Andy Dean - Fotolia
The Department of Justice unsealed indictments against three North Korean hackers accused of stealing more than one billion in cryptocurrency, but that's just the tip of the iceberg.
In the announcement Wednesday, the DOJ tied the hackers to the same state-sponsored group behind two of the most significant cyber attacks to date: the Sony Pictures hack and the infamous WannaCry ransomware attacks. The charges against the three operatives, Jon Chang Hyok, Kim Il and Park Jin Hyok, include thefts and extortion schemes that targeted both traditional currencies and cryptocurrencies from banks on four continents. The DOJ said all three individuals were members of hacking groups within the Reconnaissance General Bureau, a military intelligence agency of the Democratic People's Republic of Korea (DPRK). The DPRK-sponsored groups are commonly known in the infosec community as Lazarus Group or APT38.
"The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering," Acting U.S. Attorney Tracy Wilkison for the Central District of California said.
The new charges unsealed today follow a previous indictment in 2018 against Park Jin Hyok in the Sony and WannaCry attacks. According to the announcement, the North Korean programmer, Park Jin Hyok, charged in 2018, conspired to conduct some of the "most damaging cyberattacks ever." Those include the hack-and-dump attack against Sony Pictures Entertainment in 2014, a cyber heist of $81 million from the Bank of Bangladesh and the global WannaCry ransomware attacks in 2017.
Further investigation revealed two other co-conspirators, Jon Chang Hyok and Kim Il, and more charges, including the bank and cryptocurrency heists that stole more $1.2 billion.
Additionally, the DOJ said it has obtained custody over a dual U.S./Canadian national who is accused of organizing the laundering of millions of dollars stolen by the North Korean state-sponsored hackers. Cryptocurrency laundering has become a commonly used tactic by cybercriminals and nation-state hackers to hide the proceeds of their attacks and elude law enforcement.
"He has admitted his role in these criminal schemes in a plea agreement, and he will be held to account for his conduct," Assistant Attorney General John Demers wrote. "The Department was also able to seize and expects to ultimately return almost $2 million stolen by the Democratic People's Republic of Korea (DPRK) hackers from a New York-based financial services company."
Initially, the Sony hack was triggered by a conflict over a 2014 comedy called The Interview, which was set in North Korea. A group calling themselves the Guardians of Peace claimed to have stolen over 100 TB of confidential data from the company. Sony's internal network was breached, and a message was sent out to employees. "We've already warned you. This is just the beginning. We continue til our request be met. We've obtained all your internet data including your secrets and top secret files. If you don't obey us, we'll release data shown below to the world."
The threat actors later released confidential data, including private emails, and also threatened terrorist attacks against movie theaters that showed The Interview. The film was pulled from theaters as a result.
In 2017, WannaCry ransomware spread across computer networks, impacting several high-profile and important systems. The ransomware used an exploit developed by the National Security Agency known as EternalBlue, which exploited a vulnerability in Microsoft's Server Message Block protocol in Windows operating systems. During the initial wave of attacks, security experts advised victims not to pay after reports emerged of organizations failing to receive decryptors for their data. It remains one of the worst attacks in cyber history.