The Justice Department on Wednesday unveiled charges against three North Korean hackers who are alleged to have tried to steal as much as $1.3 billion from banks, individuals and cryptocurrency organizations around the world during the past four years.
The three individuals — Jon Chang Hyok, Kim Il and Park Jin Hyok — are members of North Korea's military intelligence agency, the Reconnaissance General Bureau, headquartered in Pyongyang, according to the indictment. The Justice Department said the unit's hacking activity is also tracked by cybersecurity researchers under the names Lazarus Group and APT38 (advanced persistent threat 38).
The same group was also behind the November 2014 attack on Sony Pictures and on U.S. movie theater chains after the entertainment company produced the movie "The Interview," which lampooned North Korean ruler Kim Jong Un, the Justice Department said. The indictment listed 45 "overt acts," including spear-phishing email campaigns, attacks on bank ATMs, cryptocurrency heists, extortion and ransomware.
North Korea’s economy has for decades suffered from global economic sanctions imposed because of the country’s pursuit of nuclear weapons, and the country uses cyberattacks as a way to steal money from around the world to keep the regime going, John Demers, a U.S. assistant attorney general, said at a news conference.
Unlike China, Russia and Iran, which use cyberattacks to further their foreign policy goals, disrupt Western democracies or steal technology, North Korean hackers are "very focused on currency" theft, Demers said.
“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading 21st century nation-state bank robbers,” Demers said.
The indictment “describes in stark detail how the [North Korea] cyber threat has followed the money and turned its revenue generation sights on the most cutting edge aspects of international finance, including through the theft of cryptocurrency from exchanges and other financial institutions, in some cases through the creation and deployment of cryptocurrency applications with hidden backdoors,” Demers said.
While the hackers operated mostly from Pyongyang, they also are alleged to have carried out their cyberattacks at times from China and Russia, the Justice Department said. China and Russia, in addition to carrying out their own cyberattacks, are providing “safe harbor for cyber criminals or in this case other nation-state hackers to act,” Demers said.
The indictment outlines eight different cases of the North Korean hackers targeting banks around the world, including those in the Philippines, Poland, Vietnam, South Korea, Malta, an unnamed African country and Bangladesh. In the case of Bangladesh, the hackers are said to have made off with about $81 million.
The Justice Department also announced that it had arrested Ghaleb Alaumary, a U.S.-Canadian dual citizen who’s alleged to have helped North Korea launder its stolen money.
The indictment describes five major extortion and ransomware attacks carried out by the hackers, including WannaCry, the self-propagating ransomware worm that in May 2017 locked up computers at hundreds of hospitals around the world.
The North Korean hackers are also said to have staged at least 18 separate attacks on cryptocurrency holders and platforms, developing and deploying malware built specifically to target them.
The indictment also mentioned five cases in which the hackers targeted cryptocurrency companies in Slovenia, Indonesia and New York, stealing about $112 million.
The indictment listed four spear phishing campaigns targeting U.S. defense contractors, State Department officials, the Pentagon and top U.S. technology companies.
Separately, the Cybersecurity and Infrastructure Security Agency, the FBI and the Treasury Department issued an advisory about a North Korean malware known as “AppleJeus” that has been “posing as a cryptocurrency trading platform since at least 2018.”
The agencies said the malware, built for both Windows and macOS, "appears to be from a legitimate trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate."
The advisory offered technical details of the malware, indicators that a machine has been infected, and steps to remove it.