Lazarus: Three North Koreans Charged for Financially Motivated Attacks

The U.S. government has charged three men in relation to a string of financially motivated cyber attacks linked to the North Korean Lazarus (aka Appleworm) group. The attackers stole approximately $1.3 billion from a range of financial institutions and cryptocurrency exchanges.


In a second case, a Canadian-American citizen has pleaded guilty to involvement in a money laundering scheme linked to heists organized by the Lazarus group.


The charges relate to a number of financially motivated attacks, including several investigated by Symantec, a division of Broadcom (NASDAQ: AVGO).


Banking attacks


Lazarus was linked to a 2016 attack that stole US$81 million from the Bangladesh Central Bank and a number of other attacks against banks in Asia and South America. The attacks prompted an alert by payments network SWIFT, after it was found that the attackers had used malware to cover up evidence of fraudulent transfers.


In order to steal such massive sums, the attackers deployed relatively sophisticated malware, most notably Trojan.Banswift, which was used to wipe evidence of fraudulent transactions. Banswift shared code with an older Lazarus tool called Backdoor.Contopee. Contopee, along with two other pieces of Lazarus malware, Backdoor.Fimlis and Backdoor.Fimlis.B, was already being used in limited targeted attacks against the financial sector in South-East Asia.


Financially motivated attacks continued into 2017,