The US government today unsealed indictments against three members of North Korea's military intelligence agency, Reconnaissance General Bureau (RGB), for their alleged role in numerous cyberattacks in recent years that resulted in the theft of more than $1.3 billion from organizations worldwide.
Simultaneously, the FBI, the Treasury Department, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) also released malware details and indicators of compromise (IoC) associated with a North Korea-backed campaign called "AppleJeus," which has been targeting organizations conducting cryptocurrency transactions since 2018. In an alert, the three organizations released details on seven AppleJeus variants that have been released since the malware was first uncovered.
The actions represent the US government's continuing efforts to track down and deter what many perceive as attempts by the sanctions-crippled North Korean government to, among other things, finance its nuclear and ballistic missile initiatives through cyberattacks. Earlier this month, for instance, a panel of experts monitoring North Korean activities submitted a report to the U.N. Security Council that warns of cyber actors from the country attacking financial companies and cryptocurrency exchanges to generate money for modernizing its nuclear program.
"We continue to shine a light on the global campaign of criminality being waged by the DPRK," said assistant attorney general John Demers in a prepared statement. "Nation-state indictments like this are an important step in identifying the problem, calling it out in a legally rigorous format, and building international consensus."
One of the individuals identified in the indictments that were unsealed today — Park Jin Hyok, 36 — was also previously charged in 2018 for his alleged participation in numerous cyberattacks. They include the 2014 attack on Sony, the WannaCry ransomware attacks of 2017, and the theft of $81 million from the Bangladesh Bank in 2016.
Today's indictment expands on those charges and identifies two other individuals — Jon Chang Hyok, 31, and Kim Il, 27 — from RGB who allegedly worked with Park on these and numerous other campaigns. A statement announcing the charges associated the three individuals with a broad array of criminal cyber activity, including attacks on the entertainment industry and attempts to steal more than $1.2 billion via attacks on banks in Vietnam, Bangladesh, Taiwan, and other countries. Other alleged activities, spanning multiple years, include so-called ATM cash-out attacks, ransomware attacks, the creation and distribution of malicious cryptocurrency apps, and cryptocurrency theft.
All three individuals were identified as members of an RGB unit that the cybersecurity industry has long been tracking as the Lazarus Group, APT38, Stardust Chollima, and other names.
Also unsealed today were details of a separate criminal case against a Canadian American citizen who has agreed to plead guilty to a massive money-laundering scheme on behalf of North Korea-based cyberthreat actors. The Department of Justice (DoJ) described Ghaleb Alaumary, 37, of Canada as laundering money that North Korean threat actors illegally obtained through ATM cash-out schemes, bank heists, business email compromise campaigns, and other attacks.
"What people may find surprising about the details in the indictments is that the core motivation is financial and the extent of activities was far-reaching – spanning numerous methods, including ransomware and direct theft targeting," says Rusty Carter, chief product officer at LogRhythm. "This was not just targeting government or large financial entities, but individuals as well, via malicious end-user consumer applications."
A China and Russia Link?
According to the DoJ, at least some of the malicious activities the three individuals are accused of participating in occurred while they were stationed as RGB operatives in China, Russia, and other countries. The DoJ statement offers no indication whether the US believes that threat groups from either country collaborated with the North Korean operatives on these attacks.
However, security vendors and threat intelligence firms that have been tracking North Korean threat activities have previously noted such a connection. Last September, for instance, threat intelligence firm Intel 471 examined data from multiple public and open sources and concluded that North Korean threat actors were likely active in underground markets and maintained relationships with top Russian-speaking criminal cybergroups such as TA505. The firm found that malware written and meant to be used by North Korean actors was likely being delivered via network infrastructure belonging to Russian cybercriminals.
"The cybercriminal underground provides the North Koreans with various tools, compromised system accesses, and datasets to commit cybercrimes," says Mark Arena, CEO at Intel 471.
In specific instances mentioned in last year's report, Russian-speaking cybercriminals provided North Korean threat actors with access to financial institutions, Arena says.
"Performing follow-up intrusion activity within financial institutions is a complex task that North Korean threat actors have been successfully doing for a number of years," he says.
That's the reason why Russian-speaking cybercriminals leverage North Korean threat actors to carry out this activity, Arena adds.
"It's likely that the criminal proceeds of this activity would be shared between the Russian-speaking cybercriminals and the North Korean threat actors performing this activity," he says.
Others, including NTT Security and SentinelOne, have pointed to a potential collaboration between the Lazarus Group and Russia-based threat actors after spotting the former use an attack toolset developed by the latter to break into targeted networks.
Meanwhile, the details released today by the FBI, CISA, and Treasury Department about AppleJeus pertain to a North Korean campaign to steal cryptocurrency from exchanges and financial institutions.
As part of the campaign, the Lazarus Group is believed to have developed and distributed seemingly legitimate cryptocurrency trading apps that contained malware for stealing cryptocurrency. The malware is designed to attack both Windows and Mac platforms and was typically planted on a site that appeared to belong to a legitimate cryptocurrency trading company, the FBI and the others said.
In addition, the threat actors also distributed the malware via phishing and other social engineering tricks. Organizations in multiple industries have been targeted in the campaign, including government, finance, energy, technology, and telecommunications. Victims have included organizations in the United States and more than two dozen other countries, such as Canada, China, Germany, India, Italy, and Japan.
The technical details released today about AppleJeus cover versions of the malware from the first one, hidden in a Trojanized cryptocurrency app called Celas Trade Pro, to version 7 of the malware called "Ants2Whale," which was released in September 2020.