U.S. charges North Korean programmer for WannaCry, Sony hack

The U.S. government has levied criminal and economic sanctions against a North Korean programmer and company accused of having a central role carrying out the 2014 Sony hack, the 2017 WannaCry attacks and the 2016 theft of $81 million from the Bank of Bangladesh.

The Department of Justice announced that it was charging North Korean national Park Jin Hyok and the company he worked for, Korea Expo Joint Venture, with multiple counts of conspiracy, wire fraud and violating the Computer Fraud and Abuse Act related to the three attacks. Park and the company are accused of being part of The Lazarus Group, an advanced persistent threat hacking group associated with the North Korean government. 

Speaking at a press briefing announcing the charges, Department of Justice Assistant Attorney General John Demers said the investigation against Park and his company represented one of the longest and most complex cybercrime investigations the department has undertaken, stitching together evidence gleaned from more than 100 search warrants, 85 requests to foreign governments spanning three major global cyberattacks over five years.

The Treasury Department also announced economic sanctions against Park and the company he worked for on Sept. 6.

With the actions against Park and his company, DOJ has now imposed significant criminal and economic penalties on the four nations (China, Russia, Iran and North Korea) that U.S. officials have repeatedly blamed for wreaking havoc in the digital domain with destructive, state-sponsored cyberattacks.

"These activities run afoul of norms of acceptable state behavior in cyberspace and the international community must address them when we can," said Demers. "The charges reflect the department's determination and ability to follow the facts and the law and hold individuals and nations accountable for their crimes."

According to the criminal complaint, U.S. investigators found that in many cases, the attacks were carried out using the same computers, devices, email addresses, social media accounts, aliases, IP addresses and proxy servers. Additionally, investigators noticed that the malware employed across many of the attacks shared technical and functional commonalities that indicated they were carried out by the same group.

While Park is the only individual named, the complaint alleges that the attacks were sponsored by the North Korean government and stressed that other unnamed individuals and parties were involved in helping him carry out the acts. According to the complaint, Park was an employee of Korea Expo Joint Venture, a company based out of China but which acted as a front for North Korean cyber operations. He and others first monitored their victims over internet and social media to use later in targeted spearphishing attacks to gain access credentials.

U.S. officials and cyber intelligence firms had already formally attributed the 2014 Sony hack and Bank of Bangladesh heist, as well as the 2017 WannaCry attacks, to the North Korean government. Justice officials would not say what prompted them to bring charges now, saying only that the department does so when evidence and the law allows it. They also said the investigation remains ongoing into 2018, and the complaint alleges that Park and others have targeted and continue to target U.S. defense contractors, universities, technology companies, cryptocurrency exchanges and U.S. electric utilities.

Ben Read, senior manager for cyber espionage analysis at FireEye, which assisted the government’s investigation by analyzing malware samples, said the activities and technical information described in the criminal complaint are consistent with the company's understanding of how the Lazarus Group operates, particularly the reliance on shared development resources and a keen interest in financially motivated operations.

"We definitely see the activities described here for the most part continuing through 2018 and even fairly recently as well," Read told FCW. "We’ve continued to see both the really heavy emphasis on financially motivated stuff … and also some of the targeting of cryptocurrency exchanges and users. We do believe the North Korean government is using these capabilities to try to get access to money, because they are still under heavy international sanctions."

Read said that while he was reluctant to try to guess how the notoriously unpredictable North Korean government might react to the charges, he noted that previous sanctions applied to the country in response to the 2014 Sony hack "did not seem to have a significant effect on their cyber program."

A Justice official speaking on background said North Korean government had not communicated or expressed any openness to extraditing Park or other individuals associated with the crimes. U.S. officials often argue that even if the parties never stand trial, the criminal and economic sanctions limit their ability to travel and conduct business outside of their host countries. However, North Korea already tightly restricts travel in and out of its borders, and previously existing sanctions against the country limit its members from engaging in business internationally.