North Korean chap charged for attacks on US hospitals, NASA

The US Department of Justice on Thursday charged a North Korean national over a series of ransomware attacks on stateside hospitals and healthcare providers, US defense companies, NASA, and even a Chinese target.

An indictment [PDF] named Rim Jong Hyok as a participant in "a conspiracy to hack and extort US hospitals and other health care providers, launder the ransom proceeds, and then use these proceeds to fund additional computer intrusions into defense, technology, and government entities worldwide."

Rim allegedly used malware developed at North Korea's top military intelligence outfit – the Reconnaissance General Bureau (RGB) – which the indictment states runs a cyber unit that's been identified variously as Andariel, Onyx Sleet, and Silent Chollima. Andariel is known to have targeted ERP systems, Onyx Sleet has gone after DevOps environments, and Silent Chollima is linked to deployments of the Maui ransomware.

That's the nastyware Rim is said to have had a hand in deploying against targets including eight US-based healthcare organizations. Andariel also managed to exfiltrate data from the NASA Office of Inspector General, four US-based defense companies, and two US Air Force bases.

The gang also attacked in other nations. The indictment mentions a pair of South Korean defense companies as targets, as well as a South Korean manufacturer. Even a Chinese energy company became a target – an oddity, given North Korea depends on the People's Republic for patronage and resources.

The indictment alleges that the accused laundered ransoms in China, then used the proceeds to buy infrastructure used to conduct more heists around the world – including the exfiltration raids mentioned above.

The Justice Department and the FBI announced they have interdicted "approximately $114,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions" and seized online accounts used by co-conspirators in this case.

But they can't seize Rim – his whereabouts, and current identity, are unknown. Uncle Sam has stumped up a $10 million reward for info that allows authorities to track him down.

Microsoft and Mandiant weigh in

On the same day as the indictment was revealed, Microsoft and Mandiant published their view of how Andariel does its dirty deeds.

Microsoft believes the crew has operated since 2014 and uses "an extensive set of custom tools and malware" that it regularly evolves.

"Onyx Sleet's ability to develop a spectrum of tools to launch its tried-and-true attack chain makes it a persistent threat, particularly to targets of interest to North Korean intelligence, like organizations in the defense, engineering, and energy sectors," in Microsoft's estimation.

Among its arsenal: custom backdoors named LightHand and BlackRAT that allow execution of commands on remote target devices. The gang also develops custom malware such as the Dora RAT malware deployed in May this year to target South Korean organizations.

Beyond its custom tools, the gang targets well-known problems like the Log4J flaw and Atlassian's Confluence improper authorization vulnerability.

Mandiant uses the name "APT45" to describe the crew, alleges it's been active since 2009, and notes that some of its reported exploits are linked to the notorious Lazarus Group.

"APT45 and activity clusters suspected of being linked to the group are strongly associated with a distinct genealogy of malware families separate from peer North Korean operators like TEMP.Hermit and APT43," Mandiant asserted, before noting that the group is North Korea's most frequently observed targeter of critical infrastructure.

The indictment was filed in the United States District Court for the District of Kansas – a reflection of the fact that a Kansas hospital is the first-named victim.

"While North Korea uses these types of cyber crimes to circumvent international sanctions and fund its political and military ambitions, the impact of these wanton acts has a direct impact on the citizens of Kansas," declared special agent in charge Stephen A Cyrus of the FBI Kansas City Field Office, in a canned quote. "These actions keep our families from getting the healthcare they need, slowing the response of our first responders, endangering our critical infrastructure and, ultimately, costing Kansans through ransoms paid, lost productivity, and money spent to rebuild our networks following cyber attacks."

Cyrus added that the charges unveiled Thursday "prove these cyber actors cannot act with impunity and that malicious actions against the citizens of Kansas and the rest of the United States have severe consequences."

Or not. Given that Rim can't be found, a trial will have no consequences. What's more, Mandiant and Microsoft both believe that Andariel has retained the ability to maraud. ®

Source: theregister.com