Jul 19, 2022 - Technology

FBI, DOJ "disrupt" North Korea-backed hackers targeting health sector

U.S. Deputy Attorney General Lisa Monaco speaking in D.C. in May 2022. Photo: Chip Somodevilla/Getty Images

Deputy Attorney General Lisa Monaco said Tuesday that the FBI and Department of Justice recently "disrupted" a ransomware group backed by the North Korean government that targeted U.S. medical facilities.

Why it matters: In one of the group's attacks, Monaco said a Kansas hospital made a $500,000 payment to the cyber group after being hit by ransomware known as “Maui.”

  • She said the FBI and Justice Department were able to recover the entire payment and cryptocurrencies used to launder it "several weeks ago" after tracing the payment through the blockchain.
  • By tracing the payments, law enforcement officials identified accounts used by China-based money launderers who worked with the North Korean hackers. In those accounts, they found potential ransomware payments made by another medical provider in Colorado and overseas victims.
  • The federal agencies also recovered what they believe were ransoms paid by other victims, including the Colorado medical provider.

What they're saying: Monaco disclosed the payment recovery during a speech at the 2022 International Conference on Cyber Security, in which she stressed that organizations should immediately notify the FBI if ransomware groups target them.

  • "Today, we have made public the seizure of those ransom payments, and we are returning the stolen funds to the victims," Monaco said. "In sum, a medical center in Kansas did the right thing at a moment of crisis and called the FBI."
  • "What flowed from that virtuous decision was: the recovery of their ransom payment; the recovery of ransoms paid by previously unknown victims; the identification of a previously unidentified ransomware strain; all from an investigation that allowed the FBI and its partners to release a cybersecurity advisory to empower network defenders everywhere," she added.

The big picture: The U.S. used similar tactics to recover some of the ransom paid by Colonial Pipeline to the DarkSide cybercrime group last year.

Go deeper: North Korean state-sponsored hackers targeting health sector, federal agencies warn
