US names three North Koreans in laundry list of cybercrime charges

The US Department of Justice (DOJ) has just unsealed a lengthy list of cybercrime charges against three North Koreans.

The DOJ explicitly named the three accused men as Jon Chang Hyok (31 years old), Kim Il (27), and Park Jin Hyok (36), alleging them to be part of a North Korean hacking group that you may have heard referred to over the years as APT38 or the Lazarus Group.

APT is shorthand for Advanced Persistent Threat, a jargon term for malware that is designed not only to infect a computer but also to remain in place and to stay active even after the current user logs off or reboots the device. Malware that is persistent essentially runs quietly but continuously in the background until someone spots it and removes it. Sadly, most modern malware has persistence, so it doesn’t magically vanish when you exit your browser or turn off your computer.

According to the indictment, the three men are said to have been criminally active from “no later than September 28, 2009, and continuing through [to] at least December 8, 2020.”

This means that Kim Il (who apparently also went by the name Tony Walker) allegedly got started when he was still a teenager, because he would have been just 15 or 16 years old back in 2009.

The charge sheet makes interesting reading, enumerating 45 specific instances of alleged criminality, referred to formally in the charge sheet as “Overt Acts 1 to 45.”

We advise you to peruse this list and ask yourself, for each Overt Act, the questions: “How well would my own network and staff block an attack of this sort?”, as well as “If we didn’t block it up front, how quickly would we spot it afterwards, before further harm could be done?”

The criminal charges include:

  • Carrying out the infamous Sony Pictures megahack back in 2014. Data stolen allegedly included not only Sony’s intellectual property but also personal information about tens of thousands of employees, including salary and contract details, with some reports suggesting that a whopping 100TB of corporate data was stolen.
  • Hacking into banks and compromising their ATM (cashpoint) networks to enable fraudulent withdrawals. This sort of crime generally involves recruiting so-called “casher crews” in one or more cities around the world who go on ATM withdrawal sprees, typically over one adrenaline-filled night, running from cash machine to cash machine and taking out the maximum per-transaction limit (typically just a few hundred dollars) each time. The casher crews typically give the withdrawn cash in bulk to a handler in return for a cut of the takings.
  • Hacking into banks and issuing fake money transfer instructions using the SWIFT payment network. The DOJ claims the accused got away with more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa.
  • Extorting money via ransomware. The ransomware variants that the accused are alleged to have created and used include the infamous and fast-spreading WannaCry virus of 2017, but the allegations extend right up to 2020. The extortion charges cover both types of blackmail that we commonly see in ransomware attacks these days, namely squeezing the victim to “buy back” the decryption keys to recover any scrambled data, as well as paying “hush money” so the criminals will delete any copies of company data that they stole during the attack.
  • Stealing cryptocurrency via booby-trapped cryptocurrency apps. The allegations refer to range of malicious apps peddled by the accused. These went by innocent-enough names such as Celas Trade Pro, iCryptoFx, Union Crypto Trader, Kupay Wallet and CryptoNeuro Trader. Apparently, these malware programs ended up installed by staff at numerous cryptocurrency trading companies, who quickly found their cryptocurrency holdings depleted by fraudulent outward transfers totalling more than $100 million.
  • Operating a fraudulent Initial Cryptocoin Offering (ICO) called Marine Chain Token. Because Bitcoin was worth quite literally zero when it began, those who mined or acquired bitcoins early on and never sold up have not merely doubled or trebled their money, but are sitting on millionfold or even greater returns. This has led to a frenzy of investors keen to pay real money (or to hand over existing cryptocurrency) to startup comanies who promise to let early adopters get in right at the start of their new cryptocurrency by handing out cryptocoins created especially for the ICO. In an ICO scam, those initial cryptocoins never get issued at all. The scammers simply run off with the money.
  • Launching spearphishing attacks against numerous US organizations. Simply put, spearphishing is just plain old phishing, but where the content of the fraudulent messages is carefully chosen to sound specifically interesting or important to the recipient. The indictment alleges that the accused deliberately targeted defense contractors, energy companies, aerospace companies, technology companies, the US Department of State, and the US Department of Defense.

What to do?

It’s unusual to see a single indictment accusing a small gang of alleged crooks of such a varied list of cybercrimes…

…but each crime on the list is depressingly familiar these days.

Most of us, or perhaps all of us, will have first hand experience of attempted cybercrime attacks, such as ransomware-infected email attachments, booby-trapped web links and fraudulent investment offers; some of us, sadly, will actually have been victims ourselves, or will know an individual or a company who was.

Worse still, the risks are compounded these days by the increasing need to work remotely and to keep contact with colleagues, even people we don’t know very well or have yet to meet in person, over the imperfect medium of teleconferencing, instant messaging, email and the like.

We therefore invite you to read a brand new Sophos White Paper entitled Securing the Anywhere Organization.

Yes, this paper showcases our own products and services, and how to use them for defence-in-depth.

But even if you aren’t using any Sophos offerings, you will find useful checklists to help you answer those questions we proposed at the top of this article: “How likely is it that I’d block an attack of type X outright?”, and “How soon would I notice if the crooks were sneaky enough that I didn’t stop it up front?”