North Korea man indicted in cybersecurity attacks on hospitals, military bases

U.S. attorney Kate Brubacher announces the indictment and reward for Rim Jong Hyok during a July 25, 2024, news conference at the federal courthouse in Kansas City, Kansas. On the right is George Brown, a Department of Justice attorney (Sherman Smith/Kansas Reflector).

KANSAS CITY, Kan. — Federal authorities on Thursday announced the indictment of a North Korea man accused of launching ransomware attacks on hospitals in Kansas and other states, then using the bounty to finance cyber attacks on military bases and defense contractors.

Rim Jong Hyok, a member of North Korea’s military intelligence agency, faces federal charges of conspiracy to hack computers and conspiracy to launder money. Federal authorities are offering up to a $10 million reward for information about Hyok and the cybersecurity attacks.

The FBI’s Kansas City field office led the investigation, which began with a May 2021 ransomware attack against an unnamed Kansas hospital. Hyok’s group, known in the private sector as Andariel, also attacked health care providers in Arkansas, Florida and Colorado, and a health care advocacy group in Connecticut.

The group used the ransom payments to lease virtual private servers that were used to launch attacks on NASA, Randolph Air Force Base in Texas, Robbins Air Force Base in Georgia, and defense companies in California, Michigan, Oregon, Massachusetts, China, Taiwan and South Korea.

In total, the FBI identified 17 victims between May 2021 and March 2023.

“Cybersecurity is critical to the systems and structures that uphold our way of life,” said U.S. attorney Kate Brubacher. “This indictment demonstrates our resolve to use every tool to protect the integrity of American organizations from foreign intrusion.”

Brubacher announced the indictment of Hyok during a news conference at the federal courthouse in Kansas City, Kansas, alongside Stephen Cyrus, special agent in charge of the FBI’s Kansas City field office, and attorneys involved in the case.

Hyok was a member of North Korea’s Reconnaissance General Bureau, a military intelligence agency, and was last known to be living in North Korea.

The group used a previously unseen malware tool called Maui to seize control of the Kansas hospital’s servers and left behind a ransom note that threatened to post “all your files” on the Internet unless a cryptocurrency payment was made.

“Please do not waste your time! You have 48 hours only!” the note said. “After that the Main server will double your price. Let us know if you have any questions.”

The hospital quickly agreed to make the payment, and also contacted the FBI, which began its investigation.

Cyrus said the North Korea group laundered the ransom money it received from hospitals and used the funds to launch attacks on “some of our most sophisticated military weapons systems.”

“Our cyber adversaries use ransomware operations for financial gain, to steal proprietary information from our most advanced tech companies, and disrupt our critical infrastructure,” Cyrus said.

The FBI was able to identify a cryptocurrency account linked to the scheme and recover funds that are in the process of being returned to the victims.

A federal grand jury this week indicted Hyok on the conspiracy charges. The hacking charge would carry a sentence of up to five years, and the money laundering charge would carry a sentence of up to 20 years, according to court records.

The U.S. State Department’s Rewards for Justice program is offering up to $10 million for information leading to the identification of any person, including Hyok, who is acting under the control of a foreign government and engages in malicious cyber activities. Officials said the money is not meant to be a bounty.

“We use every tool in our efforts to fight malware and ransomware attackers, and this is one tool,” said Brubacher, the federal prosecutor. “We are working closely with international partners. And certainly there could be regime change in North Korea. This is one step in pursuing justice against Rim, and borders will not stop us.”

This story was originally published by Kansas Reflector , a States Newsroom affiliate.