On February 17th, the US Department of Justice announced criminal charges against three North Korean (DPRK) government-backed hackers for thefts of cryptocurrency and funds from banks totaling around $1.3 billion USD. The hackers, Jon Chang Hyok, Kim Il, and Park Jin Hyok, were indicted for multiple hacking events, including the following:
- Cyberattacks on AMC theatres and Mammoth Screen, following unfavorable entertainment media created regarding DPRK
- Cyber-enabled bank heists totaling more than $1.2 billion USD
- Cyber-enabled ATM cash-outs totaling $6.1 million USD
The UN has estimated that DPRK backed attackers have generated as much as $2 billion USD from at least 35 cyberattacks targeting banks and cryptocurrency exchanges.
Another indictment unsealed by the Department of Justice charged Ghaleb Alaumary, a 37 year old man from Canada, with helping the DPRK to launder stolen funds using a network of criminal actors to facilitate ATM cash-out operations. Unlike the three North Korean defendants, Alaumary is in the custody of US officials and has agreed to plead guilty to charges.
Finally, the FBI and DHS CISA have released technical details about the malware and computer server infrastructure used by the DPRK in an alert to private industry security professionals. The malware is referred to as “AppleJeus” and has been used for several years with different versions released over time.
Analyst Notes
: It is extremely unlikely that the North Korean defendants will face criminal justice in the US, but the DOJ statement acknowledged this and said that the purpose of unsealing the indictment is to provide proof beyond a reasonable doubt to other countries that can put pressure on North Korea to stop supporting these attacks against banks and the global financial system. The DPRK hackers had help from other individuals in China and Russia who laundered stolen funds, but have not faced criminal prosecution in those countries yet. One of the methods leveraged by the DPRK hackers involved creating and distributing malicious cryptocurrency applications in order to gain access to victim’s computers. Binary Defense recommends only installing cryptocurrency applications from trustworthy sources. Additionally, Binary Defense recommends employing a 24/7 SOC solution, such as Binary Defense’s own Security Operations Task Force in order to monitor for activity that might be indicative of an intrusion.
Sources:
https://www.justice.gov/opa/pr/assistant-attorney-general-john-c-demers-delivers-remarks-national-security-cyber
https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and
https://us-cert.cisa.gov/ncas/alerts/aa21-048a
https://www.bleepingcomputer.com/news/security/us-indicts-north-korean-hackers-for-stealing-13-billion/
