North Korean hackers have been among the major perpetrators of ransomware attacks in recent years, but it appears at least one of these groups is seeking these funds to finance direct espionage campaigns against US military and government sources.
A US federal grand jury has indicted Rim Jong Hyok of North Korea in connection with a 2022 campaign that saw a state-backed threat actor from the country first conduct ransomware attacks against hospitals for profit, then turn those funds to server purchases used to conduct data theft attacks against the US Air Force, NASA and assorted defense contractors. The North Korean hacker has been named as part of the “Andariel” group that has been active for at least a decade.
Funds from ransomware attacks funneled to espionage campaigns through Hong Kong intermediaries
According to a recent CISA advisory, North Korean hackers remain very active in targeting hospitals with ransomware attacks as one of their key sources of funding. But the indictment of Rim refers to one specific campaign in 2022 that involved one of several known APT groups operating with the backing of the North Korean government.
North Korean hackers have pulled off some impressive social engineering feats in recent years, often aimed at DeFi platforms. But Andariel specifically seems to have shifted instead to scanning for known vulnerabilities that remain unpatched, and seems to be finding a lot of material to work with in the health care sector. In total these groups are bringing in hundreds of millions of dollars a year from various victims, and have racked up billions in total over the past 10 years.
This money has long been known to go to general funding of the North Korean government, which labors under crippling economic sanctions. But the indictment highlights the phenomenon of the proceeds of ransomware attacks being turned directly to support for espionage campaigns and data theft from foreign governments, sometimes in an extremely short amount of time.
Indictment of North Korean hacker could prompt further sanctions
The campaign funded by the hospital ransomware attacks was not limited to the US; it also targeted defense contractors based in Singapore and Taiwan. The indictment itself covers a spree that in total targeted 17 organizations across 11 states. After the North Korean hackers hit hospitals, they put the funds toward stealing any information they could about military technology and uranium processing.
In 2022, the North Korean hackers successfully infiltrated four defense contractors, an office of NASA, and two Air Force bases, one in Georgia and one in Texas. All of this took place over a three-month period, illustrating the pace with which the group executes ransomware attacks and then pivots back to its central espionage and data exfiltration mission.
The hackers reportedly stole design information about military vehicles and weapons among other items, though a full accounting of the data loss was not provided. A financial damage total was also not provided for the ransomware attacks on the hospitals, but the CISA advisory did indicate that about $600,000 in payments was recovered by authorities and that victims can expect demands in the hundreds of thousands of dollars.
A $10 million reward has been issued for information leading to Rim’s arrest, but an arrest is extremely unlikely unless he opts to leave North Korea. The indictment more likely serves as part of a foundation for new sanctions against the country, which maintains a complicated web of shell organizations used to evade these restrictions that spans Taiwan, Hong Kong and numerous African countries among other nations.