The Department of Justice has officially charged one member of the North Korean Lazarus Group for his role in the Wannacry attacks, the Sony Pictures breach, theft on the SWIFT banking system and more.
Nathan Shields, special agent for the FBI, filed an affidavit of complaint against the Lazarus Group hacker, Park Jin Hyok, on June 8, 2018, but the charges were made public Sept. 6.
Park was charged with conspiring to commit “unauthorized access to computer and obtaining information, with intent to defraud, and causing damage, and extortion related to computer intrusion” and wire fraud.
“The evidence set forth herein was obtained from multiple sources, including from analyzing compromised victim systems, approximately 100 search warrants for approximately 1,000 email and social media accounts accessed internationally by the subjects of the investigation, dozens of orders issued … and approximately 85 formal requests for evidence to foreign countries and additional requests for evidence and information to foreign investigating agencies,” Shields wrote in the affidavit.
Shields wrote that the affidavit was “made in support of a criminal complaint against, and arrest warrant” for Park, but there is no indication the DoJ knows where Park is currently located. The last mention in the affidavit noted Park returned to North Korea in 2014 after spending three years working for North Korean company Chosun Expo in China.
Although Park was the lone Lazarus Group hacker named in the filing, the entire North Korean team was implicated in the 2014 Sony Pictures breach, the 2016 theft of $81 million from Bangladesh Bank via the SWIFT network, the 2017 Wannacry ransomware attack as well as “numerous other attacks or intrusions on the entertainment, financial services, defense, technology and virtual currency industries, as well as academia and electric utilities.”
“In 2016 and 2017, the conspiracy targeted a number of U.S. defense contractors, including Lockheed Martin, with spear-phishing emails. The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to be from recruiters at competing defense contractors, and some of the malicious messages made reference to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea,” the U.S. Attorney’s Office for the Central District of California wrote in its press release. “The attempts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful.”
Confirmation of North Korean involvement
Park is the first Lazarus Group hacker named and officially charged by the U.S. government, but the Lazarus Group and North Korea have been connected to attacks before.
As far back as Dec. 2014, the FBI stated there was enough evidence to conclude that North Korea was behind the attack on Sony Pictures. And, in Dec. 2017, both the U.S. and U.K. governments blamed the Wannacry attacks on North Korea.
The affidavit detailed the use of the Brambul worm, which was malware attributed to the Lazarus Group in a US-CERT security alert issued by the FBI and Department of Homeland Security in May 2018.
However, while the confirmation of North Korean involvement was generally praised by experts, not all were happy that Park was the only Lazarus Group hacker to be named and charged.
People living in North Korea don’t get a choice when the government comes calling. There are countless stories of atrocities where whole families are imprisoned (or worse) for defying the orders of the government. We know what would have happened if Park refused to hack Sony. 2/n
— Jake Williams (@MalwareJake), September 6, 2018
Jake Williams, founder and CEO of Rendition Infosec, based in Atlanta, wrote on Twitter that it was a “human rights issue” to charge Park because the Lazarus Group hacker “likely had zero choice in his actions.”