North Korean charged in cyberattacks on US hospitals, NASA and military bases

KANSAS CITY, Kan. -- A North Korean military intelligence operative has been indicted in a conspiracy to hack into American health care providers, NASA, U.S. military bases and international entities, stealing sensitive information and installing ransomware to fund more attacks, federal prosecutors announced Thursday.

The indictment of Rim Jong Hyok by a grand jury in Kansas City, Kansas, accuses him of laundering the money through a Chinese bank and then using it to buy computer servers and fund more cyberattacks on defense, technology and government entities around the world.

The hacks on American hospitals and other health care providers disrupted the treatment of patients, officials said. He's accused of targeting 17 entities across 11 U.S. states, including NASA and U.S. military bases, as well as defense and energy companies in China, Taiwan and South Korea.

For more than three months, Hyok and other members of the Andariel Unit of North Korea's Reconnaissance General Bureau had access to NASA’s computer system, extracting over 17 gigabytes of unclassified data, the indictment says. They also reached inside computer systems for defense companies in Michigan and California, as well as Randolph Air Force base in Texas and Robins Air Force base in Georgia, authorities say.

The malware enabled the state-sponsored Andariel group to send stolen information to North Korean military intelligence, furthering the country’s military and nuclear aspirations, federal prosecutors said. They've gone after details of fighter aircraft, missile defense systems, satellite communications and radar systems, a senior FBI official said.

“While North Korea uses these types of cyber crimes to circumvent international sanctions and fund its political and military ambitions, the impact of these wanton acts have a direct impact on the citizens of Kansas,” said Stephen A. Cyrus, an FBI agent based in Kansas City.

Online court records do not list an attorney for Hyok, who has lived in North Korea and worked at the military intelligence agency’s offices in both Pyongyang and Sinuiju, according to court records. A reward of up to $10 million has been offered for information that could lead to him or other foreign government operatives who target critical U.S. infrastructure.

The Justice Department has prosecuted multiple cases related to North Korean hacking, often alleging a profit-driven motive that sets the nation's cybercriminals apart from hackers in Russia and China. In 2021, for instance, the department charged three North Korean computer programmers in a broad range of hacks including a destructive attack targeting an American movie studio and the attempted theft and extortion of more than $1.3 billion from banks and companies around the world.

In this case, the FBI was alerted by a Kansas medical center that was hit in May 2021. Hackers had encrypted its files and servers, blocking access to patient files, laboratory test results and computers needed to operate hospital equipment. A Colorado health care provider was affected by the same Maui ransomware variant.

A ransom note sent to the Kansas hospital demanded Bitcoin payments valued then at about $100,000, to be sent to a cryptocurrency address.

“Otherwise all of your files will be posted in the Internet which may lead you to loss of reputation and cause the troubles for your business,” the note reads. “Please do not waste your time! You have 48 hours only! After that the Main server will double your price.”

Federal investigators said they traced blockchains to follow the money: An unnamed co-conspirator transferred the Bitcoin to a virtual currency address belonging to two Hong Kong residents before it was converted into Chinese currency and transferred to a Chinese bank. The money was then accessed from an ATM in China next to the Sino-Korean Friendship Bridge connecting China and North Korea, according to court records.

In 2022, the Justice Department said the FBI seized approximately $500,000 in ransom payments from the money laundering accounts, including the entire ransom payment from the hospital.

An arrest of Hyok is unlikely, so the biggest outcome of the indictment is that it may lead to sanctions that could cripple the ability of North Korea to collect ransoms this way, which could in turn remove the motivation to conduct cyber attacks on entities like hospitals in the future, according to Allan Liska, an analyst with the cybersecurity firm Recorded Future.

“Now, unfortunately, that will force them to do more cryptocurrency theft. So it’s not going to stop their activity. But the hope is that we won’t have hospitals disrupted by ransomware attacks because they’ll know that they can’t get paid,” Liska said.

He also noted that a Chinese entity was among the victims and questioned what the country, which is an ally of North Korea, thinks of being targeted.

“China can’t be too thrilled about that,” he said.

__

Goldberg reported from Minneapolis. Hollingsworth reported from Mission, Kansas. Associated Press reporter Alanna Durkin Richer contributed from Washington, D.C.