The Justice Department has announced the indictment of a North Korean agent for both the theft of data and the “wiper” attack on Sony Pictures in 2014 and the worldwide “WannaCry” malware attack of May 2017. The indictment, initially reported by ABC News and the Washington Post, is the first direct set of charges against an individual associated with the North Korean government.
The individual, identified as Park Jin Hyok, participated in the Sony Pictures attack under orders from the Democratic People’s Republic of Korea’s clandestine military intelligence agency, the Reconnaissance General Bureau, the indictment alleges. The RGB is the agency that oversees “Unit 121” and “Lab 110”, North Korea’s cyber warfare units. Park is charged with conspiracy and conspiracy to commit wire fraud.
According to the indictment, Park, a North Korean computer programmer, worked for Chosun Expo Joint Venture, an alleged North Korean government front company with offices in North Korea and China, since at least 2002. Also known as Korea Expo Joint Venture, Chosun Expo is believed to be connected to the RGB’s Lab 110; while it provides legitimate programming-for-hire services to foreign customers, the company also is alleged to be home to the Lazarus Group. That’s the malware and hacking group that has been previously connected by US intelligence and private sector security researchers to the Sony attack, the theft of $81 million from Bangladesh Bank through the SWIFT system (part of an attempted $1 billion theft), and the WannaCry malware.
The indictment alleges that Park took part in these attacks, as well as attacks on US defense contractors, university faculty, technology companies, virtual currency exchanges, and US electric utilities. The indictment also alleges that Park attempted attacks on financial institutions over the past four years.
Chosun Expo has also been deemed to be behind denial-of-service attacks against the government, banks, and media companies in South Korea. “In sum, the scope and damage of the computer intrusions perpetrated, and caused by the subjects of this investigation, including PARK, is virtually unparalleled,” said FBI Special Agent Nathan Shields in an affidavit filed in June.
Park was specifically linked to the attacks through email accounts at Chosun Expo under his own name, and these accounts were used to create social media accounts and to subscribe to services used in the attacks. “Despite efforts to conceal his identity and the subjects’ efforts to isolate the Chosun Expo Accounts from operational accounts that they used with aliases to carry on their hacking operations,” the FBI affidavit states, “there are numerous connections between these sets of accounts. Some of the operational accounts were used in the name ‘Kim Hyon Woo’ (or variations of that name), an alias that the subjects used in connection with the targeting of and cyber-attacks on SPE, Bangladesh Bank, and other victims.”
The name “Kim Hyon Woo” was used for a number of email and social media accounts, and it was surmised by investigators to be a cover name used by multiple members of the group to conceal their activities. Activity from Park’s real-name Chosun Expo account and many of the accounts tied to Lazarus Group activity originated from the same Internet addresses in North Korea.
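The investigative technique described above, linking a real-name account to alias accounts through shared source IP addresses, is a general infrastructure-overlap analysis. The following is an added example written for this article; it is not code from the affidavit or from any investigator, and the login records, account names and IP addresses in it are constructed sample data (RFC 5737 documentation ranges), not values from the case. It indexes login events by source address, reports every pair of accounts seen from the same address, and clusters accounts that are transitively connected through shared addresses.

```python
from collections import defaultdict

# Constructed sample login records: (account, source_ip).
# Hypothetical data for illustration only; not from the affidavit.
SAMPLE_LOGINS = [
    ("park.realname@example-front.test", "203.0.113.10"),
    ("park.realname@example-front.test", "203.0.113.11"),
    ("kimhyonwoo.alias1@example-mail.test", "203.0.113.10"),
    ("kimhyonwoo.alias2@example-mail.test", "203.0.113.11"),
    ("kimhyonwoo.alias2@example-mail.test", "198.51.100.7"),
    ("another.alias@example-mail.test", "198.51.100.7"),
    ("unrelated.user@example-mail.test", "192.0.2.44"),
]


def ip_to_accounts(logins):
    """Index login events by source IP: ip -> set of accounts seen from it."""
    index = defaultdict(set)
    for account, ip in logins:
        index[ip].add(account)
    return index


def shared_ip_pairs(logins):
    """Return {frozenset({acct_a, acct_b}): set_of_ips} for every pair of
    accounts that logged in from at least one common source address."""
    pairs = defaultdict(set)
    for ip, accounts in ip_to_accounts(logins).items():
        accts = sorted(accounts)
        for i in range(len(accts)):
            for j in range(i + 1, len(accts)):
                pairs[frozenset((accts[i], accts[j]))].add(ip)
    return dict(pairs)


def cluster_accounts(logins):
    """Group accounts that are connected, directly or transitively, through
    shared source addresses (union-find). Returns clusters sorted largest first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for account, _ in logins:
        find(account)  # make sure singleton accounts appear too
    for accounts in ip_to_accounts(logins).values():
        accts = list(accounts)
        for other in accts[1:]:
            union(accts[0], other)

    clusters = defaultdict(set)
    for account in parent:
        clusters[find(account)].add(account)
    return sorted((sorted(c) for c in clusters.values()),
                  key=lambda c: (-len(c), c))


if __name__ == "__main__":
    for pair, ips in shared_ip_pairs(SAMPLE_LOGINS).items():
        print(sorted(pair), "share", sorted(ips))
    for cluster in cluster_accounts(SAMPLE_LOGINS):
        print("cluster:", cluster)
```

On the sample data the real-name account, both alias accounts and a further alias end up in one cluster of four, while the unrelated account stands alone. A shared address by itself is weak evidence (NAT gateways, shared hosting and VPN exits put unrelated users behind one IP), which is why this kind of overlap is treated as one link among several rather than as attribution on its own.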
The new affidavit also includes details of the methods used in the Sony Pictures attack, including spear phishing messages sent to Sony Pictures employees and “actors and other personnel associated with the movie The Interview,” starting in September of 2014. Ars hopes to analyze the technical details in-depth in a follow-on report.