
US DoJ charges three members of the North Korea-linked Lazarus APT group

The US DOJ charged three members of the North Korea-linked Lazarus Advanced Persistent Threat (APT) group.

The U.S. Justice Department indicted three North Korean military intelligence officials, members of the Lazarus APT group, for their involvement in cyber-attacks, including the theft of $1.3 billion in money and crypto-currency from organizations around the globe.

The indictment unsealed today charges two North Korean officials, Jon Chang Hyok (31), and Kim Il (27), and expands the charges initially brought against Park Jin-hyok in 2018 by the DoJ.

In 2018, the U.S. Department of Justice had charged Park over the WannaCry attack and the 2014 Sony Pictures Entertainment hack.

“A federal indictment unsealed today charges three North Korean computer programmers with participating in a wide-ranging criminal conspiracy to conduct a series of destructive cyberattacks, to steal and extort more than $1.3 billion of money and cryptocurrency from financial institutions and companies, to create and deploy multiple malicious cryptocurrency applications, and to develop and fraudulently market a blockchain platform,” reads the press release published by the DoJ.

The officials are accused of having conducted multiple hacking campaigns against organizations in the United States and abroad, including:

  • Cyberattacks on the Entertainment Industry: The cyberattack on Sony Pictures Entertainment in November 2014 was conducted in retaliation for “The Interview,” a fictional film about the assassination of the DPRK’s leader. Other attacks included the hack of AMC Theatres in December 2014 and the 2015 intrusion into Mammoth Screen.
  • Cyber-Enabled Heists from Banks: From 2015 through 2019 the APT group attempted to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa.
  • Cyber-Enabled ATM Cash-Out Thefts: Thefts through ATM cash-out schemes – referred to by the U.S. government as “FASTCash” – including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
  • Ransomware and Cyber-Enabled Extortion: The APT group created the WannaCry 2.0 ransomware in May 2017, and carried out extortion and attempted extortion from 2017 through 2020. The threat actors attempted to blackmail victims after stealing sensitive data and deploying other ransomware.
  • Creation and Deployment of Malicious Cryptocurrency Applications: Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020 that would provide the North Korean hackers with a backdoor into the victims’ computers.
  • Targeting of Cryptocurrency Companies and Theft of Cryptocurrency: Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars’ worth of cryptocurrency.
  • Spear-phishing campaigns targeting US defense contractors, energy companies, aerospace companies, technology companies, the United States Department of State, and the United States Department of Defense.
  • Creating a fake cryptocurrency company and releasing the Marine Chain Token. The scheme would have enabled investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would have allowed the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.

Assistant Attorney General John Demers defined the three hackers and the Lazarus Group as “the world’s leading bank robbers” and “a criminal syndicate with a flag.”

The DOJ also charged a Canadian national, Ghaleb Alaumary, for helping the Lazarus Group launder the illegal proceeds of its activities.

“Federal prosecutors today also unsealed a charge against Ghaleb Alaumary, 37, of Mississauga, Ontario, Canada, for his role as a money launderer for the North Korean conspiracy, among other criminal schemes. Alaumary agreed to plead guilty to the charge, which was filed in the U.S. District Court in Los Angeles on Nov. 17, 2020,” continues the press release.

“Alaumary was a prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes, and other online fraud schemes.”

Alaumary operated a network of money launderers in the US and Canada that relayed the illegal funds to other accounts under the control of the North Korean hackers.


Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus)
