US DoJ charges three members of the North Korea-linked Lazarus APT group

US DoJ charges three members of the North Korea-linked Lazarus APT group

The US DOJ charged three members of the North Korea-linked Lazarus Advanced Persistent Threat (APT) group.

The U.S. Justice Department indicted three North Korean military intelligence officials, members of the Lazarus APT group, for their involvement in cyber-attacks, including the theft of $1.3 billion in money and crypto-currency from organizations around the globe.

The indictment unsealed today charges two North Korean officials, Jon Chang Hyok (31), and Kim Il (27), and expands the charges initially brought against Park Jin-hyok in 2018 by the DoJ.

In 2018, the U.S. Department of Justice charged Park over WannaCry and 2014 Sony Pictures Entertainment Hack.

Lazarus APT indictment

“A federal indictment unsealed today charges three North Korean computer programmers with participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform.” reads the press release published by the DoJ.

The officials are accused to have conducted multiple hacking campaigns against organizations in the United States and abroad, including:

  • Cyberattacks on the Entertainment Industry: The cyberattack on Sony Pictures Entertainment in November 2014 was conducted in retaliation for “The Interview” movie, a fiction on the assassination of the DPRK’s leader. Other attacks included the hack of AMC Theatres in December 2014 and the 2015 intrusion into Mammoth Screen.
  • Cyber-Enabled Heists from Banks: from 2015 through 2019 the APT group attempted to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa.
  • Cyber-Enabled ATM Cash-Out Thefts: Thefts through ATM cash-out schemes – referred to by the U.S. government as “FASTCash” – including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
  • Ransomware and Cyber-Enabled Extortion: The APT group created the WannaCry 2.0 ransomware in May 2017, and carried out extortion and attempted extortion from 2017 through 2020. Threat actors attempted to blackmail victims after stealing sensitive data and deploying ment of other ransomware.
  • Creation and Deployment of Malicious Cryptocurrency Applications: Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 which would provide the North Korean hackers a backdoor into the victims’ computers.
  • Targeting of Cryptocurrency Companies and Theft of Cryptocurrency: Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency.
  • Spear-phishing campaigns targeting US defense contractors, energy companies, aerospace companies, technology companies, the United States Department of State, and the United States Department of Defense.
  • Creating a fake cryptocurrency company and releasing the Marine Chain Token. The scheme enabled investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.

Assistant Attorney General John Demers defined the three hackers and the Lazarus Group as “the world’s leading bank robbers” and “a criminal syndicate with a flag.”

The DOJ also charged a Canadian national named Ghaleb Alaumary for helping the Lazarus Group in money laundering the illegal funds obtained through its activities.

“Federal prosecutors today also unsealed a charge against Ghaleb Alaumary, 37, of Mississauga, Ontario, Canada, for his role as a money launderer for the North Korean conspiracy, among other criminal schemes. Alaumary agreed to plead guilty to the charge, which was filed in the U.S. District Court in Los Angeles on Nov. 17, 2020.” continues the press release.

“Alaumary was a prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes, and other online fraud schemes.”

The man operated a network of money launderers in the US and Canada that relayed the illegal funds to other accounts under the control of North Korean hackers.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus)




Leave a Reply

Your email address will not be published. Required fields are marked *