On September 6, 2018, the U.S. government announced the unsealing of a 179-page criminal complaint filed in the U.S. District Court Central District of California (Los Angeles)[1] charging Park Jin Hyok (aka Jin Hyok Park and Pak Jin Hek), a North Korean citizen, for his participation in a conspiracy to conduct multiple destructive cyberattacks around the world resulting in damage to massive amounts of computer hardware, and the significant loss of data, money and other resources.[2]
According to the complaint, Park participated in a government-sponsored hacking team known as the “Lazarus Group” and worked for a North Korean government front company, Chosun Expo Joint Venture (aka Korea Expo Joint Venture or “KEJV”), to support the DPRK government’s malicious cyber actions. Lazarus Group is the name that private security researchers (including Symantec, Novetta, and BAE) have given to the set of hackers who perpetrated the attacks on SPE, Bangladesh Bank, and other entities.[3]
The conspiracy’s malicious activities include the establishment of the malware used in the 2017 WannaCry 2.0 global ransomware attack; the 2016 theft of $81 million from Bangladesh Bank; the 2014 attack on Sony Pictures Entertainment (SPE); and various other attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.
Simultaneously, Treasury Secretary Steven Mnuchin announced that the Treasury’s Office of Foreign Assets Control (OFAC) designated Park and KEJV under Executive Order 13722 based on the malicious cyber and cyber-enabled activity alleged in the criminal complaint.[4]
The complaint charges Park with one count of conspiracy to commit computer fraud and abuse, for which there is a maximum sentence of five years in prison, and one count of conspiracy to commit wire fraud, for which there is a maximum sentence of 20 years in prison.
Park was a computer programmer and worked for more than a decade for KEJV, which had offices in China and North Korea. KEJV is affiliated with Lab 110, a part of North Korean military intelligence. The conspiracy also engaged in malicious cyber activities, utilizing spear-phishing campaigns, destructive malware attacks, exfiltration of data, theft of funds from bank accounts, ransomware extortion, and propagating “worm” viruses to create botnets.
The complaint describes several of the conspiracy’s alleged malicious cyber activities, both successful and unsuccessful, and in the U.S. and abroad, focusing in particular on four specific examples.
Attacks against Sony Pictures Entertainment (SPE)
In November 2014, the conspiracy carried out a destructive attack on Sony Pictures Entertainment (SPE) in retaliation for the movie “The Interview”, a farcical comedy that depicted the assassination of the North Korean leader. The conspirators obtained access to SPE’s network by sending malware to SPE employees, and then stole confidential data, threatened SPE executives and employees, and damaged thousands of computers. The group also sent spear-phishing messages to other victims in the entertainment industry, including a movie theater chain and a U.K. company that was producing a fictional series involving a British nuclear scientist taken prisoner in North Korea.
Attacks against Bangladesh and Other Banks
In February 2016 the conspiracy stole $81 million from Bangladesh Bank by accessing the bank’s computer terminals that interfaced with the SWIFT communication system and then sending fraudulently authenticated SWIFT messages directing the Federal Reserve Bank of New York to transfer funds from Bangladesh Bank to accounts in other Asian countries. The conspiracy obtained access to several other banks in various countries from 2015 through 2018 using similar methods and “watering hole attacks,” attempting the theft of at least $1 billion through such operations.
Attacking U.S. Defense Contractors
In 2016 and 2017, the conspiracy targeted various U.S. defense contractors, including Lockheed Martin, with spear-phishing emails. These emails used some of the same aliases and accounts seen in the SPE attack, at times accessed from North Korean IP addresses, and carried malware containing the same distinct data table found in the malware used against SPE and certain banks. The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to belong to recruiters at competing defense contractors, and some of the malicious messages made reference to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea. The efforts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful.
WannaCry 2.0
In May 2017, a ransomware attack known as WannaCry 2.0 infected hundreds of thousands of computers around the world, causing extensive damage, including significantly impacting the UK’s National Health Service. The conspiracy is connected to the development of WannaCry 2.0, as well as two prior versions of the ransomware, through similarities in form and function to other malware employed by the hackers, and through the spreading of versions of the ransomware via the same infrastructure used in other cyber-attacks.
Investigators identified Park and his co-conspirators through a thorough investigation that identified and traced: email and social media accounts that connect to each other and were used to send spear-phishing messages; aliases; malware “collector accounts” used to store stolen credentials; common malware code libraries; proxy services used to mask locations; and North Korean, Chinese, and other IP addresses. The connections and signatures set forth in charts attached to the criminal complaint show that the attacks and intrusions were done by the same actors.
In connection with the unsealing of the criminal complaint, the FBI and prosecutors furnished cybersecurity providers and other private sector partners detailed information on accounts used by the conspiracy in order to help these partners in their own independent investigative activities and disruptive efforts.[5]
The complaint provides the most specific public accounting of North Korea’s cyberattacks around the world. The combination of indictment and OFAC sanctions has been a chief means by which the U.S. punishes cyber-attacks. It has used these mechanisms against Chinese and Russian hackers.
The North Korean cyber-attacks apparently were motivated by several goals, especially North Korea’s need for funds, since it has long been isolated and subject to sanctions. The cyber-attacks against Sony were in retaliation for the farcical comedy about Kim Jong-un. The targeting of U.S. defense contractors apparently was motivated by a desire to control U.S. corporate behavior. WannaCry seemed to attempt to bring chaos to the West.[6]
The Obama Administration conducted cyber-attacks on North Korea’s missile program, months before the cyber-attack on Sony.[7]
According to the affidavit from an FBI agent featured in the Complaint, the Mandiant cybersecurity firm assisted in the investigations. The complaint has many technical details describing the attacks and linking the techniques to the Lazarus Group. The complaint has email and alias email accounts allegedly used by Park that were linked to cyberattacks on Sony and other victims.
As in the U.S. indictments against the Chinese and Russian hackers, incorporating such detail lends credibility to the charges and helps show the world that U.S. law enforcement can identify nation-state actors.[8]
The evidence in the Complaint was obtained from multiple sources, including from analyzing compromised victim systems, approximately 100 search warrants for approximately 1,000 email and social media accounts accessed internationally by the subjects of the investigation, dozens of orders issued pursuant to 18 U.S.C. §§ 2703(d) and 3123, and approximately 85 formal requests for evidence to foreign countries and additional requests for evidence and information to foreign investigating agencies. Many of those records were obtained from providers of email, social media, or other online or communication services.[9]
Interestingly, for now the complaint only names Park as a defendant although the complaint alleges he worked as a part of a team. It is quite likely that a future complaint or indictment will name and charge some of the co-conspirators.
[1] United States v. Park Jin Hyok, U.S. District Court C.D.Ca., MJ 18-1479, Criminal Complaint, June 8, 2018 https://www.justice.gov/opa/press-release/file/1092091/download.
[2] U.S. Department of Justice, North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions, Press Rel., Sept. 6, 2018 https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks.
[3] Complaint, Shields Affidavit, paragr. 13.
[4] For the designations see OFAC North Korea Designations, Sept. 6, 2018 https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20180906_33.aspx.
[5] U.S. Department of Justice, supra.
[6] David Sanger and Katie Banner, U.S. Alleges Economic Attack, Charging North Korean Hacker, N.Y. Times, Sept. 7, 2018, at A1, col. 5.
[7] Id.
[8] Ellen Nakashima and Devlin Barrett, U.S. charges N. Korean in conspiracy to hack Sony, bank, Wash. Post, Sept. 7, 2018, at A10, col. 1.
[9] Affidavit of Nathan P. Shields, Special Agent, FBI, paragr. 4, Complaint.