This week, the U.S. Department of Justice announced that three North Korean intelligence officials have been indicted for their role in a slew of destructive cyberattacks on U.S. and global organizations spanning many years. The cyberattacks allowed the hackers to steal and extort more than $1.3 billion in money and cryptocurrencies from companies and financial institutions around the world.
The three individuals are alleged members of North Korea’s Reconnaissance General Bureau (RGB), a criminal hacking group known by many names in the cybersecurity community, most commonly the Lazarus Group and APT38.
Jon Chang Hyok, 31, Kim Il, 27, and Park Jin Hyok, 36, are believed to currently reside in North Korea where they are beyond the reach of U.S. law enforcement, although the individuals have previously been based overseas in countries including China and Russia. The hackers are alleged to have conducted a broad range of criminal cyber activities in the United States and other countries for financial gain and revenge, including the cyberattack on Sony Pictures in 2014 and the global WannaCry ransomware attacks in 2017. Park was previously charged for his role in the WannaCry ransomware attacks, the attack on Sony Pictures, and a SWIFT attack on a Bangladeshi bank, with the latest indictment expanding the charges against him.
The three hackers have been charged with one count of conspiracy to commit computer fraud and abuse and one count of conspiracy to commit wire fraud, which together carry a maximum sentence of 35 years.
“As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said Assistant Attorney General John C. Demers of the National Security Division of the U.S. Department of Justice.
The DOJ indictment alleges the group conducted a wide range of criminal activity, including the creation and deployment of multiple malicious cryptocurrency applications which gave them a backdoor into computers, as well as spear phishing campaigns on defense contractors, aerospace companies, energy companies, and the U.S. Department of State and Department of Defense.
The hackers are alleged to have conducted cyberattacks on online banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa that involved sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages. The attacks allowed them to steal more than $1.2 billion. The Lazarus Group has also targeted cryptocurrency exchanges, stealing $75 million from one Slovenian cryptocurrency company in December 2017 and $24.9 million from an Indonesian cryptocurrency company in 2018.
The hackers are believed to have played a key role in the development and marketing of the Marine Chain Token, a blockchain-based maritime investment marketplace that allowed investors to purchase fractional ownership interests in marine shipping vessels. The scheme allowed the North Korean regime to obtain funds from investors and control interests in marine shipping vessels.
“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” said Acting U.S. Attorney Tracy L. Wilkison for the Central District of California. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”
In addition to the latest indictment, the DOJ unsealed a charge against a Canadian-American individual – Ghaleb Alaumary, 37, of Mississauga, Ontario, Canada – who recently pleaded guilty to one count of conspiracy to commit money laundering. Alaumary was a prolific money launderer for the Lazarus Group whose activities included ATM cash-out operations and laundering money from cyber bank heists and business email compromise (BEC) scams. Alaumary faces a maximum jail term of 20 years.