The U.S. Department of Justice (DoJ) on Wednesday unsealed an indictment charging three suspected North Korean hackers with conspiring to steal and extort more than $1.3 billion in cash and cryptocurrency from financial institutions and businesses around the world.
The three defendants, Jon Chang Hyok, Kim Il, and Park Jin Hyok, are said to be members of units of the Reconnaissance General Bureau, North Korea's military intelligence agency, units that the security industry tracks as the Lazarus Group, Hidden Cobra, or Advanced Persistent Threat 38 (APT38).
The indictment accuses them of creating and deploying multiple malicious cryptocurrency applications and of developing and fraudulently marketing a blockchain platform. It expands on the 2018 charges brought against Park, who was previously charged in connection with the 2014 cyberattack on Sony Pictures Entertainment.
A Wide-Ranging Scheme to Commit Cyberattacks and Financial Crimes
“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said Assistant Attorney General John C. Demers of the Justice Department’s National Security Division.
“The Department will continue to confront malicious nation state cyber activity with our unique tools and work with our fellow agencies and the family of norms abiding nations to do the same.”
The latest indictment is yet another sign of how heavily the Lazarus Group relies on cryptocurrency heists and cybertheft from businesses and critical infrastructure to fund a country that has been hit hard by economic sanctions.
The group, which was added to the U.S. government's sanctions list in 2019, has been linked to a wide array of criminal cyber activity in the U.S. and abroad, including the destructive WannaCry ransomware outbreak of 2017, attacks on banks' SWIFT systems and on ATM networks in attempts to steal more than $1.2 billion, spear-phishing campaigns, and cryptocurrency thefts amounting to at least $112 million.
Interestingly, the indictment also details the defendants' plans in 2017 and 2018 to create their own crypto-token, called Marine Chain, which would supposedly let users purchase fractional stakes in shipping vessels. In reality it was a money-making initiative aimed at secretly raising funds for the government while evading international sanctions.
“AppleJeus” Backdoor to Steal Cryptocurrency
The conspiracy also ran a scheme that involved creating malicious applications masquerading as legitimate cryptocurrency trading platforms. Once installed, the applications gave the attackers a backdoor into victims' computers, which they used to steal cryptocurrency and fraudulently transfer it to accounts under their control.
The backdoor is tracked as "AppleJeus." In a joint advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said at least seven different versions of the malware have been identified since 2018, with the Lazarus Group relying on a mix of phishing, social networking, and social engineering techniques as initial infection vectors to trick users into downloading it.
The rogue applications identified by CISA comprise Ants2Whale, Celas Trade Pro, CoinGo Trade, CryptoNeuro Trader, Dorusio, iCryptoFx, Kupay Wallet, Union Crypto Trader, and WorldBit-Bot.
The energy, finance, government, industry, technology, and telecommunications sectors were the prominent focus of the attacks, the agency said, adding that AppleJeus targets both Windows and macOS systems, echoing an August 2018 report from cybersecurity firm Kaspersky.
Canadian-American Citizen Charged for Money Laundering
U.S. prosecutors said the three men were stationed by the North Korean government in other countries, including China and Russia, to further the strategic and financial interests of the Kim Jong Un-led regime. The DoJ did not, however, say whether threat actors from either country collaborated with the North Korean operatives on these attacks.
In a related development, the U.S. Federal Bureau of Investigation (FBI) obtained warrants to seize cryptocurrency worth approximately $1.9 million that was allegedly stolen from an unnamed financial services company in New York and held at two cryptocurrency exchanges.
A second case that was also unsealed yesterday concerned a Canadian-American citizen named Ghaleb Alaumary, who pleaded guilty to a money-laundering conspiracy and admitted to laundering funds from ATM "cash-out" operations and a cyber-enabled bank heist orchestrated by North Korean hackers.
Although the three North Koreans are unlikely to be extradited and brought to trial, Jon, Kim, and Park are each charged with one count of conspiracy to commit computer fraud and abuse and one count of conspiracy to commit wire fraud and bank fraud. Alaumary pleaded guilty to one count of conspiracy to commit money laundering, which carries a maximum sentence of 20 years in prison.
“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” said Acting U.S. Attorney Tracy L. Wilkison for the Central District of California. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”