The Department of Justice has unsealed an indictment against three members of Lazarus Group for a wide range of financially-motivated hacks against private businesses that authorities said were designed to steal $1.3 billion in currency and cryptocurrency and further other strategic interests for the North Korean government.
The charges capture years' worth of North Korean hacking, including the widely publicized 2014 Sony Pictures hack, the 2016 theft from Bangladesh's central bank, the 2017 WannaCry ransomware attack and others.
In an indictment filed in federal court in the Central District of California, Justice Department officials allege that Jon Chang Hyok, Park Jin Hyok and Kim Il are members of North Korea's Reconnaissance General Bureau, its military intelligence agency, and that they conducted a series of computer intrusions using fake personas and spear-phishing lures built around cryptocurrency investment schemes to get victims to download malware.
The group's activities were both "revenge and financially motivated," and at times involved destroying computer systems or deploying ransomware on victim devices. Park had already been charged in 2018 in connection with the WannaCry attacks; the new indictment expands the charges against him to cover other hacking campaigns.
"The department's criminal charges are uniquely credible forms of attribution — we can prove these allegations beyond a reasonable doubt using only unclassified, admissible evidence," said John Demers, Assistant Attorney General for National Security, in a call with reporters. "And they are the only way in which the department speaks. If the choice here is between remaining silent while we at the department watch nations engage in malicious, norms-violating cyber activity, or charging these cases, the choice is obvious — we will charge them."
Law enforcement officials said that since 2018 the group has also targeted more than $1.2 billion in funds from banks across four continents through cryptocurrency heists and ATM cash-outs, and has developed new forms of malware along the way. They also charged a Canadian national with facilitating tens of millions of dollars in money laundering schemes. U.S. authorities said they are in the process of seizing, and in some cases returning to victim organizations, millions of dollars in stolen funds.
“The Indictment contains significant allegations about the development and spread of a series of malicious applications, purportedly for trading and storing cryptocurrency but which were actually designed to give the North Koreans a backdoor into computer systems…some of which were still developed only a few months ago,” said Tracy Wilkison, Acting U.S. Attorney for the Central District of California.
The Cybersecurity and Infrastructure Security Agency, the FBI and the Treasury Department also released a joint advisory analyzing multiple variants of a malware family called AppleJeus: trojanized cryptocurrency trading applications, distributed under the guise of a legitimate cryptocurrency trading company, that target both Windows and macOS. The advisory contains technical analysis as well as indicators of compromise that security teams can use to detect the malware.
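Advisories like this one ship their indicators of compromise (domains, download URLs, file hashes) in "defanged" form (hxxps, [.]) so they cannot be clicked by accident, which means a detection sweep first has to normalize them before matching against logs and endpoint inventories. The script below is an added illustration of that workflow and is not code from the advisory or from any of the agencies named; every indicator, log line and file hash in it is constructed for the example and is not a real AppleJeus indicator. The hypothetical `sweep` function matches a parsed IOC list against DNS queries (including subdomains of a listed domain), proxy URLs and a SHA-256 file inventory, the three places a trojanized installer like the one the advisory describes would leave traces.

```python
import hashlib
import re
from dataclasses import dataclass

# --- Constructed inputs (placeholders for this example, NOT real AppleJeus IOCs) ---

# A constructed "trojanized installer" body, hashed so the IOC list and the
# host inventory below agree on the same digest.
_FAKE_INSTALLER = b"constructed trojanized cryptocurrency trading app installer"
FAKE_INSTALLER_SHA256 = hashlib.sha256(_FAKE_INSTALLER).hexdigest()

# IOC list in the defanged "type,value" CSV style advisories commonly use.
IOC_TEXT = f"""
# type,value
domain,trade-wallet-example[.]invalid
domain,celas-update-example[.]invalid
url,hxxps://trade-wallet-example[.]invalid/download/TradeWallet.dmg
sha256,{FAKE_INSTALLER_SHA256}
"""

# Constructed DNS resolver log, proxy log and EDR-style file inventory.
DNS_LOG = """
2021-02-17T10:01:02Z client=10.0.0.5 query=TRADE-WALLET-EXAMPLE.INVALID type=A
2021-02-17T10:01:09Z client=10.0.0.5 query=cdn.celas-update-example.invalid type=A
2021-02-17T10:02:41Z client=10.0.0.9 query=www.example.com type=A
"""
PROXY_LOG = """
2021-02-17T10:01:03Z src=10.0.0.5 url=https://trade-wallet-example.invalid/download/TradeWallet.dmg status=200
2021-02-17T10:03:15Z src=10.0.0.9 url=https://www.example.com/ status=200
"""
FILE_INVENTORY = [  # (host, path, sha256)
    ("mac-finance-01", "/Users/analyst/Downloads/TradeWallet.dmg", FAKE_INSTALLER_SHA256),
    ("win-finance-02", r"C:\Users\trader\Downloads\notepad.exe", hashlib.sha256(b"benign").hexdigest()),
]

_KV = re.compile(r"(\w+)=(\S+)")  # key=value tokens in the log lines above


def defang_to_plain(value: str) -> str:
    """Turn a defanged indicator (hxxps, [.], [:]) into the form seen in real logs.
    Lowercases the whole value, a deliberate simplification (URL paths are case-sensitive)."""
    v = value.strip().lower()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v)
    return v.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def parse_iocs(text: str) -> dict:
    """Parse a 'type,value' IOC list, skipping comments/blank lines and unknown types."""
    iocs = {"domain": set(), "url": set(), "sha256": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        kind = kind.strip().lower()
        if kind in iocs and value:
            iocs[kind].add(defang_to_plain(value))
    return iocs


def domain_matches(query: str, domains: set) -> bool:
    """True if the query equals a listed domain or is a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


@dataclass(frozen=True)
class Finding:
    source: str     # "dns", "proxy" or "file"
    indicator: str  # the normalized IOC value that matched
    evidence: str   # the log line or host:path that produced the hit


def sweep(iocs: dict, dns_log: str, proxy_log: str, inventory: list) -> list:
    """Match the IOC set against DNS queries, proxy URLs (or their hosts) and file hashes."""
    findings = []
    for line in dns_log.splitlines():
        q = dict(_KV.findall(line)).get("query")
        if q and domain_matches(q, iocs["domain"]):
            findings.append(Finding("dns", q.lower(), line.strip()))
    for line in proxy_log.splitlines():
        url = dict(_KV.findall(line)).get("url", "").lower()
        if url in iocs["url"]:
            findings.append(Finding("proxy", url, line.strip()))
        else:  # fall back to matching only the host part against domain IOCs
            host = re.sub(r"^https?://", "", url).split("/")[0]
            if host and domain_matches(host, iocs["domain"]):
                findings.append(Finding("proxy", host, line.strip()))
    for host, path, digest in inventory:
        if digest.lower() in iocs["sha256"]:
            findings.append(Finding("file", digest.lower(), f"{host}:{path}"))
    return findings


if __name__ == "__main__":
    for f in sweep(parse_iocs(IOC_TEXT), DNS_LOG, PROXY_LOG, FILE_INVENTORY):
        print(f"[{f.source}] {f.indicator}  <-  {f.evidence}")
```

Against the constructed inputs the sweep produces four hits: two DNS queries (one an exact match, one a subdomain of a listed domain), the proxy download of the installer, and the installer's hash on the finance workstation. In practice the same normalization step matters most for hash and URL indicators, which are often published in mixed case or with path fragments stripped, so exact-match logic should be applied only after both sides have been canonicalized the same way.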
"This advisory will provide the financial sector and the cybersecurity community with a detailed picture of North Korean threat capability that will assist cyber defenders in multiple sectors in identifying and mitigating this active threat, further demonstrating the value of interagency partnerships in combating cybercrime and malicious nation-state actor activity," said Paul Neff, Director of Cyber Policy, Preparedness and Response in the Office of Cybersecurity and Critical Infrastructure Protection at Treasury, in a statement.