DOJ Charges Two More North Korean Hackers in Global Attacks
The Department of Justice this week peeled back more layers on the North Korean military hacking unit Lazarus Group and its longtime cybercrime spree.
The United States on Wednesday brought more charges against North Korean military hackers, unsealing an indictment that accused three computer programmers of attempting to steal more than $1.3 billion in cash and cryptocurrency.
The indictment centers on actions taken over the years by the Democratic People's Republic of Korea's (DPRK) Reconnaissance General Bureau (RGB), the country's military intelligence agency.
While the charges may not amount to much in practice (the hackers are unlikely to see the inside of a courtroom, let alone ever set foot on US soil), the move helps uncover another link in a very long chain of cybercrime activity perpetrated by the country.
The indictment itself builds on charges brought in 2018 against hackers connected to the 2014 cyberattack on Sony Pictures Entertainment, the 2016 cyber heist of $81 million from Bangladesh Bank, and WannaCry, the large ransomware outbreak of 2017. That indictment named only one individual, Park Jin Hyok, a North Korean who the DOJ said worked for Lazarus Group, a government-sponsored hacking team that is part of the RGB. Lazarus Group and two of its offshoot units, Bluenoroff and Andariel, were sanctioned by the Treasury Department in 2019 for targeting U.S. critical infrastructure, along with government, military, financial, manufacturing, publishing, media, entertainment, and international shipping companies.
This week's charges name two additional members of the RGB, Jon Chang Hyok and Kim Il, in connection with the hacks, spear-phishing campaigns, attacks on cryptocurrency companies, and million-dollar (and in some cases billion-dollar) theft attempts against banks.
Also new this week: a Canadian-American citizen, Ghaleb Alaumary, is scheduled to plead guilty in a money laundering scheme connected to some of these campaigns, namely ATM cash-out schemes in Pakistan and India and a cyberattack on a bank in Malta. Alaumary agreed to plead guilty last November; he is also being prosecuted by the U.S. Attorney's Office for the Southern District of Georgia for his role in another scam, a business email compromise.
While the RGB hackers attempted to steal upwards of $1.3 billion, mostly from banks by sending fraudulent SWIFT (Society for Worldwide Interbank Financial Telecommunication) payment messages from compromised bank systems, they were not entirely successful. According to the Washington Post, the hackers managed to steal at least $190 million over the years, although prosecutors would not give an exact figure.
Much of what was actually stolen, as we learned Wednesday, was cryptocurrency. Per the indictment, the hackers targeted hundreds of cryptocurrency companies in more than 30 countries over several years. Between December 2017 and August 2020, the hackers hit three companies, two cryptocurrency companies in Slovenia and Indonesia and a financial services company in New York, for a combined $111.7 million. The hackers also developed and distributed malicious cryptocurrency trading applications that looked legitimate but gave them a backdoor into victims' machines.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury released a joint alert this week on North Korean government cyber activity, which the U.S. government has long tracked as HIDDEN COBRA. The alert details AppleJeus, the family of malware disguised as legitimate cryptocurrency trading software that the group has used since 2018 to steal cryptocurrency. It also provides technical information, including an analysis of the malware's payload, a MITRE ATT&CK mapping of the techniques observed in its operations, and recommended mitigations.
The DPRK has ratcheted up its use of cybercrime to acquire cryptocurrency over the years. The U.S. Department of Justice filed a civil forfeiture complaint in August last year against 280 cryptocurrency accounts used by hackers and accomplices to launder $250 million in stolen funds. That followed sanctions on two Chinese nationals in March last year for their role in laundering stolen Bitcoin and other cryptocurrency for the DPRK.
It is clear that North Korea, which is essentially barred from participating in the international financial system, has built an alternative one that allows it to evade international sanctions.
Citing a confidential United Nations report, CNN reported last week that North Korean hackers stole $316.4 million from financial institutions and virtual currency exchanges between 2019 and November 2020, largely to pay for the country's nuclear and ballistic missile programs.
While the $190 million and $316 million figures are obviously less substantial than the $1.3 billion attempted, they, along with how the country has geared its cyber operations around cryptocurrency platforms, are further proof of how far the country is willing to go to fund its objectives and, in turn, its military programs.