Thu. Sep 19th, 2024
Occasional Digest - a story for you

The United States indicted North Korean hacker Rim Jong Hyok for cyberattacks targeting defense secrets, the Justice Department said Thursday. Photo courtesy of FBI

July 26 (UPI) — The United States indicted a North Korean hacker for cyberattacks that helped steal military and nuclear secrets and offered a $10 million reward for information about him, multiple agencies announced Thursday.

Rim Jong Hyok was charged for his involvement in a conspiracy to “hack and extort U.S. hospitals and other healthcare providers, launder the ransom proceeds and then use these proceeds to fund additional computer intrusions into defense, technology and government entities worldwide,” the Justice Department said in a statement.

Rim and his co-conspirators allegedly worked for North Korean intelligence agency Reconnaissance General Bureau in a hacker collective known by various names including Andariel, Onyx Sleet and APT45.

According to the indictment, Andariel victimized five healthcare providers, four U.S.-based defense contractors, two U.S. Air Force bases and NASA’s Office of Inspector General.

“The Andariel actors stole terabytes of information, including unclassified U.S. government employee information, old technical information related to military aircraft, intellectual property and limited technical information pertaining to maritime and uranium processing projects,” the Justice Department said.

The operation also infiltrated networks and stole data from Taiwanese and South Korean defense contractors and a Chinese energy company.

Andariel hacked into multiple U.S. hospitals and healthcare providers’ computer networks and encrypted the servers responsible for health records, diagnostics and imaging services, the indictment said. After the attacks, the hackers demanded the victims pay a fee to restore access.

In one case, the group sent a ransom note to a Kansas hospital demanding roughly $100,000 in Bitcoin.

“Otherwise all of your files will be posted in the Internet, which may lead you to loss of reputation and cause the troubles for your business,” the note read. “Please do not waste your time! You have 48 hours only! After that the Main server will double your price.”

“Today’s indictment underscores our commitment to protecting critical infrastructure from malicious actors and the countries that sponsor them,” U.S. Attorney for the District of Kansas Kate Brubacher said. “Rim Jong Hyok and those in his trade put people’s lives in jeopardy. They imperil timely, effective treatment for patients and cost hospitals billions of dollars a year.”

The Justice Department and the FBI also announced the recovery of $114,000 in virtual currency from the ransomware attacks and related money laundering transactions, as well as the seizure of online accounts used by the co-conspirators.

Rim’s last known location was in North Korea, where he worked at the Reconnaissance General Bureau’s offices in Pyongyang and Sinuiju, the indictment said.

On Thursday, the U.S. State Department offered a reward of up to $10 million for information leading to his location or identification.

In addition, U.S., South Korean and British government security agencies released a cybersecurity advisory outlining Andariel’s ransomware tactics and warning that North Korea is conducting a global espionage campaign “to advance the regime’s military and nuclear programs and ambitions.”

It was co-authored by the FBI, the U.S. National Security Agency and cyber agencies, Britain’s National Cyber Security Center and South Korea’s National Intelligence Service.

“The authoring agencies believe the group and the cyber techniques remain an ongoing threat,” the advisory said.

While North Korea remains under heavy international sanctions, it has increasingly turned to hacking and cybertheft in recent years to bankroll its illicit missile and nuclear programs.

Pyongyang funds 40% of its weapons programs through “illicit cybermeans,” the U.N. Security Council’s Panel of Experts estimated in an annual report released in March. The panel said that 58 suspected cyberattacks on cryptocurrency-related companies generated some $3 billion for the regime between 2017 and 2023.

The Treasury Department sanctioned the Reconnaissance General Bureau in 2015, and U.S. officials previously publicized the threat from North Korean hackers targeting hospitals and other healthcare organizations with ransomware.

In 2022, U.S. law enforcement recovered roughly $500,000 in payments made to North Korean hackers by victims including a medical center in Kansas and a healthcare provider in Colorado.