North Korean hackers are ‘the world’s leading bank robbers,’ U.S. charges

Federal prosecutors on Wednesday announced charges against three North Korean government hackers accused of participating in a wide range of cyberattacks, including the destructive 2014 hack of Sony Pictures Entertainment, the global WannaCry ransomware attack in 2017 and a range of digital bank heists.

The three men — Jon Chang Hyok, Kim Il and Park Jin Hyok — worked for North Korea’s Reconnaissance General Bureau, whose aggressive cyber teams are known by security researchers as the Lazarus Group or APT 38, the Justice Department said.

The newly unsealed indictment, building on earlier charges against Park for his alleged role in Pyongyang’s cyberattacks, adds new information about multiple criminal schemes, including a series of breaches of banks targeting more than $1.2 billion; infections of ATMs with malware that allowed unlimited withdrawals; digital extortion schemes using ransomware; and the development and distribution of fake, malware-laden cryptocurrency apps that opened backdoors into victims’ computer networks.

It also incorporates earlier allegations about North Korea’s role in the massive Sony hack, which was allegedly retaliation for the studio’s release of a satirical film about leader Kim Jong Un, and the WannaCry ransomware outbreak, which infected networks in 150 countries and may have caused as much as $4 billion in losses.

“North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading 21st century nation-state bank robbers,” John Demers, the assistant attorney general for national security, told reporters during a press call.

In a second announcement on Wednesday, the U.S. charged a Canadian man, Ghaleb Alaumary, with helping North Korea launder money stolen through criminal schemes such as those contained in the new indictment. Alaumary, who already faces separate cybercrime charges in Georgia, is in U.S. custody and has pleaded guilty to the newly announced charges.

According to the North Korean indictment, from 2015 to 2019, the three hackers and their co-conspirators tried to steal money from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta and elsewhere by hacking into their networks and generating fraudulent transfers through a global financial platform. One of these intrusions, into the Bank of Bangladesh, netted them a record $81 million.

The hackers also stole approximately $112 million from cryptocurrency companies after infecting them with malware by tricking them into downloading fake trading applications, prosecutors alleged. On Wednesday, the FBI, the Treasury Department and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released a technical report about those applications.

“In most instances, the malicious application — seen on both Windows and Mac operating systems — appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate,” the agencies said.

Prosecutors have obtained warrants to seize and return $1.8 million of the stolen cryptocurrency to a New York financial services firm, which they did not identify.

The hackers also ran a separate cryptocurrency scam, dubbed “Marine Chain,” in which they tricked investors into purchasing ownership stakes in various marine vessels, with the proceeds eventually making their way to North Korea.

North Korea’s cyber army “has followed the money and turned its revenue-generation sights on the most cutting-edge aspects of international finance,” Demers said.

The bank hacks and cryptocurrency thefts, combined with the ATM “cash-out” schemes and the ransomware extortion attempts, paint a vivid picture of Pyongyang’s sprawling and aggressive cybercrime operation, one of the few ways that the increasingly isolated regime has been able to finance its activities.

Demers said North Korea had “become a criminal syndicate with a flag, which harnesses its state resources to steal hundreds of millions of dollars.”

Officials did not say how much money North Korea had successfully stolen during all of the charged operations.

The indictment also alleges that the hackers sent so-called spearphishing emails, which contain or link to malware, to a wide range of U.S. companies and agencies, including defense contractors, energy and aerospace firms, the State Department and the Pentagon.

The charges offer a reminder of the destructive potential of cyberattacks such as WannaCry, which locked up computers around the world in May 2017 and raised fears of new real-world consequences from digital mayhem.

“This case is the perfect example of the destruction that can be caused by a cyberattack and the grave threat these attacks pose to our national security,” said Kristi Johnson, the assistant director in charge of the FBI’s Los Angeles field office.

It is also a reminder that some foreign governments are increasingly turning to their domestic criminal communities for help in cyberspace, often in an attempt to obscure their guiding hand.

“We continue to see a confluence of state and non-state actors in cybercrime. … These distinctions have really blurred,” said Jesse Baker, the special agent in charge of the Secret Service’s Los Angeles office.

The indictment also alleges another disturbing dynamic: cooperation among the United States’ main adversaries in cyberspace. The North Korean hackers occasionally worked out of China and Russia, according to the government.

Beijing and Moscow surely knew that Pyongyang was sending its cyber operatives into their territory, Demers said. “Due to the authoritarian, totalitarian nature of those countries, there's very little of significance that goes on without those governments knowing about it.”

“The time is beyond ripe,” he added, “for Russia and China, as well as any other country whose entities or nationals play a role in the [North Korean] revenue-generation efforts, to take action.”