Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/17/2021
06:05 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

US Unseals Indictments Against North Korean Cyberattackers for Thefts Totaling $1.3B

FBI, CISA, and Treasury Department also release details about North Korean malware used in cryptocurrency thefts since 2018.

The US government today unsealed indictments against three members of North Korea's military intelligence agency, Reconnaissance General Bureau (RGB), for their alleged role in numerous cyberattacks in recent years that resulted in the theft of more than $1.3 billion from organizations worldwide.

Simultaneously, the FBI, the Treasury Department, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) also released malware details and indicators of compromise (IoC) associated with a North Korea-backed campaign called "AppleJeus," which has been targeting organizations conducting cryptocurrency transactions since 2018. In an alert, the three organizations released details on seven AppleJeus variants that have been released since the malware was first uncovered.

Related Content:

Why North Korea Excels in Cybercrime

Special Report: Understanding Your Cyber Attackers

New From The Edge: Breach Etiquette: How to Mind Your Manners When It Matters

The actions represent the US government's continuing efforts to track down and deter what many perceive as attempts by the sanctions-crippled North Korean government to, among other things, finance its nuclear and ballistic missile initiatives through cyberattacks. Earlier this month, for instance, a panel of experts monitoring North Korean activities, submitted a report to the U.N. Security Council that warns of cyber actors from the country attacking financial companies and cryptocurrency exchanges to generate money for modernizing its nuclear program.

"We continue to shine a light on the global campaign of criminality being waged by the DPRK," said assistant attorney general John Demers in a prepared statement. "Nation-state indictments like this are an important step in identifying the problem, calling it out in a legally rigorous format, and building international consensus."

One of the individuals identified in the indictments that were unsealed today — Park Jin Hyok, 36 — was also previously charged in 2018 for his alleged participation in numerous cyberattacks. They include the 2014 attack on Sony, the WannaCry ransomware attacks of 2017, and the theft of $81 million from the Bangladesh Bank in 2016.

Today's indictment expands on those charges and identifies two other individuals — Jon Chang Hyok, 31, and Kim Il, 27 — from RGB who allegedly worked with Park on these and numerous other campaigns. A statement announcing the charges associated the three individuals with a broad array of criminal cyber activity, including attacks on the entertainment industry and attempts to steal more than $1.2 billion via attacks on banks in Vietnam, Bangladesh, Taiwan, and other countries. Other alleged activities, spanning multiple years, include so-called ATM cash-out attacks, ransomware attacks, the creation and distribution of malicious cryptocurrency apps and cryptocurrency theft.

All three individuals were identified as members of an RGB unit that the cybersecurity industry has long been tracking as the Lazarus Group, APT38, Stardust Chollima, and other names.

Also unsealed today were details of a separate criminal case against a Canadian American citizen who has agreed to plead guilty to a massive money-laundering scheme on behalf of North Korea-based cyberthreat actors. The Department of Justice (DoJ) described Ghaleb Alaumary, 37, of Canada as laundering money that North Korean threat actors illegally obtained through ATM cash-out schemes, bank heists, business email compromise campaigns, and other attacks.

"What people may find surprising about the details in the indictments is that the core motivation is financial and the extent of activities was far-reaching – spanning numerous methods, including ransomware and direct theft targeting," says Rusty Carter, chief product officer at LogRhythm. "This was not just targeting government or large financial entities, but individuals as well, via malicious end-user consumer applications."

A China and Russia Link?
According to the DoJ, at least some of the malicious activities the three individuals are accused of participating in occurred while they were stationed as RGB operatives in China, Russia, and other countries. The DoJ statement offers no indication whether the US believes that threat groups from either country collaborated with the North Korean operatives on these attacks.

However, security vendors and threat intelligence firms that have been tracking North Korean threat activities have previously noted such a connection. Last September, for instance, threat intelligence firm Intel 471 examined data from multiple public and open sources and concluded that North Korean threat actors were likely active in underground markets and maintained relationships with top Russian-speaking criminal cybergroups such as TA505. The firm found that malware written and meant to be used by North Korean actors was likely being delivered via network infrastructure belonging to Russian cybercriminals.

"The cybercriminal underground provides the North Koreans with various tools, compromised system accesses, and datasets to commit cybercrimes," says Mark Arena, CEO at Intel 471.

In specific instances mentioned in last year's report, Russian-speaking cybercriminals provided North Korean threat actors with access to financial institutions, Arena says.

"Performing follow-up intrusion activity within financial institutions is a complex task that North Korean threat actors have been successfully doing for a number of years," he says.

That's the reason why Russian-speaking cybercriminals leverage North Korean threat actors to carry out this activity, Arena adds.

"It's likely that the criminal proceeds of this activity would be shared between the Russian-speaking cybercriminals and the North Korean threat actors performing this activity," he says.

Others, including NTT Security and SentineOne, have pointed to a potential collaboration between the Lazarus Group and Russia-based threat actors after spotting the former use an attack toolset developed by the latter to break into targeted networks.

Meanwhile, the details released today by the FBI, CISA, and Treasury Department about AppleJeus pertain to a North Korean campaign to steal cryptocurrency from exchanges and financial institutions.

As part of the campaign, the Lazarus Group is believed to have developed and distributed seemingly legitimate cryptocurrency trading apps that contained malware for stealing cryptocurrency. The malware is designed to attack both Windows and Mac platforms and was typically planted on a site that appeared to belong to a legitimate cryptocurrency trading company, the FBI and the others said.

In addition, the threat actors also distributed the malware via phishing and other social engineering tricks. Organizations in multiple industries have been targeted in the campaign, including government, finance, energy, technology, and telecommunications. Victims have included organizations in the United States and more than two dozen other countries, such as Canada, China, Germany, India, Italy, and Japan.

The technical details released today about AppleJeus cover versions of the malware from the first one, hidden in a Trojanized cryptocurrency app called Celas Trade Pro, to version 7 of the malware called "Ants2Whale," which was released in September 2020.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Edge-DRsplash-10-edge-articles
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
Commentary
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-19924
PUBLISHED: 2021-05-18
In Boostnote 0.12.1, exporting to PDF contains opportunities for XSS attacks.
CVE-2020-20220
PUBLISHED: 2021-05-18
Mikrotik RouterOs prior to stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/bfd process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).
CVE-2020-20227
PUBLISHED: 2021-05-18
Mikrotik RouterOs stable 6.47 suffers from a memory corruption vulnerability in the /nova/bin/diskd process. An authenticated remote attacker can cause a Denial of Service due to invalid memory access.
CVE-2020-20245
PUBLISHED: 2021-05-18
Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the log process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.
CVE-2020-20246
PUBLISHED: 2021-05-18
Mikrotik RouterOs stable 6.46.3 suffers from a memory corruption vulnerability in the mactel process. An authenticated remote attacker can cause a Denial of Service due to improper memory access.