The US Department of Justice (DoJ) has indicted a 34-year-old North Korean hacker for his involvement in cyberattacks around the world. Park Jin Hyok is alleged to have been part of a government-sponsored hacking team called the Lazarus Group.
Park is accused of taking part in: “a conspiracy to conduct multiple destructive cyberattacks around the world resulting in damage to massive amounts of computer hardware, and the extensive loss of data, money and other resources (the “Conspiracy”).”
In addition to his involvement in the Lazarus Group, Park also worked for a North Korean government front company. The indictment names that company as Chosun Expo Joint Venture (KEJV). The DoJ claims that KEJV supported the “DPRK government’s malicious cyber actions”.
The DoJ says: “The Conspiracy’s malicious activities include the creation of the malware used in the 2017 WannaCry 2.0 global ransomware attack; the 2016 theft of $81 million from Bangladesh Bank; the 2014 attack on Sony Pictures Entertainment (SPE); and numerous other attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.”
FBI Director Christopher Wray said: “Today’s announcement demonstrates the FBI’s unceasing commitment to unmasking and stopping the malicious actors and countries behind the world’s cyberattacks. We stand with our partners to name the North Korean government as the force behind this destructive global cyber campaign.”
Another success for global law enforcement agencies
This is another success brought about by international cooperation around cyberattacks. Over the last two years, technology vendors and security providers have helped law enforcement take down dozens of cybercrime networks.
In this case the FBI led the investigation into attacks against US targets such as Sony Pictures and US defense contractors. It had already named North Korea as a sponsor of these attacks and of others, including the attack against the Bangladesh National Bank. That attack was just one in a string of similar attacks that targeted SWIFT terminals.
As the hackers expanded their attacks to targets in other countries, more law enforcement and security agencies were drawn into the investigation. In some cases the FBI provided technical assistance to those countries. In others, such as the WannaCry attack in the UK, it was given critical evidence by its partners.
Those involved in the investigation included the UK National Crime Agency (NCA), Europol and the National Cyber Security Centre (NCSC). Links between WannaCry and the FBI investigation were uncovered by the NCA’s National Cyber Crime Unit (NCCU).
A wider Conspiracy than first thought
The indictment provides some interesting details about Park and KEJV. Park has been a programmer for KEJV for over a decade. As well as working on projects for the DPRK it is alleged that he and the Lazarus Group worked for other paying clients. There is no information given on who they are.
In addition to its links to Lab 110, part of DPRK military intelligence, KEJV also maintained offices in China. China has been playing an increasingly important role in North Korea’s cyber activities.
Earlier this year the Insikt Group disclosed how North Korea’s elite had begun to make increasing use of Chinese Internet services. One of the reasons given for this shift was to avoid scrutiny from Western intelligence services. This may explain why the KEJV set up its own offices in China.
What does this mean?
It has taken an inordinately long time for the FBI to finally bring an indictment against an individual for the Sony Pictures hack. It has also been two years since the Bangladesh Central Bank was attacked. Since then, a number of other banks have suffered attacks carried out in the same way. Surprisingly, none of those banks are named as victims in this indictment.
The FBI and other law enforcement and intelligence services will now be looking for connections between Park, KEJV and other attacks. It is known that North Korea has sent attackers overseas to disguise its attacks. In the last 18 months, many of the attacks against cryptocurrency exchanges have been blamed on amorphous North Korean hackers. This indictment may well end up being the start of several as contacts of Park’s are identified.
The most important thing here is that several high-profile attacks are being cleared up in one go. It is likely that the FBI would have preferred to have Park in custody before making this announcement. That may still happen, with this indictment being the first step towards an extradition.
For now, there will be some celebrating among all those agencies involved before they get back to work trying to identify Park’s wider network.