US charges three North Koreans for major hacks and cyber-thefts

The United States Justice Department has charged three computer programmers working for the North Korean military with using cross-border cyberattacks to raise money for North Korea and its leader Kim Jong Un.

A federal indictment unsealed in federal court in Los Angeles, California alleges Jon Chang-hyok, age 31, Kim Il, age 27, and Park Jin-hyok, age 36, are members of North Korea’s military intelligence service, the Reconnaissance General Bureau.

The three hackers were responsible for a wide-ranging series of cyberattacks beginning in 2014 with the hack of Sony Pictures Entertainment and thefts from banks in Asia and Africa the indictment alleges.

The hackers extorted or stole more than $1.3bn in cash and cryptocurrency, the US Justice Department said in a press release announcing the charges.

“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” said acting US Attorney Tracy Wilkison.

“The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime,” Wilkison said.

The North Korean military hacker units are known in cybersecurity circles as “Lazarus Group” and “Advanced Persistent Threat 38 (APT38)”, the Justice Department said.

The hackers targeted Sony Pictures in retaliation for the comedic movie The Interview which had depicted the assignation of North Korea’s leader, according to the DOJ.

Using fake interbank messages, the hackers attempted to steal from financial institutions in Bangladesh, Vietnam, Taiwan, Mexico, Malta and several African countries, the indictment alleges.

Other alleged schemes included a $6.1m ATM heist from Bank Islami in Pakistan, creation of the destructive WannaCry 2.0 ransomware used to extort companies and the UK’s National Health Service.

The North Korean hackers allegedly stole $75m from a Slovenian cryptocurrency company, $25m from an Indonesian cryptocurrency company, and nearly $12m from a New York firm using a malicious cryptocurrency back door.

At times, the three North Korean hackers worked from locations in other countries including Russia and China, the US officials said.

Multiple spear-phishing campaigns targeted employees of US defence contractors, energy, aerospace and technology companies, as well as the US Department of State and Department of Defense, officials alleged.

Park Jin-hook had been previously charged by US authorities in the Sony Pictures hack and theft in a cyber-heist from Bangladesh’s central bank.

In addition to the criminal charges, which are unlikely to reach adjudication in any US court because the three individuals are located in North Korea, the FBI and the US Department of Homeland Security issued a public advisory on the North Korean cryptocurrency malware.