The indictment, unveiled on July 25, 2024, in Kansas City, Kansas, details Hyok’s involvement in stealing sensitive information and deploying ransomware to fund further cyberattacks.
Rim Jong Hyok is accused of laundering money through a Chinese bank, using the proceeds to acquire computer servers and finance additional cyberattacks targeting defense, technology, and government entities globally. The indictment highlights his connection to the Andariel Unit of North Korea’s Reconnaissance General Bureau, a state-sponsored group responsible for these malicious activities.
The cyberattacks on American hospitals and healthcare providers disrupted patient care, underscoring the severe impact of such crimes on public health. Prosecutors allege that Hyok targeted 17 entities across 11 U.S. states, including NASA and U.S. military bases. Defense and energy companies in China, Taiwan, and South Korea were also among the victims. Over three months, Hyok and his team infiltrated NASA’s computer systems, extracting over 17 gigabytes of unclassified data. They also accessed systems of defense companies in Michigan and California and breached Randolph Air Force Base in Texas and Robins Air Force Base in Georgia.
The malware used by the Andariel Unit enabled them to transmit stolen information to North Korean military intelligence, aiding the country’s military and nuclear ambitions. The stolen data included details of fighter aircraft, missile defense systems, satellite communications, and radar systems, according to a senior FBI official.
Stephen A. Cyrus, an FBI agent based in Kansas City, emphasized that North Korea uses cybercrimes to circumvent international sanctions and fund its political and military goals. The impact of these attacks is felt directly by citizens, as evidenced by the disruption of hospital operations in Kansas and other states.
A reward of up to $10 million has been offered for information leading to his capture or that of other foreign operatives targeting U.S. infrastructure.
The Justice Department has a history of prosecuting North Korean hackers. In 2021, three North Korean programmers were charged with a range of cybercrimes, including an attack on an American movie studio and the attempted theft and extortion of over $1.3 billion from banks and companies worldwide.
The FBI’s involvement in this case began when a Kansas medical center reported a ransomware attack in May 2021.
Hackers had encrypted the hospital’s files and servers, blocking access to patient records and critical equipment. A ransom note demanded Bitcoin payments, threatening to leak the files online if the demands were not met. Investigators traced the Bitcoin transactions to two Hong Kong residents, eventually converting the funds to Chinese currency and transferring them to a Chinese bank. The money was accessed from an ATM near the Sino-Korean Friendship Bridge.
In 2022, the Justice Department announced the seizure of approximately $500,000 in ransom payments, including the entire ransom paid by the Kansas hospital. While Hyok’s arrest is unlikely, the indictment may lead to sanctions that could hinder North Korea’s ability to collect ransoms, potentially reducing the motivation for future attacks on critical infrastructure.
Cybersecurity analyst Allan Liska from Recorded Future notes that although sanctions may not stop North Korea’s cyber activities entirely, they could deter attacks on hospitals by making ransom payments more difficult to collect. This incident also raises questions about China’s stance on being targeted by its ally, North Korea.
