, the Massachusetts Defense Company, and the Oregon Defense Company.

Officials said the cyber espionage operation by the North Koreans was "successful" and the information that was stolen was "considered sensitive and helpful to the regime."

"We've seen the North Koreans target things like heavy and light tanks and self-propelled howitzers, light strike vehicles and ammunition supply vehicles, modeling and simulation services," the officials said.

An FBI official said they've recovered $600,000 in stolen funds but did not have a total amount that was stolen by the hackers.

Hyok is still in North Korea, according to officials.

The State Department has offered a reward totaling $10 million for any information on the hackers.