The Department of Justice has indicted three North Korean men it alleges were responsible for some of the largest cybercrime operations in history, carried out over the last several years while working as hackers for the DPRK’s military intelligence unit. The charges tie the men to a long list of high-profile intrusions and heists, including the attack on Sony Pictures Entertainment, the WannaCry 2.0 campaign, and a number of cryptocurrency thefts.
The indictment is the second in less than three years against one of the men, Park Jin Hyok, who, along with the other two newly charged men, is alleged to be a member of the notorious Lazarus Group APT team. That group has been attributed to the Reconnaissance General Bureau, a DPRK intelligence service, and it is believed to be responsible for a long-running cybercrime campaign that has targeted banks around the world as a funding source for the North Korean regime. Assistant Attorney General John Demers said the North Korean government “has become a criminal syndicate with a flag, which harnesses its state resources to steal hundreds of millions of dollars.”
The U.S. charged Park with related crimes in 2018, but it’s highly unlikely that he or the other men charged Wednesday will ever be tried. The DPRK government does not generally cooperate with its U.S. counterparts and would have no interest in turning over three of its hackers to face prosecution. Aside from the Sony intrusion and the WannaCry 2.0 attack, the DoJ also alleges that the three men were responsible for the 2016 attack on Bangladesh Bank, the country's central bank, in which $81 million was stolen. The two other men charged in the indictment are Jon Chang Hyok and Kim Il.
“This case is a particularly striking example of the growing alliance between officials within some national governments and highly sophisticated cyber-criminals,” said U.S. Secret Service Assistant Director Michael R. D’Ambrosio.
“The individuals indicted today committed a truly unprecedented range of financial and cyber-crimes: from ransomware attacks and phishing campaigns, to digital bank heists and sophisticated money laundering operations. With victims strewn across the globe, this case shows yet again that the challenge of cybercrime is, and will continue to be, a struggle that can only be won through partnerships, perseverance, and a relentless focus on holding criminals accountable.”
As part of the same investigation, a man named Ghaleb Alaumary, who holds dual U.S. and Canadian citizenship, has pleaded guilty to a charge of money laundering for helping the North Korean regime launder the funds allegedly stolen through the intrusions.
“He has admitted his role in these criminal schemes in a plea agreement, and he will be held to account for his conduct. This prosecution demonstrates the commitment of the Department to ensuring that those who conspire with the DPRK hackers will face justice,” Demers said.
One of the tactics employed by the attackers in this case is the use of malware that’s designed to look like a legitimate cryptocurrency trading platform. The malware, known as AppleJeus, has been in use for several years and exists in a number of different versions. The Cybersecurity and Infrastructure Security Agency on Wednesday released an analysis of the malware.
“These cyber actors have targeted organizations for cryptocurrency theft in over 30 countries during the past year alone. It is likely that these actors view modified cryptocurrency trading applications as a means to circumvent international sanctions on North Korea—the applications enable them to gain entry into companies that conduct cryptocurrency transactions and steal cryptocurrency from victim accounts,” the advisory says.
The indictments come at a time when the U.S. federal government and many private enterprises are facing high levels of attack activity from state-backed actors. The ongoing investigation into the SolarWinds compromise has revealed that nine federal agencies and about 100 enterprises were affected by the attack. Anne Neuberger, deputy national security adviser for cyber and emerging technology, said Wednesday that the government’s investigation will be ongoing for some time to come and the full scope of that compromise is still not known.
“We’re estimating several months for the investigation. We know we don’t have years,” she said during a press briefing at the White House.
In his remarks, the DoJ’s Demers said the government will continue to pursue charges against foreign hackers.
“The Department’s criminal charges are uniquely credible forms of attribution — we can prove these allegations beyond a reasonable doubt using only unclassified, admissible evidence. And they are the only way in which the Department speaks. If the choice here is between remaining silent while we at the Department watch nations engage in malicious, norms-violating cyber activity, or charging these cases, the choice is obvious — we will charge them,” he said.