The U.S.Department of Justice has charged three North Koreans for stealing $1.3 billion in money and cryptocurrency in attacks on banks, the entertainment industry, cryptocurrency companies, and more.
The defendants are state-sponsored North Korean hackers and members of Reconnaissance General Bureau (RGB) units, a North Korean military intelligence agency that has engaged in criminal hacking operations.
“These North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38),” the DOJ said .
According to DOJ, the three North Koreans have been “participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform.”
The US indicted Jon Chang Hyok (전창혁), Kim Il (김일), and Park Jin Hyok (박진혁), with Park previously indicted in September 2018 for being a part of a “wide-ranging, multi-year conspiracy to conduct computer intrusions and commit wire fraud by co-conspirators working on behalf of the government of the Democratic People’s Republic of Korea.”
Far-reaching and wide-ranging hacking campaign The Lazarus Group (tracked by the US as HIDDEN COBRA) is known for targeting high-profile orgs such as Sony Pictures Entertainment and multiple banks worldwide .
Their hacking campaign allowed them to steal hundreds of millions of US dollars, for instance, getting away with roughly $140 million by breaching Bangladesh Bank [ 1 , 2 ], Banco de Chile , and the Far Eastern International Bank of Taiwan .
The North Korean-backed hackers were indicted for multiple hacking activities, including:
Cyberattacks on the Entertainment Industry : The destructive cyberattack on Sony Pictures Entertainment in November 2014 in retaliation for “The Interview,” a movie that depicted a fictional assassination of the DPRK’s leader; the December 2014 targeting of AMC Theatres, which was scheduled to show the film; and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.Cyber-Enabled Heists from Banks : Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages.Cyber-Enabled ATM Cash-Out Thefts : Thefts through ATM cash-out schemes – referred to by the U.S.government as “FASTCash” – including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
Ransomware and Cyber-Enabled Extortion : Creation of the destructive WannaCry 2.0 ransomware in May 2017, and the extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.Creation and Deployment of Malicious Cryptocurrency Applications : Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 – including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale – which would provide the North Korean hackers a backdoor into the victims’ computers.Targeting of Cryptocurrency Companies and Theft of Cryptocurrency : Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.
Spear-Phishing Campaigns : Multiple spear-phishing campaigns from March 2016 through February 2020 that targeted employees of United States cleared defense contractors, energy companies, aerospace companies, technology companies, the U.S.Department of State, and the U.S.Department of Defense.Marine Chain Token and Initial Coin Offering : Development and marketing in 2017 and 2018 of the Marine Chain Token to enable investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S.sanctions.The indictment alleges that the hacking group’s goal was to “further the strategic and financial interests of the DPRK government and its leader, Kim Jong Un” by causing damage, as well as stealing data and money from organizations all over the globe.
“The Department’s criminal charges are uniquely credible forms of attribution — we can prove these allegations beyond a reasonable doubt using only unclassified, admissible evidence,” Assistant Attorney General John C.Demers said.
“And they are the only way in which the Department speaks.”
UN estimates point at almost $2 billion in financial losses The United Nations estimated in 2019 that North Korea has generated as much as $2 billion from at least 35 cyberattacks targeting banks and cryptocurrency exchanges across over a dozen countries.
Another United Nations report from 2019 said that DPRK-backed hackers hitting Asian cryptocurrency exchanges between January 2017 and September 2018 were believed to be behind $571 million in financial losses.
“This revenue allows the North Korean regime to continue to invest in its illicit ballistic missile and nuclear programs,” the Justice Department said .
Also in 2019, the U.S.Treasury also sanctioned three North Korean hacking groups (Lazarus Group, Bluenoroff, and Andariel) engaged in funneling stolen financial assets to the North Korean government.
“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” Demers added.
“The Department will continue to confront malicious nation state cyber activity with our unique tools and work with our fellow agencies and the family of norms abiding nations to do the same.”
Related Articles: US shares info on North Korean malware used to steal cryptocurrency
Hacking group also used an IE zero-day against security researchers
North Korean state hackers breach COVID-19 research entities
Russian Sandworm hackers only hit orgs with old Centreon software
France links Russian Sandworm hackers to hosting provider attacks.
