North Korean Lazarus Group hackers indicted in US

Charges filed relate to Lazarus Group’s long-running cyber crime spree, including financial theft and extortion, WannaCry malware and the cyber attack on Sony Pictures

The US Department of Justice (DoJ) has indicted three North Korean (DPRK) military personnel with participating in a staggering and wide-ranging criminal conspiracy that has included destructive cyber attacks, the theft and extortion of over $1.3bn worth of money and cryptocurrency using multiple malicious cryptocurrency applications, and the development and fraudulent marketing of a blockchain platform.

In a second case unsealed today, a joint Canadian-US citizen has agreed to plead guilty to related money laundering charges and admitted working as a high-level facilitator for multiple schemes, including a North Korean cyber bank heist.

“As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said assistant attorney general John Demers of the DoJ’s National Security Division. “The department will continue to confront malicious nation-state cyber activity with our unique tools and work with our fellow agencies and the family of norms abiding nations to do the same,” he added.

“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” said acting US attorney Tracy Wilkison for the Central District of California. “The conduct detailed in the indictment are the acts of a criminal nation state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”

The indictment, filed at the US District Court in Los Angeles, expands on previous charges levied by the FBI in 2018. FBI deputy director Paul Abbate praised the agency’s efforts, which were conducted in close collaboration with US agencies and foreign partners in an effort to hold North Korea accountable for its cyber crimes.

The three named individuals, Jon Chang-Hyok (31), Kim Il (27) and Park Jin-Hyok (36), are alleged to be members of units of North Korea’s Reconnaissance General Bureau (RGB), which goes by many other names in the security community, perhaps most notably Lazarus Group, but also APT38.

Their schemes include the November 2014 attack on Sony Pictures Entertainment, conducted in revenge for the release of the Seth Rogen and Evan Goldberg movie The Interview, which depicted the assassination of North Korea’s leader; attacks on US cinema chain AMC Theatres; and a subsequent 2015 attack on Mammoth Screen, the production company behind Poldark, which was planning an unmade Channel 4 drama set in North Korea.

The trio also attempted to steal over $1.2bn from banks in Africa, Bangladesh, Malta, Mexico and Vietnam by hacking into their networks and sending fraudulent messages through the Society for Worldwide Interbank Financial Telecommunication (Swift), and carried out a number of cyber-enabled ATM cash-out thefts, including the October 2018 theft of $6.1m from BankIslami in Pakistan.

They are further implicated in the creation of the destructive WannaCry 2.0 ransomware in May 2017, which disrupted services at one-third of NHS trusts and resulted in more than 19,000 GP appointments being cancelled, costing the health service over £90m, as well as the extortion of other victims from 2017 through 2020.

The group also created and deployed a number of malicious cryptocurrency applications between March 2018 and September 2020 that were, in fact, backdoors into their victims’ computers, and targeted and stole tens of millions of dollars’ worth of cryptocurrency. In addition, it developed and marketed a blockchain-supported investment vehicle that ostensibly was designed to allow investors to buy interests in marine shipping vessels, but was, in fact, a means for the North Korean government to obtain funding, control its own merchant marine and evade international sanctions.

The US Cybersecurity and Infrastructure Security Agency (CISA) has additionally published a new advisory today on the malware used in the Lazarus Group’s crypto-heists, referred to as AppleJeus.

All three men are alleged to have been, at times, stationed in other countries, including China and Russia. They have been charged with one count of conspiracy to commit computer fraud and abuse, which carries a maximum sentence of five years in prison, and one count of conspiracy to commit wire fraud and bank fraud, which carries a maximum sentence of 30 years in prison.

As is standard in such cases, these charges are accusations, and the standard caveats around the presumption of innocence until proven guilty apply.

The other charges – against Ghaleb Alaumary, 37, a resident of Mississauga, a suburb of Toronto in Canada – relate to laundering the proceeds of ATM cash-out thefts, other cyber-heists, business email compromise (BEC) schemes, and other fraudulent activity. Alaumary was specifically involved in the raid on Pakistan’s BankIslami and other heists against targets in Malta. In this last instance he conspired with Ramon Olorunwa Abbas, aka Ray Hushpuppi, who was charged in a previous BEC indictment. As previously stated, Alaumary has agreed to plead guilty to a count of conspiracy to commit money laundering.

Further to the charges and new security advisory announced today, the US Attorney’s Office and the FBI have also obtained seizure warrants authorising the FBI to take back cryptocurrency stolen by Lazarus Group from a New York-based financial services company to the tune of $1.9m.

“The allegations in today’s indictment inform and empower the international community so that they can not only join us in condemning this activity, but also help stop it,” said the US DoJ’s Demers.

“In that regard, the European Union’s [EU] July 2020 sanctions related to the Lazarus Group were a welcome development. We commend the EU for its initial efforts to impose consequences for state-sponsored malicious cyber activities.

“However, other nations that wish to be regarded as responsible actors on the international stage must also step up. These conspirators described in today’s indictment are alleged to have been working, at times, from locations in China and Russia.

“The DPRK has also utilised Chinese over-the-counter cryptocurrency traders and other criminal networks to launder the funds. Just as the US has disrupted the DPRK’s crime spree through arrests, forfeitures and seizures, the time is ripe for Russia and China, as well as any other country whose entities or nationals play a role in the DPRK revenue-generation efforts, to take action,” he said.
