U.S. Ties Lazarus to North Korea and Major Hacking Conspiracy

The DoJ said a DPRK spy, Park Jin-hyok, was involved in “a conspiracy to conduct multiple destructive cyberattacks around the world.”

The Justice Department has charged a North Korean man in the hacking of Sony Pictures Entertainment (SPE) in 2014 – as well as the global WannaCry attack last year that caused millions of dollars of economic damage and also charged him with the costly 2016 SWIFT attack on the Bangladesh central bank.

The DoJ said in its 179-page complaint that the suspect, Park Jin-hyok, was involved in “a conspiracy to conduct multiple destructive cyberattacks around the world” as a member of the Lazarus Group, a well-known APT actor. Though researchers have suspected the APT to be an extension of the North Korean government for many years – it first appeared in 2010 – this is the first time the U.S. government has fully weighed in on attribution.

The complaint alleges that the North Korean government, through the instrument of the Lazarus Group, robbed the Bangladeshi central bank of $81 million; hacked SPE in retaliation for the film The Interview, which featured a parody of DPRK leader Kim Jon-Un (the DoJ said the move was “against free speech in order to chill it half a world away”; and authored the WannaCry ransomware that impacted victims in more than 150 countries, including Britain’s National Health Service, shipping giant Maersk, Boeing, Telefonica and many others.

The complaint also alleges that in 2016 and 2017, this conspiracy targeted a number of U.S. defense contractors, including Lockheed Martin, with spear-phishing emails with intent to steal nation-state secrets.

“The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber-norms accepted by responsible nations,” said Assistant Attorney General Demers, in the DoJ’s announcement. “The investigation, prosecution and other disruption of malicious state-sponsored cyber activity remains among the highest priorities of the National Security Division and I thank the FBI agents, DOJ prosecutors, and international partners who have put years of effort into this investigation.”

For his part, Park is suspected of working for North Korea’s equivalent of the CIA, known as the Reconnaissance General Bureau. He was charged with computer fraud and wire fraud, which carry five-year and 20-year maximum sentences, respectively. Park is not however likely to see a jail cell: the U.S. , as one might expect, has no extradition treaties with North Korea.

Also Thursday, the Treasury Department announced that it has added Park’s name to its sanctions list, along with a company he’s known to be affiliated with (Chosun Expo Joint Venture, or K.E.J.V.) This prevents Park or K.E.J.V. from doing business with any bank or financial institution based in the U.S.

“We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions,” said Treasury Secretary Steven Mnuchin.

A Litany of Woes

The activities are some of the largest cyber-stories of the last few years, and taken together make up a complex web of economic sabotage.

About 437,000 people were affected by the 2014 hack on SPE, which saw the attackers break into company computers and release thousands of emails, documents and sensitive personal information to WikiLeaks. WikiLeaks went on to release about 170,000 emails, including mails containing racially tinged comments from studio head Amy Pascal—who stepped down in the aftermath—and producer Scott Rudin.

It also spilled Hollywood dirt; Rudin also called Angelina Jolie a “minimally talented spoiled brat” in an email as the two discussed an upcoming Cleopatra project. “She’s studying films” he said. “Kill me now.”

Sony in 2015 said that the cost for dealing with the breach totaled $15 million for the quarter in which it occurred, which it reported in February of that year.

Meanwhile, in 2016 the attackers exploited a poorly configured network switch at the Bangladeshi central bank, which left its firewall unguarded and opened the door to hackers stealing credentials allowing them to make payment transfers. They then set about stealing $81 million via the SWIFT payment platform via a series of transfer requests with the New York Federal Reserve Bank over the course of a weekend in early February of that year.

There were three dozen requests. The New York Fed processed four of them, shifting money into accounts in the Philippines. The heist would have totaled $1 billion or more if a spelling mistake in the routing instructions hadn’t raised the alarm. Other SWIFT attacks have followed this event, which kicked off a brand-new attack type for the cybercrime world.

Then there was WannaCry. The ransomware become a global news sensation as scores of major companies fell victim to it; the first reports involved Spanish telecommunications giant Telefonica, but it soon became clear that the attack affected hundreds of thousands of computers worldwide.

WannaCry demanded a ransom of $300 in Bitcoin, which doubled if not paid within three days. It spread using the “EternalBlue” exploit published by the ShadowBrokers threat group as part of their trove of stolen NSA hacking tools. While the global viral infection was killed thanks to a hard-coded kill switch in the malware, variants of WannaCry remain a ransomware scourge to this day.

As for the defense contractor spear-phishing attacks, which haven’t been very well publicized, the DoJ explained:

These malicious emails used some of the same aliases and accounts seen in the SPE attack, at times accessed from North Korean IP addresses, and contained malware with the same distinct data table found in the malware used against SPE and certain banks, the complaint alleges. The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to be from recruiters at competing defense contractors, and some of the malicious messages made reference to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea. The attempts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful.

In all, the official linking of the Lazarus Group to North Korea and all of these activities is significant and the real point of the DoJ making the charges against Park – as it paints a wide-ranging conspiracy behind a latticework of massively damaging attacks.

“We stand with our partners to name the North Korean government as the force behind this destructive global cyber campaign,” said FBI Director Christopher Wray. “This group’s actions are particularly egregious as they targeted public and private industries worldwide – stealing millions of dollars, threatening to suppress free speech, and crippling hospital systems. We’ll continue to identify and illuminate those responsible for malicious cyberattacks and intrusions, no matter who or where they are.”

Suggested articles