The U.S. Department of Justice has indicted three North Korean computer programmers for their alleged participation in widespread, destructive cyberattacks as part of the advanced persistent threat (APT) known as Lazarus Group. The indictment broadens the scope of crimes that the DoJ has linked to Lazarus Group (and by extension, to North Korea).
The feds also announced that an alleged Lazarus Group accomplice, a Canadian-American citizen now in custody, is planning to plead guilty to money laundering.
The three main suspects, all for now believed by the FBI to be residing in North Korea and remaining beyond the range of U.S. law enforcement, are wanted in connection with a range of alleged crimes. These include the 2017 WannaCry cyberattacks; the 2014 data breach of Sony Pictures Entertainment; stealing and extorting more than $1.3 billion of money and cryptocurrency from financial institutions and companies; creating espionage-focused malware; and developing and fraudulently marketing a blockchain platform that was also used for espionage.
The hacking indictment filed in the U.S. District Court in Los Angeles, unsealed Wednesdaty, alleges that Jon Chang Hyok, Kim Il, and Park Jin Hyok are all members of the Reconnaissance General Bureau (RGB), the military intelligence agency of the Democratic People’s Republic of Korea (DPRK). It alleges that specifically, the three are members of a well-known RGB arm tasked with cybercrime, known as Lazarus Group or APT38.
Park was previously charged in a U.S. criminal complaint unsealed in September 2018, wherein the feds charged him in the hacking of Sony Pictures, WannaCry and also the costly 2016 SWIFT attack on the Bangladesh central bank.
“Today’s unsealed indictment expands upon the FBI’s 2018 charges for the unprecedented cyberattacks conducted by the North Korean regime,” said the FBI Deputy Director Paul Abbate. “The ongoing targeting, compromise, and cyber-enabled theft by North Korea from global victims was met with the outstanding, persistent investigative efforts of the FBI in close collaboration with U.S. and foreign partners.”
Alleged Lazarus Group Crimes
The indictment alleges that the three and Lazarus Group in general was behind a broad array of criminal cyberactivities. Here’s a rundown:
Sony Pictures Entertainment Hack, 2014. In retaliation for “The Interview,” a movie that depicted a fictional assassination of the DPRK’s leader, the hacking of Sony Pictures and AMC Theatres. The DoJ also said they were suspected to be involved in the 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
Cyber-Enabled SWIFT Bank Heists, 2015-2019. Attempts from to steal more than $1.2 billion from banks in African nations, Bangladesh, Malta, Mexico and Taiwan, by hacking the banks’ internal SWIFT communications, used for intra-bank transfers.
Spear-Phishing Campaigns, 2016-2020. Multiple spear-phishing campaigns targeting U.S. aerospace companies, defense contractors, energy companies, technology companies, the U.S. Department of Defense and the U.S. Department of State.
Marine Chain Token and ICO, 2017-2018. Development and marketing of the Marine Chain Token to enable investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.
Ransomware and Cyber-Enabled Extortion, 2017-2020. Creation of the destructive WannaCry 2.0 ransomware in May 2017, and ongoing ransomware attacks through last year involving the theft of sensitive data.
Cryptocurrency Heists, 2017-2020: Targeting of hundreds of cryptocurrency companies, including stealing $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August, in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.
Cyber-Enabled ATM Cash-Out Thefts, 2018. Thefts through ATM cash-out schemes – including $6.1 million stolen from BankIslami Pakistan Limited (BankIslami).
Malicious Cryptocurrency Applications, 2018-2020. Development of fake cryptocurrency applications from March 2018 through at least last September, which were actually backdoors for espionage.
This “AppleJeus” family of malware includes applications called Ants2Whale, Celas Trade Pro, CoinGo Trade, CryptoNeuro Trader, Dorusio, iCryptoFx, Kupay Wallet, Union Crypto Trader and WorldBit-Bot.
“As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said Assistant Attorney General John Demers of the Justice Department’s National Security Division, in a statement issued on Wednesday. “The Department will continue to confront malicious nation state cyber activity with our unique tools and work with our fellow agencies and the family of norms abiding nations to do the same.”
In addition to the criminal charges, the U.S. Attorney’s Office and FBI also obtained seizure warrants authorizing the FBI to seize $1.9 million in cryptocurrency stolen by the perpetrators belonging to a financial services company in New York. The money is held at two cryptocurrency exchanges.
An Accomplice Pleads Guilty
Meanwhile, a Canadian-American citizen has agreed to plead guilty in a case filed in District Court in Los Angeles, in conjunction with the ATM cash-out operations and a cyber-enabled bank heist. Ghaleb Alaumary of Mississauga, Ontario admitted that he played a role as a money launderer for the North Korean APT.
“Alaumary was a prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes and other online fraud schemes,” according to the indictment. “Alaumary organized teams of co-conspirators in the United States and Canada to launder millions of dollars obtained through ATM cash-out operations, including from BankIslami and a bank in India in 2018.”
The indictment also accuses Alaumary of conspiring with Ramon Olorunwa Abbas, a.k.a. “Ray Hushpuppi,” and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019. Last summer, the U.S. Attorney’s Office in Los Angeles charged Abbas in a separate case alleging that he conspired to launder hundreds of millions of dollars from BEC frauds and other scams.
Alaumary has agreed to plead guilty to one count of conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison.
North Korean Hackers Still at Large
Jon, Kim, and Park are charged with one count each of conspiracy to commit computer fraud and abuse, which carries a maximum sentence of five years in prison, and one count of conspiracy to commit wire fraud and bank fraud, which carries a maximum sentence of 30 years in prison.
They remain at large and all three are believed to be in North Korea, according to the FBI.
Is your small- to medium-sized business an easy mark for attackers?
Threatpost WEBINAR: Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.