U.S. Authorities Take Sweeping Actions Against North Korean Hacking Operations
Several U.S. federal agencies on Wednesday released a batch of indictments, cybersecurity advisories, and malware analysis reports that represents one of the most expansive cybersecurity-related actions against North Korea in years.
The U.S. Justice Department unsealed charges against three North Korean hackers who are accused of stealing and extorting more than $1.3 billion of money and cryptocurrency from financial institutions around the globe. It’s the first indictment related to North Korean hacking operations since 2018, according to an analysis by The Record.
The defendants—Jon Chang Hyok, Kim Il, and Park Jin Hyok, who was also charged in 2018 in connection with the 2014 attack against Sony Pictures—are alleged to have participated in a broad array of hacking schemes while they served as members of North Korea’s Reconnaissance General Bureau. This includes attempts from 2015 to 2019 to steal more than $1.2 billion from banks in Bangladesh, Mexico, Vietnam, Taiwan, and elsewhere, and creating the destructive WannaCry ransomware in May 2017.
They also targeted “hundreds of cryptocurrency companies” and stole tens of millions of dollars worth of cryptocurrency, including $75 million from a Slovenian firm in 2017, $24.9 million from an Indonesian firm in 2018, and $11.8 million from a New York financial services company in 2020, prosecutors said. They are also alleged to have launched multiple spearphishing campaigns from March 2016 to February 2020 aimed at the U.S. Department of Defense and the U.S. Department of State, as well as defense contractors, energy companies, aerospace firms, and technology businesses.
The Justice Department also announced on Wednesday that a Canadian-American citizen pleaded guilty to acting as a “high-level money launderer” for North Korean hackers, including ATM cash-out operations and a cyber-enabled bank heist.
The charges provide detail to what the government has warned of for years: that North Korea, increasingly cut off from global markets and subject to sanctions, is turning to cybercrime as a key revenue source. Ransomware attacks demanding cryptocurrency payments can be difficult to trace, and the Treasury Department has taken steps to caution companies against paying demands if they can be linked to North Korea or other sanctioned jurisdictions.
In 2019, the U.S. Department of the Treasury’s Office of Foreign Assets Control announced sanctions targeting three North Korean state-sponsored malicious cyber groups—Lazarus Group, Bluenoroff, and Andariel—based on their relationship to the Reconnaissance General Bureau and their roles in using malicious cyber activity to target critical infrastructure. Last October, OFAC and the Financial Crimes Enforcement Network, another Treasury unit, issued a pair of ransomware advisories warning of potential sanctions risks for making and facilitating payments to designated entities.
“As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” Assistant Attorney General John Demers of the DoJ’s National Security Division said. “The Department will continue to confront malicious nation-state cyber activity with our unique tools and work with fellow agencies and the family of norm-abiding nations to do the same.”
Shortly before the charges were unsealed, the Federal Bureau of Investigation, Department of the Treasury, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released a joint cybersecurity advisory warning that North Korea’s Lazarus Group targeted organizations for cryptocurrency theft in over 30 countries during the past year alone.
According to the alert, the advanced persistent threat group carries out these attacks by disseminating cryptocurrency trading applications that have been modified to include malware that allows them to steal funds.
Authorities identified malware and indicators of compromise related to the activity, which is referred to as “AppleJeus.” According to the advisory, North Korea has used websites that appeared to host legitimate cryptocurrency trading platforms to infect victims with AppleJeus malware since at least 2018. However, the actors are now using other infection vectors, including phishing and social engineering techniques, to get users to download the malware.
Technical details and mitigations can be found in the joint advisory and in the accompanying malware analysis reports.
The full indictment can be found below:
Adam Janofsky is the founding editor-in-chief of The Record by Recorded Future. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.