{"id":723,"date":"2018-09-14T20:46:49","date_gmt":"2018-09-14T20:46:49","guid":{"rendered":"http:\/\/ielrblog.com\/?post_type=article&#038;p=723"},"modified":"2018-09-14T20:46:49","modified_gmt":"2018-09-14T20:46:49","slug":"u-s-unseals-criminal-complaint-against-n-korean-programmer-for-cyber-attacks-and-intrusions","status":"publish","type":"article","link":"https:\/\/ielrblog.com\/index.php\/article\/u-s-unseals-criminal-complaint-against-n-korean-programmer-for-cyber-attacks-and-intrusions\/","title":{"rendered":"U.S. Unseals Criminal Complaint against N. Korean Programmer for Cyber Attacks and Intrusions"},"content":{"rendered":"<p>On September 6, 2018, the U.S. government announced the unsealing of a 179-page criminal complaint filed in the U.S. District Court Central District of California (Los Angeles)<a href=\"#_ftn1\" name=\"_ftnref1\">[1]<\/a> charging Park Jin Hyok (aka Jin Hyok Park and Pak Jin Hek), a North Korean citizen, for his participation in a conspiracy to conduct multiple destructive cyberattacks around the world that caused damage to massive amounts of computer hardware and the significant loss of data, money and other resources.<a href=\"#_ftn2\" name=\"_ftnref2\">[2]<\/a><\/p>\n<p>According to the complaint, Park participated in a government-sponsored hacking team known as the \u201cLazarus Group\u201d and worked for a North Korean government front company, Chosun Expo Joint Venture (aka Korea Expo Joint Venture or \u201cKEJV\u201d), to support the DPRK government\u2019s malicious cyber actions.\u00a0 Lazarus Group is the name that private security researchers (including Symantec, Novetta, and BAE) have given to the set of hackers who perpetrated the attacks on SPE, Bangladesh Bank, and other entities.<a href=\"#_ftn3\" name=\"_ftnref3\">[3]<\/a><\/p>\n<p>The conspiracy\u2019s malicious activities include the development of the malware used in the 2017 WannaCry 2.0 global ransomware attack; the 2016 theft of $81 million from Bangladesh Bank; the 2014 attack on Sony Pictures Entertainment (SPE); and various other attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.<\/p>\n<p>Simultaneously, Treasury Secretary Steven Mnuchin announced that the Treasury\u2019s Office of Foreign Assets Control (OFAC) had designated Park and KEJV under Executive Order 13722 based on the malicious cyber and cyber-enabled activity alleged in the criminal complaint.<a href=\"#_ftn4\" name=\"_ftnref4\">[4]<\/a><\/p>\n<p>The complaint charges Park with one count of conspiracy to commit computer fraud and abuse, which carries a maximum sentence of five years in prison, and one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison.<\/p>\n<p>Park was a computer programmer who worked for more than a decade for KEJV, which had offices in China and North Korea.\u00a0 KEJV is affiliated with Lab 110, a component of North Korean military intelligence.\u00a0 The conspiracy\u2019s malicious cyber activities included spear-phishing campaigns, destructive malware attacks, exfiltration of data, theft of funds from bank accounts, ransomware extortion, and propagation of \u201cworm\u201d viruses to create botnets.<\/p>\n<p>The complaint describes several of the conspiracy\u2019s alleged malicious cyber activities, both successful and unsuccessful, in the U.S. 
and abroad, focusing in particular on four specific examples.<\/p>\n<p><em>Attacks against Sony Pictures Entertainment (SPE)<\/em><\/p>\n<p>In November 2014, the conspiracy carried out a destructive attack on Sony Pictures Entertainment (SPE) in retaliation for the movie \u201cThe Interview\u201d, a farcical comedy that depicted the assassination of the North Korean leader.\u00a0 The conspirators obtained access to SPE\u2019s network by sending malware to SPE employees, and then stole confidential data, threatened SPE executives and employees, and damaged thousands of computers.\u00a0 The group also sent spear-phishing messages to other victims in the entertainment industry, including a movie theater chain and a U.K. company that was producing a fictional series involving a British nuclear scientist taken prisoner in North Korea.<\/p>\n<p><em>Attacks against Bangladesh Bank and Other Banks<\/em><\/p>\n<p>In February 2016 the conspiracy stole $81 million from Bangladesh Bank by accessing the bank\u2019s computer terminals that interfaced with the SWIFT communication system and then sending fraudulently authenticated SWIFT messages directing the Federal Reserve Bank of New York to transfer funds from Bangladesh Bank\u2019s account to accounts in other Asian countries.\u00a0 The conspiracy obtained access to several other banks in various countries from 2015 through 2018 using similar methods and \u201cwatering hole\u201d attacks, attempting the theft of at least $1 billion through such operations.<\/p>\n<p><em>Attacks against U.S. Defense Contractors<\/em><\/p>\n<p>In 2016 and 2017, the conspiracy targeted various U.S. defense contractors, including Lockheed Martin, with spear-phishing emails.\u00a0 These emails used some of the same aliases and accounts seen in the SPE attack, at times accessed from North Korean IP addresses, and carried malware containing the same distinctive data table found in the malware used against SPE and certain banks.\u00a0 The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to belong to recruiters at competing defense contractors, and some of the malicious messages referred to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea.\u00a0 The efforts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful.<\/p>\n<p><em>WannaCry 2.0<\/em><\/p>\n<p>In May 2017, a ransomware attack known as WannaCry 2.0 infected hundreds of thousands of computers around the world, causing extensive damage, including significantly impacting the UK\u2019s National Health Service.\u00a0 The conspiracy is connected to the development of WannaCry 2.0, as well as two prior versions of the ransomware, through similarities in form and function to other malware employed by the hackers, and through the spreading of versions of the ransomware using the same infrastructure used in other cyber-attacks.<\/p>\n<p>Investigators identified Park and his co-conspirators through a thorough investigation that identified and traced: email and social media accounts that connect to each other and were used to send spear-phishing messages; aliases; malware \u201ccollector accounts\u201d used to store stolen credentials; common malware code libraries; proxy services used to mask locations; and North Korean, Chinese, and other IP addresses.\u00a0 The connections and signatures set forth in charts attached to the criminal complaint show that the attacks and intrusions were carried out by the same actors.<\/p>\n<p>In connection with the unsealing of the criminal 
complaint, the FBI and prosecutors furnished cybersecurity providers and other private sector partners with detailed information on accounts used by the conspiracy in order to help these partners in their own independent investigative activities and disruption efforts.<a href=\"#_ftn5\" name=\"_ftnref5\">[5]<\/a><\/p>\n<p>The complaint provides the most specific public accounting of North Korea\u2019s cyberattacks around the world.\u00a0 The combination of criminal charges and OFAC sanctions has been a chief means by which the U.S. punishes cyber-attacks; it has used these mechanisms against Chinese and Russian hackers as well.<\/p>\n<p>The North Korean cyber-attacks apparently were motivated by several goals, especially North Korea\u2019s need for funds, since it has long been isolated and subject to sanctions.\u00a0 The cyber-attacks against Sony were in retaliation for the farcical comedy about Kim Jong-un.\u00a0 The targeting of U.S. defense contractors apparently was motivated by a desire to control U.S. corporate behavior.\u00a0 WannaCry seemed to be an attempt to bring chaos to the West.<a href=\"#_ftn6\" name=\"_ftnref6\">[6]<\/a><\/p>\n<p>The Obama Administration conducted cyber-attacks on North Korea\u2019s missile program months before the cyber-attack on Sony.<a href=\"#_ftn7\" name=\"_ftnref7\">[7]<\/a><\/p>\n<p>According to the affidavit of an FBI agent included in the complaint, the cybersecurity firm Mandiant assisted in the investigation.\u00a0 The complaint contains many technical details describing the attacks and linking the techniques to the Lazarus Group.\u00a0 It also lists email accounts and alias email accounts allegedly used by Park that were linked to the cyberattacks on Sony and other victims.<\/p>\n<p>As in the U.S. indictments against the Chinese and Russian hackers, incorporating such detail lends credibility to the charges and helps show the world that U.S. law enforcement can identify nation-state actors.<a href=\"#_ftn8\" name=\"_ftnref8\">[8]<\/a><\/p>\n<p>The evidence in the complaint was obtained from multiple sources, including analysis of compromised victim systems, approximately 100 search warrants for approximately 1,000 email and social media accounts accessed internationally by the subjects of the investigation, dozens of orders issued pursuant to 18 U.S.C. \u00a7\u00a7 2703(d) and 3123, and approximately 85 formal requests for evidence to foreign countries and additional requests for evidence and information to foreign investigating agencies. Many of those records were obtained from providers of email, social media, or other online or communication services.<a href=\"#_ftn9\" name=\"_ftnref9\">[9]<\/a><\/p>\n<p>Interestingly, for now the complaint names only Park as a defendant, although it alleges that he worked as part of a team.\u00a0 It is quite likely that a future complaint or indictment will name and charge some of the co-conspirators.<\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\">[1]<\/a>\u00a0\u00a0\u00a0 United States v. Park Jin Hyok, U.S. District Court C.D. Cal., MJ 18-1479, Criminal Complaint, June 8, 2018, <a href=\"https:\/\/www.justice.gov\/opa\/press-release\/file\/1092091\/download\">https:\/\/www.justice.gov\/opa\/press-release\/file\/1092091\/download<\/a>.<\/p>\n<p><a href=\"#_ftnref2\" name=\"_ftn2\">[2]<\/a>\u00a0\u00a0\u00a0 U.S. Department of Justice, North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions, Press Release, Sept. 6, 2018, <a href=\"https:\/\/www.justice.gov\/opa\/pr\/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks\">https:\/\/www.justice.gov\/opa\/pr\/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks<\/a>.<\/p>\n<p><a href=\"#_ftnref3\" name=\"_ftn3\">[3]<\/a>\u00a0\u00a0\u00a0 Complaint, Shields Affidavit, para. 13.<\/p>\n<p><a href=\"#_ftnref4\" name=\"_ftn4\">[4]<\/a>\u00a0\u00a0\u00a0 For the designations see OFAC North Korea Designations, Sept. 6, 2018, <a href=\"https:\/\/www.treasury.gov\/resource-center\/sanctions\/OFAC-Enforcement\/Pages\/20180906_33.aspx\">https:\/\/www.treasury.gov\/resource-center\/sanctions\/OFAC-Enforcement\/Pages\/20180906_33.aspx<\/a>.<\/p>\n<p><a href=\"#_ftnref5\" name=\"_ftn5\">[5]<\/a>\u00a0\u00a0\u00a0 U.S. Department of Justice, <em>supra<\/em>.<\/p>\n<p><a href=\"#_ftnref6\" name=\"_ftn6\">[6]<\/a>\u00a0\u00a0\u00a0 David Sanger and Katie Benner, <em>U.S. Alleges Economic Attack, Charging North Korean Hacker<\/em>, N.Y. Times, Sept. 7, 2018, at A1, col. 5.<\/p>\n<p><a href=\"#_ftnref7\" name=\"_ftn7\">[7]<\/a>\u00a0\u00a0\u00a0 <em>Id.<\/em><\/p>\n<p><a href=\"#_ftnref8\" name=\"_ftn8\">[8]<\/a>\u00a0\u00a0\u00a0 Ellen Nakashima and Devlin Barrett, <em>U.S. charges N. Korean in conspiracy to hack Sony, bank<\/em>, Wash. Post, Sept. 7, 2018, at A10, col. 1.<\/p>\n<p><a href=\"#_ftnref9\" name=\"_ftn9\">[9]<\/a>\u00a0\u00a0\u00a0 Affidavit of Nathan P. Shields, Special Agent, FBI, para. 4, Complaint.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On September 6, 2018, the U.S. government announced the unsealing of a 179-page criminal complaint filed in the U.S. 
District Court Central District of California (Los Angeles)[1] charging Park Jin Hyok (aka Jin Hyok Park and Pak Jin Hek), a North Korean citizen, for his participation in a conspiracy to conduct multiple destructive cyberattacks around [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"open","template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","jetpack_post_was_ever_published":false,"footnotes":""},"categories":[45],"tags":[],"issuem_issue":[54],"class_list":{"0":"post-723","1":"article","2":"type-article","3":"status-publish","4":"format-standard","6":"category-cybercrime-and-cryptocurrency","7":"issuem_issue-volume-34-issue-9","8":"entry"},"yoast_head_json":{"title":"U.S. Unseals Criminal Complaint against N. 
Korean Programmer for Cyber Attacks and Intrusions | IELR Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/ielrblog.com\/index.php\/article\/u-s-unseals-criminal-complaint-against-n-korean-programmer-for-cyber-attacks-and-intrusions\/","og_locale":"en_US","og_type":"article","og_title":"U.S. Unseals Criminal Complaint against N. Korean Programmer for Cyber Attacks and Intrusions | IELR Blog","og_description":"On September 6, 2018, the U.S. government announced the unsealing of a 179-page criminal complaint filed in the U.S. District Court Central District of California (Los Angeles)[1] charging Park Jin Hyok (aka Jin Hyok Park and Pak Jin Hek), a North Korean citizen, for his participation in a conspiracy to conduct multiple destructive cyberattacks around [&hellip;]","og_url":"https:\/\/ielrblog.com\/index.php\/article\/u-s-unseals-criminal-complaint-against-n-korean-programmer-for-cyber-attacks-and-intrusions\/","og_site_name":"IELR Blog","article_publisher":"https:\/\/m.facebook.com\/intlenforcementlawreporter\/?ref=bookmarks","twitter_card":"summary_large_image","twitter_site":"@ielr","twitter_misc":{"Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/ielrblog.com\/index.php\/article\/u-s-unseals-criminal-complaint-against-n-korean-programmer-for-cyber-attacks-and-intrusions\/","url":"https:\/\/ielrblog.com\/index.php\/article\/u-s-unseals-criminal-complaint-against-n-korean-programmer-for-cyber-attacks-and-intrusions\/","name":"U.S. Unseals Criminal Complaint against N. 
Korean Programmer for Cyber Attacks and Intrusions | IELR Blog","isPartOf":{"@id":"https:\/\/ielrblog.com\/#website"},"datePublished":"2018-09-14T20:46:49+00:00","breadcrumb":{"@id":"https:\/\/ielrblog.com\/index.php\/article\/u-s-unseals-criminal-complaint-against-n-korean-programmer-for-cyber-attacks-and-intrusions\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/ielrblog.com\/index.php\/article\/u-s-unseals-criminal-complaint-against-n-korean-programmer-for-cyber-attacks-and-intrusions\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/ielrblog.com\/index.php\/article\/u-s-unseals-criminal-complaint-against-n-korean-programmer-for-cyber-attacks-and-intrusions\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/ielrblog.com\/"},{"@type":"ListItem","position":2,"name":"Articles","item":"https:\/\/ielrblog.com\/index.php\/article\/"},{"@type":"ListItem","position":3,"name":"U.S. Unseals Criminal Complaint against N. 
Korean Programmer for Cyber Attacks and Intrusions"}]},{"@type":"WebSite","@id":"https:\/\/ielrblog.com\/#website","url":"https:\/\/ielrblog.com\/","name":"IELR Blog","description":"Official Blog of the International Enforcement Law Reporter","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/ielrblog.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/article\/723","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/article"}],"about":[{"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/types\/article"}],"author":[{"embeddable":true,"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=723"}],"version-history":[{"count":1,"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/article\/723\/revisions"}],"predecessor-version":[{"id":724,"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/article\/723\/revisions\/724"}],"wp:attachment":[{"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=723"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=723"},{"taxonomy":"issuem_issue","embeddable":true,"href":"https:\/\/ielrblog.com\/index.php\/wp-json\/wp\/v2\/issuem_issue?post=723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}