WASHINGTON—Three North Korean hackers who were part of the hermit kingdom’s military intelligence unit have been charged with a major conspiracy to steal $1.2 billion globally.
The Department of Justice (DOJ) on Feb. 17 unsealed an indictment that adds to previous charges, which included a November 2014 hack targeting Sony Pictures Entertainment over the comedy film “The Interview”; a February 2016 cyber-enabled heist of $81 million from Bangladesh Bank and other heists; and the May 2017 global WannaCry 2.0 attack.
Two North Koreans were added to the new indictment, which also expands the scope of the allegations to include schemes to steal hundreds of millions of dollars, according to Tracy Wilkison, acting U.S. attorney in Los Angeles.
“Some of these intrusions occurred as recently as a few months ago, using newly identified strains of malware uncovered by the FBI,” she said on a media call on Feb. 17.
Wilkison identified four new types of schemes employed by the hacking units, which are known publicly as the Lazarus Group and Advanced Persistent Threat 38 (APT38) and are part of the Reconnaissance General Bureau, a North Korean military intelligence agency.
The first is a series of alleged cyber heists targeting banks around the world, from which the hackers attempted to steal $1.2 billion.
“The hackers typically gained access to a bank computer network and sent secure messages through the Swift system that is used to transfer money between banks,” Wilkison said.
The second method was an alleged ATM cash-out scheme, in which the hackers used malware to take control of bank ATMs, allowing cash to be withdrawn without limit.
“This scheme … allowed co-conspirators to withdraw $6.1 million dollars from one bank alone,” Wilkison said.
Third, the indictment states that “the North Korean hackers engaged in cyber extortion, in which they would gain access to computer systems and then steal data or deploy ransomware that would demand payment.”
The fourth method allegedly involved the development and spread of malicious applications that purported to let users trade and store cryptocurrency but instead gave the North Koreans a back door into the computer systems on which they were installed.
One of those applications was used to steal $112 million from three companies, including a New York-based entity.
Marine Chain Token
The other major count in the indictment was a scheme that tricked investors into purchasing ownership interest in marine shipping vessels, such as cargo ships. In reality, the investors were providing both cash and a controlling interest in shipping vessels to the North Korean regime.
“It would have allowed them to obtain funds from abroad and skirt U.S. sanctions that were placed on the regime,” Wilkison said. “The scope of these crimes by the North Korean hackers is staggering. They are the crimes of a nation state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”
The three North Koreans—Jon Chang Hyok, Kim Il, and Park Jin Hyok—are considered fugitives from justice and are believed to be located in North Korea, according to the FBI.
John Demers, assistant attorney general of the DOJ’s National Security Division, said the hackers allegedly worked from inside China and Russia at times.
North Korea has also used Chinese cryptocurrency traders and other criminal networks to launder its funds, Demers said.
North Korean hackers are almost uniquely focused on raising funds through illegal cyber activity, he said.
“Their need as a country is for currency—because of their economic system and because of the sanctions that are placed on them. And so they use their cyber capabilities to get currency wherever they can do that.”
Actors in China, Russia, and Iran are after different targets, such as intellectual property, export-controlled technology, or disrupting elections, Demers said.
“Due to the authoritarian, totalitarian nature of those countries, there’s very little of significance that goes on there without those governments knowing about it.”
Related to the North Korean indictment is the criminal case against money launderer Ghaleb Alaumary, which the DOJ announced at the same time.
Alaumary, a U.S.–Canadian dual citizen, has agreed to plead guilty to conspiring to launder funds for the North Koreans from both the cyber heist and ATM cash-out schemes. He is currently in custody in Georgia.
“According to a plea agreement that was unsealed today, Alaumary conspired to steal and then launder tens of millions of dollars for the North Koreans and other criminals,” Wilkison said.
The FBI asked members of the public to contact their local FBI office if they are a victim of or witness to cybercrime. The agency also warned the general public to be wary of clicking links in emails and texts without close scrutiny.