Security news that informs and inspires

U.S. Indicts Alleged Member of APT45 for Maui Ransomware Attacks

As part of its ongoing offensive against threat actors backed by the North Korean government, the Department of Justice on Thursday announced an indictment of an alleged member of the APT45 group, which is known for deploying the Maui ransomware and running long-term campaigns against government agencies, health care facilities, and other organizations in the United States and elsewhere.

The indictment accuses Rim Jong Hyok of being a key part of the APT45 team, also known as Andariel, that conducted intrusions against a number of U.S. facilities, including a health care facility in Kansas, where the grand jury indictment was handed down. The group is one of the more active and prolific attack teams associated with the North Korean government, and U.S. officials say that APT45 is aligned with the country’s Reconnaissance General Bureau, its military intelligence arm. APT45 and other North Korean state-sponsored teams are well known for using ransomware, cryptocurrency theft, and other financially focused tactics to support the government’s military operations. As part of the indictment and other actions, the FBI seized about $114,000 in cryptocurrency.

“North Korean hackers developed custom tools to target and extort U.S. health care providers and used their ill-gotten gains to fund a spree of hacks into government, technology, and defense entities worldwide, all while laundering money through China,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division.

“The indictment, seizures, and other actions announced today demonstrate the Department’s resolve to hold these malicious actors accountable, impose costs on the North Korean cyber program, and help innocent network owners recover their losses and defend themselves.”

The indictment of Rim coincides with actions taken by Mandiant and Microsoft to expose the tools and tactics used by APT45 in its intrusions. On Thursday, Mandiant graduated the group to APT status and published details of the malware and tactics the group uses, and Microsoft published its own detailed assessment of the group’s activities, as well. In addition, the FBI, NSA, and other agencies issued an in-depth technical advisory about the group.

The Justice Department alleges that Rim and some of his colleagues used the proceeds from some of their intrusions to fund other attacks.

“Rim and his co-conspirators used ransom proceeds to lease virtual private servers that were used to launch attacks against defense, technology, and other organizations, and to steal information from them. Victims of this further hacking included U.S. defense contractors, two U.S. Air Force bases, NASA-OIG, South Korean and Taiwanese defense contractors, and a Chinese energy company. The Andariel actors obtained initial access to victims’ networks by exploiting known vulnerabilities that had not been patched by the victims, including the widespread Log4Shell vulnerability,” the Justice Department advisory says.

The FBI seized almost $500,000 in cryptocurrency related to Maui ransomware intrusions in 2022, as well.