The Justice Department on Thursday unsealed charges against a North Korean coder over a years-long string of destructive cyber attacks and heists, including the 2014 attack on Sony Pictures, and last year’s WannaCry ransomware virus, which infected hundreds of thousands of computers in 150 countries and shut down dozens of emergency rooms in U.K. hospitals.
Park Jin Hyok was charged in a federal criminal complaint in Los Angeles with conspiracy. Park allegedly worked as a programmer for the North Korean company Chosun Expo Joint Venture, described by prosecutors as a long-time front for North Korea’s computer intrusion program, “Lab 110.”
Lab 110 is responsible for “a wide-ranging, multi-year conspiracy to conduct computer intrusions and commit wire fraud by co-conspirators working on behalf of the government of the Democratic People’s Republic of Korea,” reads the complaint. The “conspiracy targeted computers belonging to entertainment companies, financial institutions, defense contractors, and others for the purpose of causing damage, extracting information, and stealing money, among other reasons.”
Park is the only defendant in the case. He’s charged as “a member of the conspiracy behind these cyber-attacks,” and positioned as one in a cadre of professional hackers working for Kim Jong Un’s government, described as proficient in multiple coding languages and in network security. The hacking was allegedly done mostly from within North Korea, though Park also worked out of China.
The case is the first in the U.S. targeting North Korea’s aggressive state-sponsored computer intrusion program, known in computer security circles as the “Lazarus Group,” and long characterized by wanton, gratuitous destruction and outright theft as much as espionage.
The complaint ties Park to virtually all of the Lazarus Group’s greatest hits, beginning with the November 2014 assault on Sony Pictures as retaliation for the studio’s release of a comedy depicting an assassination plot against North Korean leader Kim Jong Un.
Posing as a notional amateur hacking gang called “Guardians of Peace,” the North Korean attackers wiped hundreds of hard drives, leaked Sony’s internal emails and even distributed some of the studio’s unreleased movies on BitTorrent. “We’ve already warned you, and this is just a beginning,” they declared at the time. “We continue till our request be met. We’ve obtained all your internal data including your secrets and top secrets. If you don’t obey us, we’ll release data shown below to the world,” they warned in one message.
In February 2016, the hackers graduated to an attempted $1 billion heist against Bangladesh Bank. Using custom malware and stolen credentials, they initiated 35 SWIFT wire transfer orders from the bank’s holdings at the Federal Reserve Bank of New York. The Fed began processing the orders, which totaled $951 million, but officials grew suspicious after noticing a misspelling in a transfer to Sri Lanka. That transfer was quickly pulled back, and another 30 were blocked entirely. But by then $81 million in stolen funds had gone through to a bank in the Philippines, and then on to multiple casino resorts for laundering.
Security experts were able to link the group’s crimes to one another through giveaways in the code and infrastructure. For example, a portion of the Bangladesh malware devoted to wiping out the victim’s hard drive was nearly identical to a custom disk wiper used in the “Dark Seoul” attacks against South Korean banks and broadcasters in 2013. And those attacks shared both code and a command-and-control server with the Sony Pictures hack.
Similar links were eventually found to the WannaCry ransomware outbreak last year, and in December the Trump administration publicly accused North Korea of responsibility for the outbreak.
WannaCry used a leaked NSA exploit to target unpatched Microsoft Windows machines, rapidly infecting them, encrypting everything, and presenting the victim with a multilingual pop-up message demanding $300 in Bitcoin in exchange for the safe return of the files.
The self-spreading internet worm wreaked havoc in Europe and Asia, and triggered life-threatening shutdowns in the U.K.’s national health system. The attack stalled out only when a U.K.-based malware researcher found a way to trigger a “kill switch” embedded in the code.
A senior Justice Department official said the government chose to file the new charges as a criminal complaint instead of a grand jury indictment so that it could use the 177-page document to lay out the extensive trail of evidence that led them to North Korea’s state-sponsored hackers, and to Park individually.
That evidence includes common email addresses, aliases, and North Korean IP addresses used across multiple operations, and personally by Park and others. In some cases, the webmail addresses used in intrusions were also used by North Korean officials to conduct government business.
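The attribution method the article describes (linking separate incidents through shared wiper code, command-and-control hosts, email addresses, aliases and IP addresses) can be demonstrated as an artifact-overlap pivot. The following is an added illustration, not code from the complaint or from any investigator; every indicator value is a constructed placeholder, and the incident names simply mirror the campaigns named above.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: artifacts observed per incident, keyed as "kind:value".
# All values are invented placeholders for this example, not real indicators.
INCIDENTS = {
    "DarkSeoul-2013": {"wiper:PLACEHOLDER_FN_HASH_A", "c2:PLACEHOLDER_HOST_1",
                       "email:PLACEHOLDER_ADDR_X"},
    "Sony-2014": {"wiper:PLACEHOLDER_FN_HASH_A", "c2:PLACEHOLDER_HOST_1",
                  "alias:PLACEHOLDER_ALIAS_Y"},
    "Bangladesh-2016": {"wiper:PLACEHOLDER_FN_HASH_A", "email:PLACEHOLDER_ADDR_X"},
    "WannaCry-2017": {"alias:PLACEHOLDER_ALIAS_Y", "ip:PLACEHOLDER_KP_IP_1"},
    "Unrelated-2017": {"c2:PLACEHOLDER_HOST_9"},
}


def shared_artifacts(incidents):
    """Map each incident pair that overlaps to the sorted list of artifacts they share."""
    links = {}
    for a, b in combinations(sorted(incidents), 2):
        common = incidents[a] & incidents[b]
        if common:
            links[(a, b)] = sorted(common)
    return links


def clusters(incidents):
    """Group incidents connected directly or transitively by shared artifacts (union-find)."""
    parent = {name: name for name in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in shared_artifacts(incidents):
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for name in incidents:
        groups[find(name)].add(name)
    return sorted(sorted(g) for g in groups.values())


def pivot_report(incidents):
    """Which artifact kind (prefix before the colon) carries each link between incidents."""
    by_kind = defaultdict(list)
    for pair, arts in shared_artifacts(incidents).items():
        for art in arts:
            by_kind[art.split(":", 1)[0]].append(pair)
    return dict(by_kind)
```

Running `clusters(INCIDENTS)` joins the four campaigns into one cluster even though WannaCry shares nothing with the Bangladesh incident directly; the link is transitive through the alias reused in the Sony intrusion.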
As in previous federal charges of Chinese, Russian and Iranian government hackers, there’s little chance of Park ever facing trial.