US grand jury indicts North Korean hacker for role in Andariel cyberattacks

A Kansas City grand jury has indicted a North Korean hacker for participating in a cyberattack campaign that targeted the U.S. Air Force, NASA and other organizations.

The Justice Department announced the development on Thursday. The indicted hacker, Rim Jong Hyok, is believed to be working for North Korea’s Reconnaissance General Bureau, a military intelligence agency tracked as Andariel by cybersecurity experts. In a report released this week, Google LLC’s cloud unit detailed that Andariel has been carrying out cyber espionage operations since at least 2009.

“This latest action, in collaboration with our partners in the U.S. and overseas, makes clear that we will continue to deploy all the tools at our disposal to disrupt ransomware attacks, hold those responsible to account, and place victims first,” said Deputy Attorney General Lisa Monaco.

The cyberattack campaign over which Rim was charged comprised multiple phases. According to the Justice Department, the first phase saw Rim and his co-conspirators target U.S. healthcare organizations with ransomware attacks. The attacks used a custom piece of malware, dubbed Maui, that encrypts files on infected systems and then displays a note demanding a ransom payment in cryptocurrency.

The second phase of the cyberattack campaign saw the hackers launder their ransomware proceeds. During its investigation, the Justice Department determined that Rim and his co-conspirators had relied on facilitators in Hong Kong to convert their illicitly obtained cryptocurrency into Chinese yuan. Afterwards, the funds were withdrawn from an ATM in China near a bridge to North Korea.

Andariel used the ransomware proceeds to lease virtual private servers for hacking purposes. In this phase of the campaign, Rim and his co-conspirators launched cyberattacks against U.S. defense contractors, two U.S. Air Force bases and the NASA Office of Inspector General, which is responsible for auditing the space agency’s research programs. The hackers also breached the networks of South Korean and Taiwanese defense contractors, as well as a Chinese energy company.

The Justice Department detailed that the hackers gained access to targeted organizations’ infrastructure by exploiting unpatched software vulnerabilities. One of the vulnerabilities they used is Log4Shell, a security flaw in legacy versions of a popular application monitoring tool called Log4j. The flaw, which was discovered about three years ago, is estimated to have been used in hundreds of thousands of cyberattacks to date.

Rim and his co-conspirators downloaded terabytes of data from the networks they breached. The stolen records included unclassified information about U.S. government employees, old data related to military aircraft and limited technical details about maritime and uranium processing projects.

In conjunction with this week’s indictment, the State Department announced a $10 million reward for information leading to the location or identification of Rim.

Source: siliconangle.com