Office of Public Affairs North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting US Hospitals and Health Care Providers United States Department of Justice
pAn official website of the United States governmentppHeres how you knowpp
Official websites use gov
A gov website belongs to an official government organization in the United States
pp
Secure gov websites use HTTPS
A lock
Lock
A locked padlock
or https means youve safely connected to the gov website Share sensitive information only on official secure websites
ppArchived NewsppPara Notícias en EspañolppNote View the indictment here and view cryptocurrency seizure affidavit hereppA grand jury in Kansas City Kansas returned an indictment on Wednesday charging North Korean national Rim Jong Hyok for his involvement in a conspiracy to hack and extort US hospitals and other health care providers launder the ransom proceeds and then use these proceeds to fund additional computer intrusions into defense technology and government entities worldwide Their ransomware attacks prevented victim health care providers from providing full and timely care to patientsppTwo years ago the Justice Department disrupted the North Korean group using Maui ransomware to hold hostage US hospitals and health care providers said Deputy Attorney General Lisa Monaco Todays criminal charges against one of those alleged North Korean operatives demonstrates that we will be relentless against malicious cyber actors targeting our critical infrastructure This latest action in collaboration with our partners in the US and overseas makes clear that we will continue to deploy all the tools at our disposal to disrupt ransomware attacks hold those responsible to account and place victims firstppRim Jong Hyok and his coconspirators deployed ransomware to extort US hospitals and health care companies then laundered the proceeds to help fund North Koreas illicit activities said Deputy Director Paul Abbate of the FBI These unacceptable and unlawful actions placed innocent lives at risk The FBI and our partners will leverage every tool available to neutralize criminal actors and protect American citizensppNorth Korean hackers developed custom tools to target and extort US health care providers and used their illgotten gains to fund a spree of hacks into government technology and defense entities worldwide all while laundering money through China said Assistant Attorney General Matthew G Olsen of the Justice Departments National Security Division The indictment seizures and other actions announced today demonstrate the Departments resolve to hold these malicious actors accountable impose costs on the North Korean cyber program and help innocent network owners recover their losses and defend themselvesppTodays indictment underscores our commitment to protecting critical infrastructure from malicious actors and the countries that sponsor them said US Attorney Kate E Brubacher for the District of Kansas Rim Jong Hyok and those in his trade put peoples lives in jeopardy They imperil timely effective treatment for patients and cost hospitals billions of dollars a year The Justice Department will continue to disrupt nationstate actors and ensure that American systems are protected in the District of Kansas and across our nationppThe Air Force Office of Special Investigations OSI will continue to work alongside our law enforcement partners to root out malicious actors who seek to degrade the Department of the Air Forces ability to protect the nation said Brigadier General Amy S Bumgarner OSI Commander Multiple OSI units including one of our newly established National Security Detachments which were established to provide counterintelligence law enforcement and analytical support to protect technology at the earliest stages of advanced research and development provided support to this investigationppWhile North Korea uses these types of cybercrimes to circumvent international sanctions and fund its political and military ambitions the impact of these wanton acts have a direct impact on the citizens of Kansas said Special Agent in Charge Stephen A Cyrus of the FBI Kansas City Field Office These actions keep our families from getting the health care they need slowing the response of our first responders endangering our critical infrastructure and ultimately costing Kansans through ransoms paid lost productivity and money spent to rebuild our networks following cyber attacks Todays charges prove these cyber actors cannot act with impunity and that malicious actions against the citizens of Kansas and the rest of the United States have severe consequencesppThe indictment of individuals responsible for breaching US government systems regardless of their location demonstrates the dedication of the National Aeronautics and Space Administration Office of Inspector General NASAOIG the Justice Department and our law enforcement partners to relentlessly investigate prosecute and hold accountable those who believe they can operate in the shadows said Assistant Inspector General for Investigations Robert Steinau of NASAOIGppAccording to court documents Rim and his coconspirators worked for North Koreas Reconnaissance General Bureau a military intelligence agency and are known to the private sector as Andariel Onyx Sleet and APT45 Rim and his coconspirators laundered ransom payments through Chinabased facilitators and used these proceeds to purchase internet infrastructure which the coconspirators then used to hack and exfiltrate sensitive defense and technology information from entities across the globe Victims of this further hacking include two US Air Force bases NASAOIG and entities located in Taiwan South Korea and China Related Andariel activity has been the subject of private sector reporting and a cybersecurity advisory with updated technical indicators of compromise was published by the FBI the National Security Agency US Cyber Commands Cyber National Mission Force the Department of the Treasury the Department of Defenses Cyber Crime Center the Cybersecurity and Infrastructure Security Administration and South Korean and United Kingdom partners todayppThe Justice Department and the FBI are also announcing the interdiction of approximately 114000 in virtual currency proceeds of ransomware attacks and related money laundering transactions as well as the seizure of online accounts used by coconspirators to carry out their malicious cyber activity The FBI previously seized approximately 500000 in virtual currency proceeds of ransomware attacks and related money laundering transactions In addition to these actions the Department of State announced today a reward offer of up to 10 million for information leading to the location or identification of Rim The State Departments Rewards for Justice program has a standing reward offer for information leading to the identification or location of any person who while acting at the direction or under the control of a foreign government engages in certain malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse ActppPrivate sector partners are also taking other voluntary actions to limit the spread of Andarielcreated malware In partnership with the Department Microsoft developed and implemented technical measures to block Andariel actors from accessing victims computer networks Additionally Mandiant is publishing research today that highlights its unique insights into Andariels tactics techniques and procedures These actions by Microsoft and Mandiant were a significant part of the overall effort to secure networks and they will help cybersecurity practitioners prevent identify and mitigate attacks from Andariel actorsppMaui Ransomware and Money LaunderingppAs alleged in the indictment Rim worked for North Koreas Reconnaissance General Bureau RGB a military intelligence agency and participated in the conspiracy to target and hack computer networks of US hospitals and other health care providers encrypt their electronic files extort a ransom payment from them launder those payments and use the laundered proceeds to hack targets of interest to the North Korean regimeppThe Andariel actors used custom malware developed by the RGB known as Maui After running the mauiexe program to encrypt a ransomware victims computer network the North Korean coconspirators would extort the organization by leaving a note with a cryptocurrency address for a ransom paymentppThe Andariel actors received ransom payments in a virtual currency and then laundered the payments with the assistance of Hong Kongbased facilitators In at least one case these Hong Kong facilitators converted ransom funds from cryptocurrency to Chinese yuan The yuan was then accessed from an ATM in China in the immediate vicinity of the SinoKorean Friendship Bridge which connects Dandong China and Sinuiju North KoreappExfiltration of Sensitive Data from Companies and Government AgenciesppRim and his coconspirators used ransom proceeds to lease virtual private servers that were used to launch attacks against defense technology and other organizations and to steal information from them Victims of this further hacking included US defense contractors two US Air Force bases NASAOIG South Korean and Taiwanese defense contractors and a Chinese energy company The Andariel actors obtained initial access to victims networks by exploiting known vulnerabilities that had not been patched by the victims including the widespread Log4Shell vulnerability Additional tactics techniques and procedures are available in the joint cybersecurity advisory released today The Andariel actors stole terabytes of information including unclassified US government employee information old technical information related to military aircraft intellectual property and limited technical information pertaining to maritime and uranium processing projectsppAssistant US Attorneys Ryan Huschka and Chris Oakley for the District of Kansas and Trial Attorneys Neeraj Gupta and George Brown of the National Security Divisions National Security Cyber Section are prosecuting the caseppThe FBI continues to investigate Andariels hacking and money laundering activities The Air Force Office of Special Investigations the Department of Defense Cyber Crime Center and NASAOIG provided valuable assistanceppAn indictment is merely an allegation All defendants are presumed innocent until proven guilty beyond a reasonable doubtpp ppView previous joint cybersecurity advisories from CISA hereppView previous joint cybersecurity advisories from Department of Defense hereppView previous cryptocurrency seizure announcement hereppPatrick Dai 22 formerly a junior at Cornell University and originally from Pittsford New York was sentenced today to 21 months in prison followed by three years of supervised releaseppBulgarian national Milan Dimitrov 50 made his initial appearance in a federal court in San Antonio today after being extradited from GreeceppArthur Petrov 33 a dual Russian and German national made his initial appearance in federal court today following his extradition from the Republic of Cyprus for criminal offenses related toppOffice of Public Affairs
US Department of Justice
950 Pennsylvania Avenue NW
Washington DC 20530ppOffice of Public Affairs Direct Line
2025142007ppDepartment of Justice Main Switchboard
2025142000ppSignup for Email Updates
Social MediappppHave a question about Government Servicesp
Official websites use gov
A gov website belongs to an official government organization in the United States
pp
Secure gov websites use HTTPS
A lock
Lock
A locked padlock
or https means youve safely connected to the gov website Share sensitive information only on official secure websites
ppArchived NewsppPara Notícias en EspañolppNote View the indictment here and view cryptocurrency seizure affidavit hereppA grand jury in Kansas City Kansas returned an indictment on Wednesday charging North Korean national Rim Jong Hyok for his involvement in a conspiracy to hack and extort US hospitals and other health care providers launder the ransom proceeds and then use these proceeds to fund additional computer intrusions into defense technology and government entities worldwide Their ransomware attacks prevented victim health care providers from providing full and timely care to patientsppTwo years ago the Justice Department disrupted the North Korean group using Maui ransomware to hold hostage US hospitals and health care providers said Deputy Attorney General Lisa Monaco Todays criminal charges against one of those alleged North Korean operatives demonstrates that we will be relentless against malicious cyber actors targeting our critical infrastructure This latest action in collaboration with our partners in the US and overseas makes clear that we will continue to deploy all the tools at our disposal to disrupt ransomware attacks hold those responsible to account and place victims firstppRim Jong Hyok and his coconspirators deployed ransomware to extort US hospitals and health care companies then laundered the proceeds to help fund North Koreas illicit activities said Deputy Director Paul Abbate of the FBI These unacceptable and unlawful actions placed innocent lives at risk The FBI and our partners will leverage every tool available to neutralize criminal actors and protect American citizensppNorth Korean hackers developed custom tools to target and extort US health care providers and used their illgotten gains to fund a spree of hacks into government technology and defense entities worldwide all while laundering money through China said Assistant Attorney General Matthew G Olsen of the Justice Departments National Security Division The indictment seizures and other actions announced today demonstrate the Departments resolve to hold these malicious actors accountable impose costs on the North Korean cyber program and help innocent network owners recover their losses and defend themselvesppTodays indictment underscores our commitment to protecting critical infrastructure from malicious actors and the countries that sponsor them said US Attorney Kate E Brubacher for the District of Kansas Rim Jong Hyok and those in his trade put peoples lives in jeopardy They imperil timely effective treatment for patients and cost hospitals billions of dollars a year The Justice Department will continue to disrupt nationstate actors and ensure that American systems are protected in the District of Kansas and across our nationppThe Air Force Office of Special Investigations OSI will continue to work alongside our law enforcement partners to root out malicious actors who seek to degrade the Department of the Air Forces ability to protect the nation said Brigadier General Amy S Bumgarner OSI Commander Multiple OSI units including one of our newly established National Security Detachments which were established to provide counterintelligence law enforcement and analytical support to protect technology at the earliest stages of advanced research and development provided support to this investigationppWhile North Korea uses these types of cybercrimes to circumvent international sanctions and fund its political and military ambitions the impact of these wanton acts have a direct impact on the citizens of Kansas said Special Agent in Charge Stephen A Cyrus of the FBI Kansas City Field Office These actions keep our families from getting the health care they need slowing the response of our first responders endangering our critical infrastructure and ultimately costing Kansans through ransoms paid lost productivity and money spent to rebuild our networks following cyber attacks Todays charges prove these cyber actors cannot act with impunity and that malicious actions against the citizens of Kansas and the rest of the United States have severe consequencesppThe indictment of individuals responsible for breaching US government systems regardless of their location demonstrates the dedication of the National Aeronautics and Space Administration Office of Inspector General NASAOIG the Justice Department and our law enforcement partners to relentlessly investigate prosecute and hold accountable those who believe they can operate in the shadows said Assistant Inspector General for Investigations Robert Steinau of NASAOIGppAccording to court documents Rim and his coconspirators worked for North Koreas Reconnaissance General Bureau a military intelligence agency and are known to the private sector as Andariel Onyx Sleet and APT45 Rim and his coconspirators laundered ransom payments through Chinabased facilitators and used these proceeds to purchase internet infrastructure which the coconspirators then used to hack and exfiltrate sensitive defense and technology information from entities across the globe Victims of this further hacking include two US Air Force bases NASAOIG and entities located in Taiwan South Korea and China Related Andariel activity has been the subject of private sector reporting and a cybersecurity advisory with updated technical indicators of compromise was published by the FBI the National Security Agency US Cyber Commands Cyber National Mission Force the Department of the Treasury the Department of Defenses Cyber Crime Center the Cybersecurity and Infrastructure Security Administration and South Korean and United Kingdom partners todayppThe Justice Department and the FBI are also announcing the interdiction of approximately 114000 in virtual currency proceeds of ransomware attacks and related money laundering transactions as well as the seizure of online accounts used by coconspirators to carry out their malicious cyber activity The FBI previously seized approximately 500000 in virtual currency proceeds of ransomware attacks and related money laundering transactions In addition to these actions the Department of State announced today a reward offer of up to 10 million for information leading to the location or identification of Rim The State Departments Rewards for Justice program has a standing reward offer for information leading to the identification or location of any person who while acting at the direction or under the control of a foreign government engages in certain malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse ActppPrivate sector partners are also taking other voluntary actions to limit the spread of Andarielcreated malware In partnership with the Department Microsoft developed and implemented technical measures to block Andariel actors from accessing victims computer networks Additionally Mandiant is publishing research today that highlights its unique insights into Andariels tactics techniques and procedures These actions by Microsoft and Mandiant were a significant part of the overall effort to secure networks and they will help cybersecurity practitioners prevent identify and mitigate attacks from Andariel actorsppMaui Ransomware and Money LaunderingppAs alleged in the indictment Rim worked for North Koreas Reconnaissance General Bureau RGB a military intelligence agency and participated in the conspiracy to target and hack computer networks of US hospitals and other health care providers encrypt their electronic files extort a ransom payment from them launder those payments and use the laundered proceeds to hack targets of interest to the North Korean regimeppThe Andariel actors used custom malware developed by the RGB known as Maui After running the mauiexe program to encrypt a ransomware victims computer network the North Korean coconspirators would extort the organization by leaving a note with a cryptocurrency address for a ransom paymentppThe Andariel actors received ransom payments in a virtual currency and then laundered the payments with the assistance of Hong Kongbased facilitators In at least one case these Hong Kong facilitators converted ransom funds from cryptocurrency to Chinese yuan The yuan was then accessed from an ATM in China in the immediate vicinity of the SinoKorean Friendship Bridge which connects Dandong China and Sinuiju North KoreappExfiltration of Sensitive Data from Companies and Government AgenciesppRim and his coconspirators used ransom proceeds to lease virtual private servers that were used to launch attacks against defense technology and other organizations and to steal information from them Victims of this further hacking included US defense contractors two US Air Force bases NASAOIG South Korean and Taiwanese defense contractors and a Chinese energy company The Andariel actors obtained initial access to victims networks by exploiting known vulnerabilities that had not been patched by the victims including the widespread Log4Shell vulnerability Additional tactics techniques and procedures are available in the joint cybersecurity advisory released today The Andariel actors stole terabytes of information including unclassified US government employee information old technical information related to military aircraft intellectual property and limited technical information pertaining to maritime and uranium processing projectsppAssistant US Attorneys Ryan Huschka and Chris Oakley for the District of Kansas and Trial Attorneys Neeraj Gupta and George Brown of the National Security Divisions National Security Cyber Section are prosecuting the caseppThe FBI continues to investigate Andariels hacking and money laundering activities The Air Force Office of Special Investigations the Department of Defense Cyber Crime Center and NASAOIG provided valuable assistanceppAn indictment is merely an allegation All defendants are presumed innocent until proven guilty beyond a reasonable doubtpp ppView previous joint cybersecurity advisories from CISA hereppView previous joint cybersecurity advisories from Department of Defense hereppView previous cryptocurrency seizure announcement hereppPatrick Dai 22 formerly a junior at Cornell University and originally from Pittsford New York was sentenced today to 21 months in prison followed by three years of supervised releaseppBulgarian national Milan Dimitrov 50 made his initial appearance in a federal court in San Antonio today after being extradited from GreeceppArthur Petrov 33 a dual Russian and German national made his initial appearance in federal court today following his extradition from the Republic of Cyprus for criminal offenses related toppOffice of Public Affairs
US Department of Justice
950 Pennsylvania Avenue NW
Washington DC 20530ppOffice of Public Affairs Direct Line
2025142007ppDepartment of Justice Main Switchboard
2025142000ppSignup for Email Updates
Social MediappppHave a question about Government Servicesp
