US plans to hunt down North Korean hackers who attacked healthcare, defence networks


Soldiers of a hacking unit backed by the Korean People's Army, during a session. Image Credit: AP

The US is ramping up efforts to track down North Korean hackers responsible for attacking healthcare and defence networks. Recently revealed court documents show that the FBI has seized the contents of numerous email addresses from Google and Yahoo, which are believed to have been used by hackers for their operations.

The FBI has been collecting evidence against a hacking group called Andariel, which is considered a part of the larger North Korean Lazarus group. These hackers have been using US-based tech infrastructure to carry out their attacks, as reported by The Information.

In particular, the FBI targeted 17 Google accounts, 18 Yahoo accounts, and two from IONOS, a company providing email services. As part of the ongoing investigation, US authorities have indicted Rim Jong Hyok for his involvement in these cybercrimes.

The investigation began in May 2021 when hackers attacked a healthcare provider in Chanute, Kansas. They used ransomware to lock down at least four physical servers, making it impossible for employees to access critical systems, including those for X-rays, diagnostic imaging, and the organisation's intranet.

The victim and the FBI identified the malware as Maui ransomware. By July 2022, the FBI, CISA, and the Department of Treasury issued a joint advisory attributing the attacks to North Korean state-sponsored hackers.

The hackers demanded a ransom of 2 Bitcoins, approximately $90,000 at the time, to unlock the compromised systems. After the payment was made on behalf of the healthcare facility, the decryption keys were provided, but the servers remained inaccessible for over a week.

Following this incident, the FBI traced payments through a cryptocurrency exchange, eventually seizing around $500,000 linked to the Maui ransomware.

The extensive investigation uncovered the identities behind the ransomware attacks on the Kansas healthcare organisation and other targets between May 2021 and July 2022. The FBI executed 39 search warrants during this period, as per the report by The Information.

A recently unsealed warrant focused on email accounts allegedly used by the hackers. The hackers had created numerous online accounts, including some with providers offering encrypted services. The FBI identified accounts that had been accessed from IP addresses in North Korea.

An email address found on the locked Kansas systems, ‘[email protected],’ led investigators to ProtonMail, which provided a recovery email linked to the account ‘[email protected].’

Further investigation into this Yahoo account revealed its use by a North Korean hacker for communicating with co-conspirators, planning ransomware attacks, and laundering extorted funds.

Additional search warrants on related email accounts revealed more connections. For example, ‘[email protected]’ was linked to other Gmail accounts accessed by the same device.

The FBI concluded that the cyber actors behind the Maui ransomware campaign are part of Andariel, a subgroup of the Lazarus Group, which is closely tied to the North Korean regime.

On Thursday, the FBI and other agencies issued a new advisory about Andariel’s attacks on defence, aerospace, nuclear, and engineering sectors to obtain sensitive information for North Korea’s military and nuclear programs. The hackers are believed to be working for North Korea’s Reconnaissance General Bureau, the country’s premier intelligence agency.
