A federal indictment unsealed today charges three North Korean computer programmers with a wide-ranging criminal conspiracy of destructive cyberattacks, including attacks on Sony Pictures Entertainment, AMC Theatres and Mammoth Screen.
The list of crimes cited by the Department of Justice includes the cyberattack on Sony Pictures Entertainment in November of 2014 in retaliation for The Interview, a movie that depicted the fictional assassination of North Korean leader Kim Jong Un; the December 2014 targeting of AMC Theatres, which was scheduled to show the film; and a 2015 intrusion into Mammoth Screen, which was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
The indictment, filed in the U.S. District Court in Los Angeles, alleges that Jon Chang Hyok, Kim Il and Park Jin Hyok were members of units of the Reconnaissance General Bureau (RGB) — a military intelligence agency of the Democratic People’s Republic of Korea (DPRK) — engaged in criminal hacking. Park was previously charged in a criminal complaint involving the Sony hack that was unsealed in September 2018.
The trio’s other alleged crimes include stealing and extorting more than $1.3 billion of money and cryptocurrency from financial institutions and companies; creating and deploying multiple malicious cryptocurrency applications; and developing and fraudulently marketing a blockchain platform.
“As laid out in today’s indictment, North Korea’s operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, are the world’s leading bank robbers,” said Assistant Attorney General John C. Demers of the Justice Department’s National Security Division. “The Department will continue to confront malicious nation state cyber activity with our unique tools and work with our fellow agencies and the family of norms abiding nations to do the same.”
“The scope of the criminal conduct by the North Korean hackers was extensive and long-running, and the range of crimes they have committed is staggering,” said Acting U.S. Attorney Tracy L. Wilkison for the Central District of California. “The conduct detailed in the indictment are the acts of a criminal nation-state that has stopped at nothing to extract revenge and obtain money to prop up its regime.”
The North Korean military hacking units are known by multiple names in the cybersecurity community, including Lazarus Group and Advanced Persistent Threat 38 (APT38).
The Sony cyberattack froze Sony’s computer systems and resulted in the disclosure of tens of thousands of leaked and sometimes embarrassing emails and other materials. Sony canceled the theatrical release of the Seth Rogen spoof comedy, The Interview, after threats were made to theaters, and posted the film on YouTube instead. The studio eventually settled a class-action suit by employees over leaked information, agreeing to pay $8 million.
That attack was revenge. Today, the DOJ cited an updated “broad array of criminal cyber activities undertaken by the conspiracy, in the United States and abroad, for revenge or financial gain.”
The allegations include attempts from 2015 through 2019 to steal more than $1.2 billion from banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and Africa by hacking the banks’ computer networks and sending fraudulent Society for Worldwide Interbank Financial Telecommunication (SWIFT) messages.
The DOJ also alleges the creation of the destructive WannaCry 2.0 ransomware in May 2017, and extortion of companies from 2017 through 2020 involving the theft of sensitive data and deployment of other ransomware, as well as the development of multiple malicious cryptocurrency applications from March 2018 through at least September 2020, which would provide the North Korean hackers a backdoor into the victims’ computers.