

The indictment contends that Park Jin Hyok, 36, Kim Il, 27, and Jon Chang Hyok, 31, stole $1 billion US dollars worth of money and cryptocurrency in multiple cyberattacks targeting financial and fintech institutions, carried out as part of their work for North Korea's military intelligence service. The name of this government agency, translated to English, is “The Reconnaissance General Bureau”.
Images of the accused suspects: Park Jin Hyok, Kim Il and Jon Chang Hyok (Photo credit: US Justice Dept via the LA Times)
Before the indictment, a series of cyberattacks against Sony Entertainment, the Bangladesh Bank, entertainment firms, various defense and energy companies, among others—in Mexico, Indonesia, Vietnam, Pakistan, the Philippines, South Korea, and the US and UK—was attributed to Lazarus, also known as Hidden Cobra or APT38.
North Korean threat actors are known for their aggressive financial motivation, given the constraints of the country's economy and its weak position in foreign trade. North Korea is largely dependent on trade with and foreign aid from China, and multiple international sanctions have been imposed on the state over its stance on nuclear weapons and its longstanding record of human rights violations.
Their operations have shown noticeable shifts in targeting: from private users, to large-scale attacks on organizational infrastructure, to cryptocurrency users.
While large-scale attacks on organizational infrastructure require a greater investment of time and effort, a successful, sophisticated attack can yield substantially greater gains. Cryptocurrency users have also been a viable target for the group, as stolen funds are much easier to move across borders while evading detection.
Cyberint’s Research Team highlights the following findings on their SWIFT attacks, which were the main focus of the indictment:
Today, over 11,000 financial institutions use SWIFT (the Society for Worldwide Interbank Financial Telecommunication) to execute electronic funds transfers. SWIFT, often called the “backbone” of international banking, transports financial messages securely but does not hold accounts for its members.
North Korean threat actors abuse the SWIFT system to steal money, demonstrating extensive knowledge of its behavior and operation.
The attacks targeting SWIFT share a similar pattern:
Based on past campaigns, this is the general flow of an attack on SWIFT systems: