Documents Unsealed: North Korea's Global Hacking Campaign

It may be the most complete picture we've ever had of North Korean hacking campaigns.

It shows the nation-state's sweeping efforts to steal $1.3 billion from the world—and to avenge its name after any perceived slight.

And the targets in this case are widespread: banks, ATMs, cryptocurrency exchanges, online casinos, movie studios such as Sony Pictures, and theater chains such as AMC. The list goes on.

In court documents unsealed this week, the United States Department of Justice revealed its hand to show new evidence.

This included wanted posters of suspects, explained attack vectors of  North Korea backed hackers, and tied the efforts to some recognizable threat actor names: Lazarus Group and Advanced Persistent Threat 38 (APT38).

"As laid out in today's indictment, North Korea's operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world's leading bank robbers," said Assistant Attorney General John C. Demers of the DOJ's National Security Division.

North Korea backed cyberattacks and U.S., global targets

The unsealed documents highlight a number of attack targets and motives in an effort to hack, digitally intrude, and defraud. 

"The hacking indictment filed in the U.S. District Court in Los Angeles alleges that Jon Chang Hyok (전창혁), 31; Kim Il (김일), 27; and Park Jin Hyok (박진혁), 36, were members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People's Republic of Korea (DPRK), which engaged in criminal hacking."

• Cyberattacks on the Entertainment Industry: The destructive cyberattack on Sony Pictures Entertainment in November 2014 in retaliation for "The Interview," a movie that depicted a fictional assassination of the DPRK's leader; the December 2014 targeting of AMC Theatres, which was scheduled to show the film; and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
• Cyber-Enabled Heists from Banks: Attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks' computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages.
• Cyber-Enabled ATM Cash-Out Thefts: Thefts through ATM cash-out schemes—referred to by the U.S. government as "FASTCash"—including the October 2018 theft of $6.1 million from BankIslami Pakistan Limited (BankIslami).
• Ransomware and Cyber-Enabled Extortion: Creation of the destructive WannaCry 2.0 ransomware in May 2017, and the extortion and attempted extortion of victim companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware.
• Creation and Deployment of Malicious Cryptocurrency Applications: Development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020—including Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale—which would provide the North Korean hackers a backdoor into the victims' computers.
• Targeting of Cryptocurrency Companies and Theft of Cryptocurrency: Targeting of hundreds of cryptocurrency companies and the theft of tens of millions of dollars' worth of cryptocurrency, including $75 million from a Slovenian cryptocurrency company in December 2017; $24.9 million from an Indonesian cryptocurrency company in September 2018; and $11.8 million from a financial services company in New York in August 2020 in which the hackers used the malicious CryptoNeuro Trader application as a backdoor.
• Spear-Phishing Campaigns: Multiple spear-phishing campaigns from March 2016 through February 2020 that targeted employees of United States cleared defense contractors, energy companies, aerospace companies, technology companies, the U.S. Department of State, and the U.S. Department of Defense.
• Marine Chain Token and Initial Coin Offering: Development and marketing in 2017 and 2018 of the Marine Chain Token to enable investors to purchase fractional ownership interests in marine shipping vessels, supported by a blockchain, which would allow the DPRK to secretly obtain funds from investors, control interests in marine shipping vessels, and evade U.S. sanctions.

North Korean hackers indicted, now have FBI wanted posters

The indictment says the suspects in this case are part of North Korean military hacking units known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38). Here are the wanted posters for the three suspects. [Click each one to expand and read about their alleged cyber exploits.]

North Korean hacking methods and attack vectors

The indictment of these suspects is 33 pages long, so we're only scratching the surface here. But a couple of key paragraphs from the court documents explain a popular step-by-step strategy North Korea nation-state hackers frequently follow:

"The computer intrusions often started with fraudulent, spear-phishing messages—emails and other electronic communications designed to make intended victims download and execute malicious software ('malware') developed by the hackers.

At other times, the spear-phishing messages would encourage intended victims to download or invest in a cryptocurrency-related software program created by the hackers, which covertly contained malicious code and/or would subsequently be updated with malicious code after the program was downloaded (a 'malicious cryptocurrency application').

To hone the spear-phishing messages, the hackers would conduct internet research regarding their intended victims and would send 'test' spear-phishing messages to each other or themselves. The hackers employed false and fraudulent personas when they sent spear-phishing messages to victims.

Once they gained access to a victim computer system, the hackers would conduct research within the system, attempt to move laterally within a computer network, and attempt to locate and exfiltrate sensitive and confidential information.

In both revenge and financially-motivated computer attacks, the hackers would, at times, execute commands to destroy computer systems, deploy ransomware, or otherwise render the computers of their victims inoperable."

Court documents also reveal the hackers attempted to throw up false flags to try to get other nation-states blamed for the attacks. This is one of the reasons cyberattack attribution is so difficult.

Nation-state expert: this is why North Korea hacks

It's no secret that North Korea is in dire financial straits because of widescale economic sanctions against it. 

CNN Analyst and nation-state cyber expert Col. Cedric Leighton recently appeared on The SecureWorld Sessions podcast. In a conversation focused on the Russia-linked SolarWinds attack, the conversation turned to other nation-state actors including North Korea. 

Here is part of what Leighton had to say:

"They are literally the Hermit Kingdom, which is what they used to call Korea back in the late 19th century. But this version of the Hermit Kingdom is, of course, a totalitarian communist entity and their efforts at regime survival include making as much money as they possibly can.

One of the things they're doing from a cybersecurity perspective is actually quite innovative. It's a fairly recent development, but they've been able to get into certain security blogs that cybersecurity researchers use. And they've been able to dupe a few of them into downloading malware.

This is how they can trace research efforts in the cybersecurity realm, which is a pretty sophisticated thing to do, especially for a country where the general population has no internet access and very limited cell phone coverage.

They are going to preserve their dynasty and do their best to preserve their way of life and a self-reliant philosophy. And that is why they are engaged in these operations, which can be quite a thorn in our side."

Listen to the podcast episode which covers North Korea, Russia, China, and Iran cyberthreats, with discussion on the SolarWinds supply chain attack fallout:

What is the point of charging North Korean hackers?

FBI Deputy Director Paul Abbate says by arresting facilitators, seizing funds, and charging those responsible for the hacking conspiracy, the FBI helps create some consequence for our cyber enemies. 

And it certainly helps reveal the depth and breadth of the threat, for organizations and lawmakers.

"This case is a particularly striking example of the growing alliance between officials within some national governments and highly sophisticated cyber-criminals," said U.S. Secret Service Assistant Director Michael R. D'Ambrosio. "The individuals indicted today committed a truly unprecedented range of financial and cyber-crimes: from ransomware attacks and phishing campaigns, to digital bank heists and sophisticated money laundering operations. With victims strewn across the globe, this case shows yet again that the challenge of cybercrime is, and will continue to be, a struggle that can only be won through partnerships, perseverance, and a relentless focus on holding criminals accountable."