North Korean Hackers Indicted
On Wednesday 17 February, the Department of Justice unsealed a federal indictment wherein three North Korean hackers were indicted for participating in a criminal conspiracy ranging from destructive cyberattacks, data exfiltration, and fiat and cryptocurrency theft. The three men — Jon Chang Hyok, Kim Il, and Park Jin Hyok — worked for units under the Reconnaissance General Bureau (RGB), known to the Cybersecurity Community as The Lazarus Group. Park was previously charged in September 2018 for his activities related to the 2014 Sony Pictures hack, the 2015-2019 SWIFT Banking hacks, and the 2017 WannaCry ransomware attack. Additionally, a Canadian-American — Ghaleb Alaumary — was indicted for his role in helping the North Korean hackers launder money stolen in cyber-enabled bank heists. The activities listed in this indictment demonstrate the prioritization of eCrime for DPRK-backed threat actors.
North Korean Threat Actors
Unlike other actors in the cyber threat landscape, all North Korea-nexus cyber threat actors are state-sponsored. The bulk of North Korean cyber capabilities are probably subordinate to Bureau 121 of the RGB. Open sources indicate Bureau 121 may have been elevated to a higher-level unit, under the direct purview of Kim Jong Un. Additionally, open sources mention Unit 80, focused on financial crimes, and Unit 91, focused on information theft and espionage, as being subordinate units to Bureau 121. In the United States, private sector cybersecurity firms track North Korean cyber threat activity as Lazarus Group aka Labryinth Chollima, Hidden Cobra. The main subsets of the Lazarus Group are Advanced Persistent Threat (APT) 38 aka Bluenoroff, Stardust Chollima — focusing on financial crime; APT 37 aka Reaper, Ricochet Chollima, ScarCruft — focusing on espionage; Kimsuky aka Velvet Chollima, Thallium, Black Banshee — focusing on information theft; and Andariel aka Silent Chollima — focusing on espionage. Also, BeagleBoyz is a possible subset of APT 38 activity — focusing on financial crime.
In September of last year, DailyNK reported that Kim Son Il — formerly the director of the Korean Worker’s Party (KWP) Office 35 — was appointed as deputy director of the RGB, after Rim Kwang Il replaced Jang Gil Song as director. Rim is reportedly highly competent in tactical operations and focused on improving the technological capabilities of the RGB. Further, Kim’s experience as director of Office 35, responsible for managing intelligence collection and analysis, will be leveraged as the RGB expands its capabilities. Additionally, half of the existing heads of major departments in the RGB were reportedly replaced with new, younger personnel. This decision was likely made to further modernize North Korea’s Computer Network Operations (CNO), which may result in further sophistication of North Korean cyber-enabled intelligence collection and currency generation operations.
North Korean Cyber Activities
The activities listed in the indictment include the destructive Sony Pictures attack in 2014, the SWIFT banking hacks from 2015-2019, the WannaCry ransomware attack in 2017, Marine Chain token in 2017-2018, the FASTCash ATM cash-outs in 2018, cyber-enabled cryptocurrency theft from 2018-2020, and spear phishing campaigns targeting US critical infrastructure components from 2016-2020. Also, the indictment indicates that the three North Koreans were stationed in China, Russia, as well as other countries. This demonstrates that North Korean cyber activities are enabled by access to Chinese and Russian Internet Service Providers, along with other countries likely in Europe and Southeast Asia. Open source reporting has detailed North Korean clandestine operations in Europe, and previous reporting has revealed North Korean activities in the Philippines and Malaysia. North Korea maintains a geographically dispersed corps of clandestine operators, many of which are likely co-located at diplomatic missions.
Additionally, the indictment of Ghaleb Alaumary indicates that North Korean cyber threat actors are working collaboratively with other threat actors in the cyber underground. Ghaleb Alaumary has been a prolific actor in the cyber underground since at least 2012. Alaumary faces separate charges related to Business Email Compromise (BEC) activities in Georgia, and worked with Ramon Olorunwa Abbas aka Ray Hushpuppi — another prolific actor in the cyber underground — to launder funds for the North Koreans. Also, in September of last year, open source reporting suggested the possibility of cooperation between North Korea and Russia-nexus threat actor groups. Increase collaboration with other threat actors demonstrates the credibility that North Korean actors have acquired and provides the North Koreans with opportunities to use services provided by other cyber criminal groups. However, the arrest of Alaumary, and any information he gives up in exchange for sentencing considerations, underscores the criticality of law enforcement disrupting eCrime service providers. Targeting mule services, money laundering services, BEC services, and others, can result in unmasking APT groups and gaining a greater understanding of the cyber threat landscape.
Conclusion
North Korean cyber activities reflect its priorities following the 2017 United Nations Security Council Resolution sanctions, which represented the first time targeted sanctions were applied to the state. Though haphazardly enforced, these sanctions have resulted in degradation of North Korea’s currency generation operations, which has caused a shift in North Korea’s cyber activities. Since 2017, North Korean threat actors — to include traditionally espionage focused actors — have increasingly shifted towards currency generation through cyber-enabled bank heists, ransomware/extortion operations, and targeting cryptocurrency exchanges and companies. 2020 saw an explosion in ransomware/extortion activities among eCrime groups, and it is likely that North Korean threat actors will heavily target this space in the coming year. Organizations targeted by ransomware operators — such as those in the healthcare, financial services, and IT verticals — should consider including North Korean actors into their threat models.
Featured Image: DOJ Indictment
