DOJ charges three in WannaCry attacks, attempts to steal $1.3B

North Korea flag and program code shutterstock id 1198193245 By Mehaniq 

The Justice Department unsealed a case against three North Korean hackers on Wednesday, alleging the group is part of a military intelligence service responsible for the 2017 WannaCry attacks as well as numerous attempts in recent years to steal $1.3 billion in money and cryptocurrencies.

DOJ announced it is charging Jon Chang Hyok and Kim Il as well as Park Jin Hyok, who was previously connected to WannaCry in a 2018 indictment, with conspiracy to commit to wire fraud and bank fraud. The government also unsealed a separate but related charge against Ghaleb Alaumary, a dual U.S.-Canadian citizen, who is alleged to have conspired with the North Koreans to launder millions of dollars from a Maltese bank in Feb. 2019.

The indictment was filed Dec. 8, 2020 in the U.S. District Court for the Central District of California.

The federal government has previously attributed the WannaCry attacks to North Korea and accused Park of being part of the Lazarus Group, an advanced persistent threat hacking group associated with the North Korean government. The new indictment alleges that Jon, Kim and Park are specifically part of the country's military intelligence service, the Reconnaissance General Bureau.

"Simply put, the regime has become a criminal syndicate with a flag, which harnesses its state resources to steal hundreds of millions of dollars," said Assistant Attorney General John Demers.

The indictment says the group played a role in the 2014 attack on Sony Pictures Entertainment in retaliation for the depiction of North Korean its comedy feature "The Interview," multiple attempts to steal currencies from banks in several different countries, delivering malicious code to U.S. banks in order to withdraw limitless money from ATMs, spear-phishing campaigns targeted at U.S. government contractors and launching cryptocurrencies websites for trading that conceal their connection to the North Korean government.

"What we've seen almost uniquely out of North Korea is trying to raise funds through illegal cyber activities," Demers told reporters today. "Their need as a country is for currency because of their economic system and because of the sanctions that are placed on them."

He added that the North Koreans' focus on stealing currency through their cyber activities is "not something we really see from actors in China and Russia or in Iran."

In addition to the criminal charges, the FBI, Department of Homeland Security and Cybersecurity and Infrastructure Security Agency also published a malware analysis report on a family of malicious North Korean cryptocurrency applications referred to as "AppleJeus."

"The joint cybersecurity advisory and malware analysis provides the cybersecurity community and the public with information about North Korean malicious cryptocurrency applications in order to prevent compromise and intrusion as well as to remedy infections that have already occurred," said Kristi Johnson, assistant director in charge of the FBI's Los Angeles field office.

The North Koreans have used AppleJeus since 2018 to pose as a legitimate cryptocurrency trading company. In addition to the trading websites, the hackers also use phishing, social networking and "social engineering techniques to lure users" into downloading malware, according to the advisory.

About the Author

Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected