American law-enforcement authorities recently disrupted a North Korean state-sponsored hacking campaign that targeted hospitals and other medical facilities in the U.S., a Justice Department operation that included the cryptocurrency seizure of about a half-million dollars in ransom payments, Deputy Attorney General Lisa Monaco said Tuesday.

The disruption and recovery of funds is the latest example of the Biden administration’s strategy to rely less on solely charging foreign hackers who may never see a courtroom and dedicate resources to thwarting cyberattacks before they can do more damage, Ms. Monaco said. The Justice Department on Tuesday unsealed the seizure warrant, and Ms. Monaco said recovered funds would be returned to victims.

“This approach attacks malicious cyber activity from all angles,” Ms. Monaco said during a speech at the International Conference on Cyber Security at Fordham Law School in New York.

Likening the approach to that used for decades to combat terrorism, Ms. Monaco said the focus on disrupting cyberattacks “puts prevention first, takes a victim-centered approach, uses all the tools at our disposal, and focuses on the reporting we receive from private-sector companies, to maximize our ability to take down bad actors—and prevent the next victim.”

U.S. government agencies warned earlier this month in a technical alert that North Korean hackers were targeting hospitals with ransomware strikes, a kind of attack that has more often been linked to criminal hacking groups based in Russia and Eastern Europe. Officials have said North Korea’s regime relies on various forms of hacking to evade sanctions and support investment in its nuclear weapons program.

North Korea has routinely denied U.S. and other Western allegations that it targets other countries with cyberattacks. The North Korean mission to the United Nations didn’t respond to a request for comment.

One of the victims of the campaign—which used a never-before-seen strain of ransomware dubbed Maui—was a Kansas medical facility, Ms. Monaco said, though she didn’t identify it by name. The facility suffered a breach last year in which hackers encrypted the hospital’s servers that were used to store critical data and operate equipment, leaving a ransom note behind and threatening to double the monetary demands within 48 hours, Ms. Monaco said.

Using investigative tools to track crypto-based payments, law-enforcement officials were able to identify China-based money launderers who regularly help North Korean hackers cash out ransom payments into fiat currency, Ms. Monaco said. Additional analysis of blockchain data revealed those accounts held other ransom payments, allowing the Federal Bureau of Investigation to trace the hackers to another medical provider in Colorado as well as potential overseas victims.

The work led to the recovery of the Kansas victim’s ransom and some of the other payments that were discovered, Ms. Monaco said. She didn’t specify how much the hackers had allegedly stolen in total from medical and public-health facilities.

Ransomware more broadly was labeled a top national security threat by President Biden and other senior officials after a Russian-language criminal cyber group attacked Colonial Pipeline last year, leading to the dayslong disabling of the largest conduit of fuel on the U.S. East Coast.

Hospitals and other medical facilities have in recent years become a more tempting target for ransomware criminals, according to officials and private-sector cybersecurity experts, because they are eager to restore life-or-death services and are seen as likely to pay ransoms as a result.

The Kansas hospital attacked last year by the alleged North Korean hackers “faced an impossible choice—give in to the ransom demand or cripple the ability of the doctors and nurses to provide critical care,” Ms. Monaco said. “Left with no real choice, the hospital’s leadership paid the ransom.”

She didn’t identify the size of the ransom paid, but cybersecurity experts who track ransomware have said such sums can often total into the millions of dollars.

Ms. Monaco listed other examples in her speech in which authorities have targeted suspected nation-state hackers with disruptive operations, including an alleged botnet operated by Russian intelligence that was taken down earlier this year before it could be weaponized against Ukraine.

“Each of these actions underscore our clear message to cybercriminals or nation states: if you target the American people, our small businesses, our hospitals, our critical infrastructure—the Justice Department will target you,” Ms. Monaco said.

Speaking later at the same conference, FBI Director Chris Wray and Gen. Paul Nakasone, who leads the National Security Agency and U.S. Cyber Command, said the ransomware campaign reflected Pyongyang’s priority to use cyberattacks to earn cash.

“North Korea, in many ways, is a cyber-criminal syndicate posing as a nation-state,” Mr. Wray said. Mr. Nakasone added that North Korea hasn’t demonstrated itself as a threat to U.S. elections the way other adversaries—namely Russia, Iran or China—have in past election cycles.

North Korea would be a threat “if they could generate revenue from it,” Gen. Nakasone said.

Write to Dustin Volz at

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
