The US Department of Justice (DOJ) announced on Thursday that it had unsealed a criminal complaint (PDF) charging a North Korea regime-backed programmer, Park Jin Hyok, with being part of a team that launched multiple cyberattacks.
Make that big, dreaded, infamous cyberattacks, including unleashing the global WannaCry 2.0 ransomware in 2017, the 2014 attack on Sony Pictures, and the 2016 $81m cyber heist that drained Bangladesh’s central bank.
Beyond those headline-grabbing cyber assaults, the encyclopedic, 127-page complaint details the hacking team’s other malicious activities, including attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.
The complaint alleges that Park, a North Korean citizen, was a member of a government-sponsored hacking team known as the “Lazarus Group” and that he worked for a North Korean government front company, Chosun Expo Joint Venture (aka Korea Expo Joint Venture or “KEJV”), to support cyber actions on behalf of the Democratic People’s Republic of Korea (DPRK).
Lazarus Group, also known as Guardians of Peace or Hidden Cobra, is a well-known cybercriminal group. In June 2017, US-CERT took the highly unusual step of sending a stark public warning to businesses about the danger of North Korean cyberattacks and the urgent need to patch old software to defend against them.
It specified Lazarus Group. The alert was unusual in that it gave details, asking organizations to report any detected activity from the Lazarus Group/Hidden Cobra/Guardians of Peace to the US Department of Homeland Security’s (DHS’s) National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch).
Specifically, US-CERT told organizations to be on the lookout for DDoS botnet activity, keylogging, remote access tools (RATs), and disk wiping malware, as well as SMB worm malware of the sort blamed for multiple waves of the WannaCry attacks.
The criminal complaint, filed on 8 June in Los Angeles federal court, says that Park worked as a programmer for over a decade for Chosun Expo Joint Venture, which had offices in China and the DPRK and which is affiliated with Lab 110: what the DOJ says is a component of DPRK military intelligence.
Besides programming for Chosun Expo, working for paying clients around the world, Park and his team also allegedly spent their time on spear-phishing campaigns, malware attacks, data exfiltration, swindling money out of bank accounts, ransomware extortion, and propagating “worm” viruses to create botnets.
The complaint focuses on these four headline-grabbing attacks:
- The November 2014 attack on Sony Pictures Entertainment in retaliation for the movie The Interview, a Seth Rogen/James Franco comedy about a plot to kill North Korea’s leader Kim Jong-Un. It never saw the light of day: Sony pulled the movie after theaters received threats specifically mentioning the 9/11 attacks on New York and the Pentagon. The DOJ says that the hackers gained access to Sony’s network by sending malware to Sony employees, after which they stole confidential data, published a massive trove of embarrassing communications on WikiLeaks, threatened Sony executives and employees, and damaged thousands of computers. Sony suffered a good deal of fallout over the attack, including ex-employees suing the company for failing to protect their private information.
- The Bangladesh Bank heist. The criminal complaint alleges that Park and his co-hackers accessed the bank’s computer terminals that interfaced with the Society for Worldwide Interbank Financial Telecommunication (SWIFT) communication system after compromising the bank’s computer network with spear-phishing emails, then sent fraudulently authenticated SWIFT messages directing the Federal Reserve Bank of NY to transfer funds from Bangladesh to accounts in other Asian countries. The team also went after several other banks in various countries from 2015 through 2018 using similar methods and “watering hole attacks,” attempting the theft of at least $1 billion.
- The hackers went after US defense contractors in 2016 and 2017, including Lockheed Martin, in a spear-phishing campaign. The US says that investigators detected some of the same aliases and accounts that were used in the Sony attack, and that sometimes they were accessed from North Korean IP addresses and contained malware “with the same distinct data table found in the malware” used against Sony and certain banks. The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to be from recruiters at competing defense contractors, according to the complaint, and some of the malicious messages made reference to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea. “The attempts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful,” the DOJ said.
- WannaCry 2.0 infected hundreds of thousands of computers around the world in May 2017, causing extensive damage, including paralyzing computers at the United Kingdom’s National Health Service (NHS). Park’s team allegedly developed that malware, along with two prior versions of the ransomware.
The criminal complaint includes charts that visualize Lazarus Group’s attacks and intrusions and show how Park is implicated, including email and social media accounts that connect to each other and were used to send spear-phishing messages; aliases and malware “collector accounts” used to store stolen credentials; common malware code libraries; proxy services used to mask locations; and North Korean, Chinese, and other IP addresses. The US says that some of the group’s infrastructure was used across multiple instances of their cyber-marauding.
Assistant Attorney General Demers said in a statement that the scale and scope of the cyber-crimes alleged in the complaint are “staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations.”
The complaint alleges that the North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations, retaliated against free speech in order to chill it half a world away, and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars’ worth of damage. The investigation, prosecution, and other disruption of malicious state-sponsored cyber activity remains among the highest priorities of the National Security Division and I thank the FBI agents, DOJ prosecutors, and international partners who have put years of effort into this investigation.
As to what happens next, we’ll have to wait and see.
5 comments on “North Korean programmer charged for Sony, WannaCry attacks and more”
It’s odd that most of the crimes were for profit, they know an individual involved, but label it a state sponsored attack.
I just can’t see Kim Jung or even a thief bothering to expose things (discrimination based on gender) to embarrass Sony for things NK still does themselves. I could be convinced he was hired by someone at Sony, but it’s fishy.
While it’s encouraging US intelligence has been able to track some of these events back to an individual, given he’s executing state-sponsored hacking on behalf of one of the most brutal dictatorships in the world, it almost doesn’t matter who he is. I highly doubt he will ever be allowed to leave the DPRK, certainly never to a country with extradition, and ultimately all of this activity is likely to be at the request of or with approval of KJU.
From what I think I gleaned from the charge sheet, the accused leaves (or has left) DPRK regularly and has lived in PRC for long periods. That may not greatly increase his chance of ending up in a US court, but it does seem that your assumption that he’ll won’t “ever be allowed to leave [North Korea]” isn’t correct. For all we know he may have a stash of cash squirrelled away overseas, or at least “over the river” in the case of China.
Thanks for the clarification. I’d still assert that visiting the PRC, as friendly as it is/was with the DPRK, doesn’t necessarily indicate his travel is anything but state-approved or requested. No doubt he’ll be on all US watch lists for travel regardless.
I assume the same thing – I was just noting that it seems he was given quite some latitude to travel already, though (if the allegations are true) he may not want to do so any more, if he’s still allowed out.