US Department of State puts $10 million bounty on North Korean hacker’s head as agencies issue warning about APT45

The US Department of State has offered up a $10 million reward for information that could help them identify or locate a prominent North Korean hacker known as Rim Jong Hyok.

Issued on 25 July, the offer is extended to information leading to the identification or location of any person who had participated in malicious cyber activities against the US while under the direction or control of a foreign government .

Rim is associated with the state-sponsored threat collective APT45, also known as Andariel , Silent Chollima, Onyx Sleet, or DarkSeoul, which is controlled by the DPRK’s military intelligence agency the Reconnaissance General Bureau , according to US officials.

The announcement states Rim and his associates had conspired to compromise the systems used in US hospitals and other healthcare providers, install Maui ransomware on the network, and extort ransoms.

“The ransomware attacks encrypted victims’ computers and servers used for medical testing or electronic medical records and disrupted healthcare services. These malicious cyber actors then used the ransom payments to fund malicious cyber operations targeting U.S. government entities and U.S. and foreign defense contractors, among others,” said the US Department of State.

The reward was announced in tandem with a warning from the UK’s National Cyber Security Centre (NCSC) issuing a warning about the group alongside partners in the US and Republic of Korea.

The warning claimed it had exposed a global cyber espionage campaign carried out by APT45 to further the DPRK’s military and nuclear ambitions.

According to the NCSC, APT45 primarily targets defense, aerospace, nuclear, and engineering entities, as well as organizations in the medical and energy sectors .

The warning accompanied an advisory providing technical details about the group’s techniques, tactics, and procedures, as well as mitigation advice to help defend against the group’s advances.

Paul Chichester, director of operations at the NCSC said the criminal operation exposed in the advisory illustrates how far the North Korean state-backed threat actors are willing to go to pursue geopolitical aims.

“It should remind critical infrastructure operators of the importance of protecting the sensitive information and intellectual property they hold on their systems to prevent theft and misuse,” he added.

“The NCSC, alongside our US and Korean partners, strongly encourage network defenders to follow the guidance set out in this advisory to ensure they have strong protections in place to prevent this malicious activity.”

“One of North Korea’s longest running cyber operators”, APT45’s transition to targeting critical infrastructure

On the same day the Department of State issued its bounty, Google-owned cybersecurity specialist Mandiant released a report taking a closer look at the history and development of the APT45 group.

The report describes the group as a long-running, moderately sophisticated North Korean threat collective that has been carrying out espionage-based cyber attacks since 2009.

Mandiant noted that the group has slowly transitioned into a more financially-motivated operation, asserting the shift reflects the DPRK’s “changing priorities”.

It stated that its analysis showed the group had a clear focus on government agencies and the defense industry from as early as 2017, with concentrated activity on “nuclear issues and energy” from 2019.

The report added that APT45’s interest in ransomware sets it apart from a number of other North Korean cyber gangs reiterating that it is possible the group’s financially-motivated activities are geared not only towards supporting their own operations, but generating funds for other state priorities.

The group is strongly linked to what Mandiant describes as a “distinct genealogy of malware families separate from peer North Korean operators like TEMP.Hermit and APT43.”

Mandiant detailed some of the group’s notable attacks in recent years, revealing it has been targeting a broad range of sectors.

In 2016, for example, Mandiant stated APT45 likely leveraged RIFLE to target South Korean financial organizations, and similarly targeted a South Asian bank with a spear-phishing attack in 2021.

Critical infrastructure has been an increased focus for the group, as noted by the NCSC, and Mandiant underscored this fact, noting that in 2019 APT45 directly targeted nuclear research facilities and power plants such as the Kudankulam nuclear power plant in India.

This marked one of the few publicly known cases of North Korean threat actors targeting critical infrastructure , Mandiant claimed, but since then APT45’s activity against these services has only increased.

In September 2020 the group targeted the crop science division of a multinational corporation, which Mandiant suggested was possibly with the aim of disrupting agricultural production during the COVID-19 pandemic.

Throughout 2021, Mandiant claimed APT45 focused on healthcare and pharmaceutical companies , which it says continued into 2023.

Take control of your data security

Mandiant stated it expects the group’s financially-motivated activity to continue alongside intelligence collection , describing this as a defining characteristic of North Korean cyber operations.

It added that as the DPRK becomes increasingly reliant on its cyber operations as an “instrument of national power”, tracking the activity of APT45 and similar groups may help reveal the shifting priorities of the country’s leadership