In late 2021, news of a critical security flaw in a common piece of computer code swept the globe. This software vulnerability, known as Log4Shell, gave hackers easy access to numerous applications and online services. Reports of cyber espionage surged as bad actors, including foreign governments, exploited Log4Shell to take control of computer networks, leak highly sensitive information, and hold systems for ransom.
One culprit was North Korea’s primary military intelligence agency, the Reconnaissance General Bureau (RGB). Together with law enforcement partners, the NASA Office of Inspector General (OIG) embarked on a high-stakes national security investigation—which led to the indictment of a notorious RGB hacker who leveraged Log4Shell to compromise international government and military organizations.
The Cyber Crimes Division (CCD) within NASA OIG’s Office of Investigations pursues those who threaten government information systems via computer intrusions, website defacements, data theft, malware, and more. CCD also conducts digital forensic examinations, data analysis, data recovery, and other support services. In the last 5 years alone, CCD has initiated over 150 cases, recovering nearly $5 million and leading to 18 criminal indictments.
CCD’s investigation into a Log4Shell compromise at NASA began in early 2022, as the Cybersecurity and Infrastructure Security Agency urged organizations to immediately identify and patch potential vulnerabilities. CCD investigators are experts at probing the circumstances surrounding security compromises to track down wrongdoers. They conduct forensic examinations on affected devices, using clues to trace a cybercriminal’s digital path through the network. Along the way, they search for any data that may have been extracted and transferred to external systems.
In this particular case, investigators retraced the hacker’s steps by sifting through and reordering thousands of snapshots depicting the computer commands used to overtake victims’ operating systems. In doing so, CCD pinpointed a password that allowed them to unlock the encrypted file that the hackers were using to steal data. Once investigators unsealed this secret file, they could see the data that hackers were attempting to exfiltrate.
The malware that the cybercriminals used, dubbed “Maui,” was unlike any malicious code documented in public cybersecurity databases. CCD shared their in-depth analysis with colleagues at the Department of Defense and Federal Bureau of Investigation (FBI), who determined that the hacking tactics pointed to a well-known cyber unit within North Korea’s RGB. This cyber unit, commonly called Andariel, is known by multiple names, including Onyx Sleet, Silent Chollima, and Stonefly. Back in 2019, the Department of the Treasury sanctioned Andariel for its malicious cyber operations affecting foreign businesses, government agencies, financial services, private corporations, and the defense industry.
The FBI is aware of at least one Andariel member who has played a role in this litany of cybercrimes: a North Korean national named Rim Jong Hyok. Based on the information gathered by NASA OIG and law enforcement partners, the FBI and United States Attorney’s Office indicted Rim in July 2024 for his involvement in the Log4Shell hacking and extortion conspiracy.
From roughly May 2021 to April 2023, Rim used Maui and similar ransomware to take advantage of Log4Shell and access critical US infrastructure, including hospitals and healthcare companies. He and his co-conspirators would encrypt the files on computers used for medical testing and records. Victims would then receive an electronic ransom note demanding a Bitcoin payment to regain access to their files.
The RGB hackers used the proceeds from these cyber raids to purchase additional internet servers that allowed them to extract data from government agencies, US military bases, defense contractors, and other entities across South Korea, Taiwan, and China. They stole terabytes of information related to government employees, military aircraft, and intellectual property, as well as maritime and uranium processing projects.
When Rim was indicted in July 2024, the US government had already seized over $600,000 of virtual currency proceeds from the ransomware attacks and related money laundering transactions by Rim and his co-conspirators. Rim remains at large and there is a federal warrant for his arrest. The Department of State is offering up to $10 million for information leading to his location and identification.
“Federal law enforcement agencies play an indispensable role in protecting our national infrastructure from increasingly sophisticated cyber threats that require technical expertise, persistence, and cross-agency collaboration to combat,” said Ryan Pittman, the Special Agent in Charge of CCD. “CCD’s response in this case demonstrated how federal investigators can rapidly mobilize to address critical cybersecurity incidents, help government entities protect vulnerable systems, investigate potential breaches before they escalate into catastrophic data losses, and hold wrongdoers accountable for their crimes.”
To this day, the FBI continues to probe Andariel’s hacking and money laundering schemes. CCD’s award-winning forensic analysis provided crucial information that will continue to inform investigations into the RGB for years to come—safeguarding against malicious cyberattacks and bolstering national security.
If you suspect fraud or misconduct at NASA or its programs, contact OIG investigators via the hotline.