These North Korean hackers stole over $1.3 billion, US authorities say

They created and marketed a fake cryptocurrency that ostensibly let investors buy fractional ownership interests in marine shipping vessels; they infected banks’ switch application servers gaining access to where networks handle ATM transactions, stealing millions from cash machines in over 30 countries; they hacked Sony Pictures Entertainment; they launched an audacious attempt to steal $1.2 billion by sending fraudulent SWIFT messages; and they hacked scores of cryptocurrency companies, stealing over $100 million. They even breached the website of the Polish Financial Supervision Authority, turning it into a "watering hole". Reprehensible, but also impressively global and technically adept for the otherwise hermetically sealed rogue state of North Korea; a country that has just two routes on to the internet; a brace of Chinese and Russian fibre optic cables.

The cases above were all named in a hacking indictment filed in the U.S. District Court in Los Angeles and unsealed by the Department of Justice on Wednesday February 17. The case alleges that Jon Chang Hyok, 31; Kim Il, 27; and Park Jin Hyok, 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK), known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38).

They helped steal or extort a colossal $1.3+ billion, prosecutors said.

"North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said Assistant Attorney General John C. Demers of the Justice Department, adding "the Department will continue to confront malicious nation state cyber activity with our unique tools and work with our fellow agencies and the family of norms abiding nations to do the same.”

North Korean hackers indicted

North Korea has (like most nation states engaging in offensive online campaigns, or cybercrime) stationed teams to conduct the work overseas, which helps muddy the waters for investigators trying to attribute attacks to specific actors. The three defendants were no exception, US officials said in the indictment, and "were at times stationed by the North Korean government in other countries, including China and Russia".

The North Koreans used a Canadian asset to help launder the money. Ghaleb Alaumary, 37, based in Ontario, has agreed to plead guilty to a charge of money laundering. Alaumary was a "prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes, and other online fraud schemes" the DoJ said, organising teams throughout the US and Canada to launder "millions of dollars obtained through ATM cash-out operations, including from BankIslami and a bank in India in 2018.

Alaumary also conspired with Ramon Olorunwa Abbas, aka “Ray Hushpuppi,” and others to launder funds from a North Korean-perpetrated cyber-enabled heist from a Maltese bank in February 2019.

With Alaumary pleading guilty to charges filed on November 17, 2020 and the North Korean trio charged later, it seems likely that investigators used access to the money launderer to help underpin their investigations.

Several US government agencies including the Treasury, FBI, and cybersecurity agency CISA simultaneously released a Joint Cybersecurity Advisory and seven Malware Analysis Reports (MARs) on the North Korean government’s dissemination of malware used to steal cryptocurrency. (The advisories can be accessed below).

north korean hackers indicted — Alleged DPRK hacker Jon Chang Hyok.

It is likely that the North Korean hackers and their superiors view modified cryptocurrency trading applications as a means to circumvent sanctions, the FBI said. (The country also smuggles gold from his prolific gold mines, sells arms, and trades drugs to raise foreign currency).

Among their techniques, the North Korean hackers trojanised legitimate cryptocurrency trading applications to create and disseminate their own application. They then used this compromised application to deliver a Remote Administration Tool (RAT) to victim companies, the agencies said in their joint threat alert.

There were various takes on this technique, but all seven forms of the malware were bundled with modified copies of legitimate cryptocurrency applications and can be used as originally designed to trade cryptocurrency, the US agencies said. Both Celas LLC and JMT Trader [two of the trojanised applications] modified the same [legitimate] cryptocurrency application, Q.T. Bitcoin Trader; Union Crypto Trader modified the Blackbird Bitcoin Arbitrage application. The US agencies warned that cryptocurrency users should:

"Verify source of cryptocurrency-related applications.
"Use multiple wallets for key storage, striking the appropriate risk balance between hot and cold storage.
"Use custodial accounts with multi-factor authentication mechanisms for both user and device verification.
"Patronize cryptocurrency service businesses that offer indemnity protections for lost or stolen cryptocurrency.
"Consider having a dedicated device for cryptocurrency management.

The indictment comes as western law enforcement agencies aim to increasingly publicly indict cybercriminals, often including details in the indictments that hint tellingly at aggressive surveillance measures. Among those targeted in recent years have been the kingpin of the "Evil Corp." cybercrime syndicate, 32-year-old Maksim Yakubets (who drives a Lamborghini around Moscow with a number plate that reads “Thief”)

Among other recent law enforcement campaigns against cybercriminals, authorities worldwide in January 2021 disrupted one of most significant botnets of the past decade: EMOTET, taking control of its infrastructure in an international coordinated action that involved authorities in the Netherlands, Germany, the United States, the United Kingdom, France, Lithuania, Canada and Ukraine, coordinated by Europol and Eurojust.

Arguably curiously, the North Korean hackers appear to have some footprint in the UK; in February 2019 after hacking the Maltese Bank’s computer network at an earlier date, transferring $6.4 million and €7.1 million to bank accounts in Hong Kong, the United Kingdom, the United States, and the Czech Republic", the prosecutors said. The full list of the incidents they are being indicted for, along with their tactics, can be found here.