For the third time in less than a month, the United States Department of Justice (DOJ) announced a major enforcement action against an international cybercriminal organization that infiltrated public and private computer networks, fundamentally compromised these systems, and sought to obtain over a billion dollars from this illicit access. This past week’s indictment, which was obtained by the United States Attorney’s Office for the Central District of California, is particularly notable in that it: (1) shines a spotlight on the operations of a decade-long effort by a North Korean state sponsored cybercriminal organization to inflict monetary and reputational harm on targeted government agencies and contractors, financial institutions, cryptocurrency platforms, online casinos and entertainment industry companies; and (2) and highlights the broad array of methods utilized by this organization to evade network cybersecurity protections, exploit computer networks, and steal intellectual property and corporate secrets, while also conducting cyber-extortions, ransomware attacks, and cyber-enabled heists of bank-held funds, ATMs, and cryptocurrency. The threat posed by this organization is sufficiently acute that the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Treasury (Treasury) simultaneously released a joint advisory addressing one of the organization’s most invasive tools, the Applejeus malware, that has been used to conduct large-scale cyber-intrusions, including in this case.
The sweeping indictment documents the activities of the notorious cybercriminal organization known within the cybersecurity community as both the Lazarus Group and Persistent Threat 38, which is comprised of members and associates of the North Korean military intelligence agency called the Reconnaissance General Bureau (RGB). Over the past decade, the three charged defendants, along with their co-conspirators, aggressively sought to advance the interests of the RGB and the North Korean government through a series of carefully coordinated cyberattacks that were designed to extort and steal over 1.3 billion dollars in fiat and cryptocurrency.
Reflecting its state sponsored roots, the organization utilized highly sophisticated, often cutting edge, tools to breach security walls, infect databases, and raid these databases of confidential information and assets, including intellectual property and cryptocurrency. For example, rather than engage in typical blunt-force phishing intrusions, the co-conspirators allegedly groomed their targets into accepting the intrusions by conducting background research and engaging in a series of trust-building communications with the targets. After having established a relationship, they would send a link that either contained malware or that could be updated later to include malware. The organization also exploited “watering holes,” embedding malware within legitimate websites, thereby infecting the computers of users who accessed these sites. Notably, the organization also developed and employed its own malware, including Applejeus, which exists in multiple iterations and is designed to mirror legitimate cryptocurrency wallet and exchange platforms, and created a separate fraudulent blockchain platform that allowed it to secure and control investments in marine shipping vessels. When its schemes largely were completed, corrupted databases often would be subject to ransomware attacks or rendered inoperable.
The damage resulting from these cyberattacks has been significant. Multiple government agencies and contractors were targeted because of the sensitive nature of their work. A large international entertainment company had intellectual property stolen and confidential information publicly released as retribution for releasing a movie that the RGB deemed offensive. Banks worldwide were subject to cyber-thefts in which corrupted databases received bogus SWIFT orders that collectively sought the fraudulent transfer of more than a billion dollars and hacked ATM machines were directed to dispense cash on command. Cryptocurrency platforms were breached and a bogus platform was created, together allowing the organization to secure control of tens of millions of dollars of cryptocurrency.
Importantly, the threat from Lazarus Group members, including the charged defendants, remains ongoing. While DOJ also announced that a Canadian-American citizen had pled guilty to a money laundering charge stemming from related conduct, the charged defendants all remain fugitives and the Lazarus Group’s involvement in state sponsored cyberattacks is expected to continue in the future. Therefore, private industry, particularly those involved in the previously targeted financial sectors, should remain vigilant of the tactics utilized by this organization and should consider employing the mitigation measures recommended by CISA, the FBI and Treasury in their accompanying guidance, discussed above.