Category: MIL-OSI

Source: United States Department of Justice Criminal Division

On July 18, the U.S. District Court for the District of Maryland entered default judgments for the United States totaling $26,341,951.38 against Patrick Britton-Harr and multiple laboratory companies owned by him for violations of the False Claims Act. The court entered these judgments after Britton-Harr and his companies failed to defend against the United States’ allegations.

In its complaint, filed on July 18, 2023, the United States alleged that Patrick Britton-Harr owned and operated Provista Health, LLC as well as multiple other corporate entities that sought to profit from the unfolding COVID-19 pandemic by offering COVID-19 tests to nursing homes as a way to bill Medicare for a wide array of medically unnecessary respiratory pathogen panel (RPP) tests. The complaint alleged that these RPP tests were not medically necessary because the beneficiaries had no symptoms of a respiratory illness and because the tests were for uncommon respiratory pathogens.

The complaint also alleged that Britton-Harr and Provista Health submitted claims for RPP tests that were never ordered by physicians and sometimes for RPP tests that were never performed, including over 300 claims that stated that the nasal swab test sample was supposedly collected from the beneficiary on a date after the beneficiary had died. 

Also on July 18, 2023, the United States filed an application for prejudgment remedies under the Federal Debt Collection Procedures Act seeking to attach and garnish certain financial assets of Britton-Harr and to obtain financial discovery from him to help ensure funds would be available to satisfy a judgment in favor of the United States. Despite a court order prohibiting Britton-Harr from selling his house in Annapolis without approval from the court, he sold the house on Sept. 23, 2023, for $575,000 and dissipated the financial proceeds from the sale. On March 4, the court granted the United States’ motion to hold Britton-Harr in civil contempt for violating this order and ordered him to deposit $575,000 with the court’s registry.

“The Justice Department remains committed to holding accountable individuals and entities who took advantage of the COVID-19 pandemic to defraud the American taxpayers,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “We will continue to pursue those who attempt to thwart justice by ignoring lawsuits, dissipating assets and violating court orders.”

“The exploitation of federal health care programs designed to help the elderly and disabled during a national crisis is absolutely inexcusable,” said U.S. Attorney Erek L. Barron for the District of Maryland. “Regardless their methods, we will hold accountable those who defraud such programs for personal gain.” 

“It’s clear that Patrick Britton-Harr thought he could defraud the government by taking advantage of a global pandemic and never face the consequences. The extent of his fraud and abuse is astounding. He took critical resources away from our healthcare system and cost taxpayers their hard-earned money,” said Special Agent in Charge William J. DelBagno of the FBI Baltimore Field Office. “This investigation proves the FBI and our federal partners will continue to investigate and bring fraudsters like Britton-Harr to justice no matter how long it takes.”

“Taking advantage of Medicare beneficiaries and the COVID-19 pandemic to line companies’ pockets is unacceptable,” said Special Agent in Charge Maureen Dixon of the Department of Health and Human Services Office of the Inspector General (HHS-OIG). “HHS-OIG, the Justice Department and our other law enforcement partners work tirelessly to ensure that only legitimate products and services actually provided will be paid for by federal health insurance programs.”

The United States’ pursuit of this lawsuit illustrates the government’s emphasis on combating healthcare fraud. One of the most powerful tools in this effort is the False Claims Act. Tips and complaints from all sources about potential fraud, waste, abuse and mismanagement can be reported to HHS at 800‑HHS‑TIPS (800-447-8477).  

The Civil Division’s Commercial Litigation Branch, Fraud Section, and the U.S. Attorney’s Office for the District of Maryland handled the matter.

HHS-OIG and the FBI are providing investigative support.

Trial Attorneys Jonathan Hoerner and Vincent Vaccarella of the Civil Division’s Fraud Section and Assistant U.S. Attorney/Deputy Civil Chief Tarra DeShields for the District of Maryland are handling the case.

Source: United States Department of Justice Criminal Division

Note: View the indictment here and view cryptocurrency seizure affidavit here.

A grand jury in Kansas City, Kansas, returned an indictment on Wednesday charging North Korean national Rim Jong Hyok for his involvement in a conspiracy to hack and extort U.S. hospitals and other health care providers, launder the ransom proceeds, and then use these proceeds to fund additional computer intrusions into defense, technology, and government entities worldwide. Their ransomware attacks prevented victim health care providers from providing full and timely care to patients.

“Two years ago, the Justice Department disrupted the North Korean group using Maui ransomware to hold hostage U.S. hospitals and health care providers,” said Deputy Attorney General Lisa Monaco. “Today’s criminal charges against one of those alleged North Korean operatives demonstrates that we will be relentless against malicious cyber actors targeting our critical infrastructure. This latest action, in collaboration with our partners in the U.S. and overseas, makes clear that we will continue to deploy all the tools at our disposal to disrupt ransomware attacks, hold those responsible to account, and place victims first.”

“Rim Jong Hyok and his co-conspirators deployed ransomware to extort U.S. hospitals and health care companies, then laundered the proceeds to help fund North Korea’s illicit activities,” said Deputy Director Paul Abbate of the FBI. “These unacceptable and unlawful actions placed innocent lives at risk. The FBI and our partners will leverage every tool available to neutralize criminal actors and protect American citizens.”

“North Korean hackers developed custom tools to target and extort U.S. health care providers and used their ill-gotten gains to fund a spree of hacks into government, technology, and defense entities worldwide, all while laundering money through China,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division. “The indictment, seizures, and other actions announced today demonstrate the Department’s resolve to hold these malicious actors accountable, impose costs on the North Korean cyber program, and help innocent network owners recover their losses and defend themselves.”

“Today’s indictment underscores our commitment to protecting critical infrastructure from malicious actors and the countries that sponsor them,” said U.S. Attorney Kate E. Brubacher for the District of Kansas. “Rim Jong Hyok and those in his trade put people’s lives in jeopardy. They imperil timely, effective treatment for patients and cost hospitals billions of dollars a year. The Justice Department will continue to disrupt nation-state actors and ensure that American systems are protected in the District of Kansas and across our nation.”

“The Air Force Office of Special Investigations (OSI) will continue to work alongside our law enforcement partners to root out malicious actors who seek to degrade the Department of the Air Force’s ability to protect the nation,” said Commander Brigadier General Amy S. Bumgarner of OSI. “Multiple OSI units, including one of our newly established National Security Detachments, which were established to provide counterintelligence, law enforcement and analytical support to protect technology at the earliest stages of advanced research and development, provided support to this investigation.”

“While North Korea uses these types of cybercrimes to circumvent international sanctions and fund its political and military ambitions, the impact of these wanton acts have a direct impact on the citizens of Kansas,” said Special Agent in Charge Stephen A. Cyrus of the FBI Kansas City Field Office. “These actions keep our families from getting the health care they need, slowing the response of our first responders, endangering our critical infrastructure and, ultimately, costing Kansans through ransoms paid, lost productivity, and money spent to rebuild our networks following cyber attacks. Today’s charges prove these cyber actors cannot act with impunity and that malicious actions against the citizens of Kansas and the rest of the United States have severe consequences.”

“The indictment of individuals responsible for breaching U.S. government systems, regardless of their location, demonstrates the dedication of the National Aeronautics and Space Administration Office of Inspector General (NASA-OIG), the Justice Department, and our law enforcement partners to relentlessly investigate, prosecute, and hold accountable those who believe they can operate in the shadows,” said Assistant Inspector General for Investigations Robert Steinau of NASA-OIG.

According to court documents, Rim and his co-conspirators worked for North Korea’s Reconnaissance General Bureau, a military intelligence agency, and are known to the private sector as “Andariel,” “Onyx Sleet,” and “APT45.” Rim and his co-conspirators laundered ransom payments through China-based facilitators and used these proceeds to purchase internet infrastructure, which the co-conspirators then used to hack and exfiltrate sensitive defense and technology information from entities across the globe. Victims of this further hacking include two U.S. Air Force bases, NASA-OIG, and entities located in Taiwan, South Korea, and China. Related Andariel activity has been the subject of private sector reporting, and a cybersecurity advisory with updated technical indicators of compromise was published by the FBI, the National Security Agency, U.S. Cyber Command’s Cyber National Mission Force, the Department of the Treasury, the Department of Defense’s Cyber Crime Center, the Cybersecurity and Infrastructure Security Administration, and South Korean and United Kingdom partners today.

The Justice Department and the FBI are also announcing the interdiction of approximately $114,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions, as well as the seizure of online accounts used by co-conspirators to carry out their malicious cyber activity. The FBI previously seized approximately $500,000 in virtual currency proceeds of ransomware attacks and related money laundering transactions. In addition to these actions, the Department of State announced today a reward offer of up to $10 million for information leading to the location or identification of Rim. The State Department’s Rewards for Justice program has a standing reward offer for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act.

Private sector partners are also taking other voluntary actions to limit the spread of Andariel-created malware. In partnership with the Department, Microsoft developed and implemented technical measures to block Andariel actors from accessing victims’ computer networks. Additionally, Mandiant is publishing research today that highlights its unique insights into Andariel’s tactics, techniques, and procedures. These actions by Microsoft and Mandiant were a significant part of the overall effort to secure networks, and they will help cybersecurity practitioners prevent, identify, and mitigate attacks from Andariel actors.

Maui Ransomware and Money Laundering

As alleged in the indictment, Rim worked for North Korea’s Reconnaissance General Bureau (RGB), a military intelligence agency, and participated in the conspiracy to target and hack computer networks of U.S. hospitals and other health care providers, encrypt their electronic files, extort a ransom payment from them, launder those payments, and use the laundered proceeds to hack targets of interest to the North Korean regime.

The Andariel actors used custom malware, developed by the RGB, known as “Maui.” After running the maui.exe program to encrypt a ransomware victim’s computer network, the North Korean co-conspirators would extort the organization by leaving a note with a cryptocurrency address for a ransom payment.

The Andariel actors received ransom payments in a virtual currency and then laundered the payments with the assistance of Hong Kong-based facilitators. In at least one case, these Hong Kong facilitators converted ransom funds from cryptocurrency to Chinese yuan. The yuan was then accessed from an ATM in China in the immediate vicinity of the Sino-Korean Friendship Bridge, which connects Dandong, China, and Sinuiju, North Korea.

Exfiltration of Sensitive Data from Companies and Government Agencies

Rim and his co-conspirators used ransom proceeds to lease virtual private servers that were used to launch attacks against defense, technology, and other organizations, and to steal information from them. Victims of this further hacking included U.S. defense contractors, two U.S. Air Force bases, NASA-OIG, South Korean and Taiwanese defense contractors, and a Chinese energy company. The Andariel actors obtained initial access to victims’ networks by exploiting known vulnerabilities that had not been patched by the victims, including the widespread Log4Shell vulnerability. (Additional tactics, techniques, and procedures are available in the joint cybersecurity advisory released today.) The Andariel actors stole terabytes of information, including unclassified U.S. government employee information, old technical information related to military aircraft, intellectual property, and limited technical information pertaining to maritime and uranium processing projects.

Assistant U.S. Attorneys Ryan Huschka and Chris Oakley for the District of Kansas and Trial Attorneys Neeraj Gupta and George Brown of the National Security Division’s National Security Cyber Section are prosecuting the case.

The FBI continues to investigate Andariel’s hacking and money laundering activities. The Air Force Office of Special Investigations, the Department of Defense Cyber Crime Center, and NASA-OIG provided valuable assistance.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt.

View previous joint cybersecurity advisories from CISA here.

View previous joint cybersecurity advisories from Department of Defense here.

View previous cryptocurrency seizure announcement here.

Source: United States Department of Justice Criminal Division

A federal grand jury in Houston returned an indictment today charging an Indian national with selling and shipping tens of thousands of dollars’ worth of counterfeit oncology pharmaceuticals into the United States.  

According to court documents, Sanjay Kumar, 43, of Bihar, India, and his co-conspirators allegedly arranged for the sale and shipment of fake, counterfeit versions of oncology pharmaceuticals—including Keytruda—to individuals in the United States. Genuine Keytruda is a cancer immunotherapy that is approved in the United States for 19 different indications, including to treat certain types of melanoma, lung cancer, head and neck cancer, Hodgkin lymphoma, gastric cancer, cervical cancer, and breast cancer. Merck Sharp & Dohme LLC, formerly known as Merck Sharp & Dohme Corp., has the exclusive right to authorize the manufacture of Keytruda for introduction into interstate commerce.

Kumar was arrested on June 26 in Houston after traveling to the United States to conduct further negotiations aimed at expanding his business selling fake Keytruda in the U.S. market.

Kumar is charged with one count of conspiracy to traffic in counterfeit drugs and four counts of trafficking in counterfeit drugs. If convicted, he faces a maximum penalty of 20 years in prison on each count.

Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division; U.S. Attorney Alamdar Hamdani for the Southern District of Texas; Special Agent in Charge Mark Dawson of Homeland Security Investigations (HSI) Houston; and Special Agent in Charge Charles Grinstead of the Food and Drug Administration’s (FDA) Office of Criminal Investigations, Kansas City Field Office made the announcement.

HSI and the FDA investigated the case.

Trial Attorneys Jeff Pearlman and Bryce Rosenbower of the Criminal Division’s Computer Crime and Intellectual Property Section and Assistant U.S. Attorney Jay Hileman for the Southern District of Texas are prosecuting the case.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.