DOJ charges three in WannaCry attacks, attempts to steal $1.3B

In addition to unsealing the charges against three North Korean hackers, the U.S. government also published indicators of compromise for a family of malicious cryptocurrency applications called "AppleJeus."

North Korea flag and program code shutterstock id 1198193245 By Mehaniq

The Justice Department unsealed a case against three North Korean hackers on Wednesday, alleging the group is part of a military intelligence service responsible for the 2017 WannaCry attacks as well as numerous attempts in recent years to steal $1.3 billion in money and cryptocurrencies.

DOJ announced it is charging Jon Chang Hyok and Kim Il as well as Park Jin Hyok, who was previously connected to WannaCry in a 2018 indictment, with conspiracy to commit to wire fraud and bank fraud. The government also unsealed a separate but related charge against Ghaleb Alaumary, a dual U.S.-Canadian citizen, who is alleged to have conspired with the North Koreans to launder millions of dollars from a Maltese bank in Feb. 2019.

The indictment was filed Dec. 8, 2020 in the U.S. District Court for the Central District of California.

The federal government has previously attributed the WannaCry attacks to North Korea and accused Park of being part of the Lazarus Group, an advanced persistent threat hacking group associated with the North Korean government. The new indictment alleges that Jon, Kim and Park are specifically part of the country's military intelligence service, the Reconnaissance General Bureau.

"Simply put, the regime has become a criminal syndicate with a flag, which harnesses its state resources to steal hundreds of millions of dollars," said Assistant Attorney General John Demers.

The indictment says the group played a role in the 2014 attack on Sony Pictures Entertainment in retaliation for the depiction of North Korean its comedy feature "The Interview," multiple attempts to steal currencies from banks in several different countries, delivering malicious code to U.S. banks in order to withdraw limitless money from ATMs, spear-phishing campaigns targeted at U.S. government contractors and launching cryptocurrencies websites for trading that conceal their connection to the North Korean government.

"What we've seen almost uniquely out of North Korea is trying to raise funds through illegal cyber activities," Demers told reporters today. "Their need as a country is for currency because of their economic system and because of the sanctions that are placed on them."

He added that the North Koreans' focus on stealing currency through their cyber activities is "not something we really see from actors in China and Russia or in Iran."

In addition to the criminal charges, the FBI, Department of Homeland Security and Cybersecurity and Infrastructure Security Agency also published a malware analysis report on a family of malicious North Korean cryptocurrency applications referred to as "AppleJeus."

"The joint cybersecurity advisory and malware analysis provides the cybersecurity community and the public with information about North Korean malicious cryptocurrency applications in order to prevent compromise and intrusion as well as to remedy infections that have already occurred," said Kristi Johnson, assistant director in charge of the FBI's Los Angeles field office.

The North Koreans have used AppleJeus since 2018 to pose as a legitimate cryptocurrency trading company. In addition to the trading websites, the hackers also use phishing, social networking and "social engineering techniques to lure users" into downloading malware, according to the advisory.