
Three North Korean hackers charged for financial and revenge-motivated hacks

First Assistant U.S. Attorney Tracy Wilkison announces in 2018 charges against a North Korean national in a range of cyberattacks, including the cyberattack against Sony Pictures in 2014, and the WannaCry 2.0 ransomware attack in 2016. The FBI is working closely with the private sector to respond to the explosion of ransomware attacks. (Mario Tama/...

The Department of Justice has unsealed an indictment against three members of Lazarus Group for a wide range of financially-motivated hacks against private businesses that authorities said were designed to steal $1.3 billion in currency and cryptocurrency and further other strategic interests for the North Korean government.

The charges capture years' worth of North Korean hacking, including the widely publicized 2014 Sony hack, the 2016 hack of the Central Bank of Bangladesh, the 2017 WannaCry ransomware attack and others.

In an indictment filed in the Central District of California Court, Justice officials allege that Jon Chang Hyok, Park Jin Hyok and Kim Il are members of the North Korean Reconnaissance General Bureau who conducted a series of computer intrusions using personas and spear-phishing techniques designed to imitate cryptocurrency investment schemes in order to get the victims to download malware.

The group’s activities were both “revenge and financially motivated,” sometimes destroying computer systems or deploying ransomware on victim devices. Park was already charged in 2018 for the WannaCry attacks, and the indictment expands charges against him for other hacking campaigns.

“The department’s criminal charges are uniquely credible forms of attribution — we can prove these allegations beyond a reasonable doubt using only unclassified, admissible evidence,” said John Demers, Assistant Attorney General for National Security, in a call with reporters. “And they are the only way in which the department speaks. If the choice here is between remaining silent while we at the department watch nations engage in malicious, norms-violating cyber activity, or charging these cases, the choice is obvious — we will charge them.”

Law enforcement officials said the group has also targeted more than $1.2 billion in funds from banks across four continents since 2018 through cryptocurrency heists and ATM cash-outs, and has developed new forms of malware. They also charged a Canadian national for facilitating tens of millions of dollars in money laundering schemes. U.S. authorities said they are in the process of seizing, and in some cases returning, millions of dollars in stolen funds to victim organizations.

“The Indictment contains significant allegations about the development and spread of a series of malicious applications, purportedly for trading and storing cryptocurrency but which were actually designed to give the North Koreans a backdoor into computer systems…some of which were still developed only a few months ago,” said Tracy Wilkison, Acting U.S. Attorney for the Central District of California.

The Cybersecurity and Infrastructure Security Agency, FBI and Department of Treasury also released a joint advisory and analysis of multiple variants of a malware family called AppleJeus, which the North Koreans distributed as trojanized cryptocurrency trading software impersonating a legitimate trading company and targeting Windows and Mac operating systems. The advisory contains technical analysis as well as indicators of compromise that security teams can use to detect the malware.
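To show how a security team would actually put the advisory's indicators of compromise to use, here is an added example (not code from the article or from any government advisory) that matches an IoC set against an endpoint file inventory and DNS query logs. The hashes, domains, hostnames and log lines are constructed placeholders, not the real AppleJeus indicators; a team would substitute the values published in the advisory.

```python
"""Match indicators of compromise (IoCs) against an endpoint file inventory
and DNS query logs.  All IoC values, hosts and log lines below are
CONSTRUCTED PLACEHOLDERS for illustration; the real AppleJeus indicators
come from the CISA/FBI/Treasury advisory itself."""
import hashlib
import re
from dataclasses import dataclass

# Placeholder IoC set in the shape an advisory typically provides:
# SHA-256 hashes of trojanized installers and command-and-control domains.
IOC_SHA256 = {
    "0" * 64,   # placeholder: trojanized Windows installer hash
    "a" * 64,   # placeholder: trojanized macOS disk image hash
}
IOC_DOMAINS = {"example-trading-app.invalid", "update.example-wallet.invalid"}


@dataclass
class Match:
    kind: str        # "hash" or "domain"
    source: str      # "host:path" for files, client address for DNS
    indicator: str   # the IoC that matched


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of file contents, the form hashes appear in IoC lists."""
    return hashlib.sha256(data).hexdigest()


def scan_inventory(inventory, ioc_hashes=IOC_SHA256):
    """inventory: iterable of (host, path, sha256_hex) tuples, e.g. an EDR
    export.  Hashes are case-normalized before comparison."""
    matches = []
    for host, path, digest in inventory:
        d = digest.strip().lower()
        if d in ioc_hashes:
            matches.append(Match("hash", f"{host}:{path}", d))
    return matches


# Constructed DNS log format: "<timestamp> <client-ip> query <qname>"
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)")


def domain_in_iocs(qname, ioc_domains=IOC_DOMAINS):
    """True if qname equals an IoC domain or is a subdomain of one.
    The leading dot prevents 'notexample.invalid' matching 'example.invalid'."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in ioc_domains)


def scan_dns_log(lines, ioc_domains=IOC_DOMAINS):
    """Return a Match per log line whose query name hits an IoC domain;
    lines that do not parse are skipped rather than failing the scan."""
    matches = []
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if domain_in_iocs(qname, ioc_domains):
            matches.append(Match("domain", m.group("client"), qname))
    return matches


# Constructed sample input: one Windows host, one Mac, one clean host.
INVENTORY = [
    ("ws-01", "C:\\Users\\a\\Downloads\\trader-setup.exe", "0" * 64),
    ("mac-02", "/Applications/Trader.app", "A" * 64),   # upper-case hash
    ("ws-03", "C:\\Program Files\\Editor\\editor.exe", "ab" * 32),
]
DNS_LOG = [
    "2021-02-17T12:00:01Z 10.0.0.5 query update.example-wallet.invalid.",
    "2021-02-17T12:00:02Z 10.0.0.6 query www.example.com.",
    "2021-02-17T12:00:03Z 10.0.0.7 query notexample-trading-app.invalid.",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for m in scan_inventory(INVENTORY) + scan_dns_log(DNS_LOG):
        print(f"{m.kind:6} {m.source:45} {m.indicator}")
```

Hash matches are brittle: a recompiled or re-signed variant of the same trojanized application produces a new hash, so the domain and behavioural indicators in an advisory usually outlive the file hashes, which is why the scanner checks both.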

“This advisory will provide the financial sector and the cybersecurity community with a detailed picture of North Korean threat capability that will assist cyber defenders in multiple sectors in identifying and mitigating this active threat, further demonstrating the value of interagency partnerships in combating cybercrime and malicious nation-state actor activity,” said Paul Neff, Director of Cyber Policy, Preparedness and Response in the Office of Cybersecurity and Critical Infrastructure Protection at Treasury, in a statement.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
