LOS ANGELES – A criminal complaint made public today charges a North Korean citizen for his involvement in a conspiracy to conduct a series of destructive cyberattacks around the world, which resulted in damage to massive amounts of computer hardware and extensive loss of data, money and other resources.
The complaint alleges that Park Jin Hyok (박진혁) was a member of a hacking team sponsored by the Democratic People's Republic of Korea and known to the private sector as the “Lazarus Group.” Park allegedly worked for a North Korean government front company, Chosun Expo Joint Venture, which was also known as Korea Expo Joint Venture, or KEJV, to support the DPRK government's malicious cyber actions.
The conspiracy's malicious activities included the creation of the malware used in the 2017 WannaCry ransomware attack; the 2016 theft of $81 million from Bangladesh Bank; the 2014 attack on Sony Pictures Entertainment; and numerous other attacks or intrusions on the entertainment, financial services, defense, technology and virtual currency industries, as well as academia and electric utilities.
“The complaint charges members of this North Korean-based conspiracy with being responsible for cyberattacks that caused unprecedented economic damage and disruption to businesses in the United States and around the globe,” said First Assistant United States Attorney Tracy Wilkison. “The scope of this scheme was exposed through the diligent efforts of FBI agents and federal prosecutors who were able to unmask these sophisticated crimes through sophisticated means. They traced the attacks back to the source and mapped their commonalities, including similarities among the various programs used to infect networks across the globe. These charges send a message that we will track down malicious actors no matter how or where they hide. We will continue to pursue justice for those responsible for the huge monetary losses and attempting to compromise the national security of the United States.”
“The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” said Assistant Attorney General for National Security John C. Demers. “The complaint alleges that the North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations, retaliated against free speech in order to chill it half a world away, and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars' worth of damage. The investigation, prosecution, and other disruption of malicious state-sponsored cyber activity remains among the highest priorities of the National Security Division and I thank the FBI agents, DOJ prosecutors, and international partners who have put years of effort into this investigation.”
“This complaint exposes a vast and audacious scheme by the North Korean government to utilize computer intrusions as a means to support the varied goals of their regime,” said Paul Delacourt, the Assistant Director in Charge of the FBI's Los Angeles Field Office. “From computer network attacks on private entertainment companies and financial institutions, to the development of malware which crippled thousands of victims' computer systems, North Korean cyber aggressions were pursued – and revealed – thanks to the thorough technical and collaborative work of Los Angeles-based FBI agents, computer scientists, federal prosecutors and intelligence analysts. The criminal complaint details key findings of a complex, multi-year investigation based on evidence collected within the U.S. and internationally.”
According to the allegations contained in the criminal complaint, which was filed on June 8 in United States District Court in Los Angeles and made public today, Park was a computer programmer who worked for over a decade for KEJV. The company had offices in China and the DPRK, and is affiliated with Lab 110, a component of DPRK military intelligence. In addition to the programming done by Park and his group for paying clients around the world, the conspiracy also engaged in malicious cyber activities. Security researchers that have independently investigated these activities referred to this hacking team as the “Lazarus Group.” The conspiracy's methods included spear-phishing campaigns, destructive malware attacks, exfiltration of data, theft of funds from bank accounts, ransomware extortion, and propagating “worm” viruses to create botnets.
The complaint describes a broad array of malicious cyber activities, both successful and unsuccessful, in the United States and abroad, with a particular focus on four specific examples.
Targeting the Entertainment Industry
In November 2014, the conspirators launched a destructive attack on Sony Pictures Entertainment (SPE) in retaliation for the movie “The Interview,” a comedy that depicted the assassination of the DPRK's leader. The conspirators gained access to SPE's network by sending malware to SPE employees, and then stole confidential data, threatened SPE executives and employees, and damaged thousands of computers.
Around the same time, the group sent spear-phishing messages to other victims in the entertainment industry, including a movie theater chain and a U.K. company that was producing a fictional series involving a British nuclear scientist taken prisoner in DPRK.
Targeting Financial Services
In February 2016, the conspiracy stole $81 million from Bangladesh Bank. As part of the cyberheist, the conspiracy accessed the bank's computer terminals that interfaced with the Society for Worldwide Interbank Financial Telecommunication (SWIFT) communication system after compromising the bank's computer network with spear-phishing emails, then sent fraudulently authenticated SWIFT messages directing the Federal Reserve Bank of New York to transfer funds from Bangladesh to accounts in other Asian countries. The conspiracy attempted to and did gain access to several other banks in various countries from 2015 through 2018 using similar methods and “watering hole attacks,” attempting the theft of at least $1 billion through such operations.
Targeting of U.S. Defense Contractors
In 2016 and 2017, the conspiracy targeted a number of U.S. defense contractors, including Lockheed Martin, with spear-phishing emails. These malicious emails used some of the same aliases and accounts seen in the SPE attack, at times accessed from North Korean IP addresses, and contained malware with the same distinct data table found in the malware used against SPE and certain banks, the complaint alleges. The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to be from recruiters at competing defense contractors, and some of the malicious messages made reference to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea. The attempts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful.
Creation of Wannacry
In May 2017, a ransomware known as WannaCry 2.0 infected hundreds of thousands of computers around the world, causing extensive damage, including significantly impacting the United Kingdom's National Health Service. The conspiracy is connected to the development of WannaCry 2.0, as well as two prior versions of the ransomware, through similarities in form and function to other malware developed by the hackers, and by spreading versions of the ransomware through the same infrastructure used in other cyber-attacks.
Park and his co-conspirators were linked to these attacks, intrusions, and other malicious cyber-enabled activities through a thorough investigation that identified and traced email and social media accounts that connect to each other and were used to send spear-phishing messages; aliases, malware “collector accounts” used to store stolen credentials; common malware code libraries; proxy services used to mask locations; and North Korean, Chinese and other IP addresses. Some of this malicious infrastructure was used across multiple instances of the malicious activities described in the complaint. Taken together, these connections and signatures – revealed in charts attached to the criminal complaint – show that the attacks and intrusions were perpetrated by the same actors.
Accompanying Mitigation Efforts
Throughout the course of the investigation, the FBI and the Justice Department provided specific information to victims about how they had been targeted or compromised, as well as information about the tactics and techniques used by the conspiracy with the goals of remediating any intrusion and preventing future intrusions. That direct sharing of information took place in the United States and in foreign countries, often with the assistance of foreign law enforcement partners. The FBI also has collaborated with certain private cybersecurity companies by sharing and analyzing information about the intrusion patterns used by the members of the conspiracy. In connection with the unsealing of the criminal complaint, the FBI and prosecutors provided cybersecurity providers and other private sector partners detailed information on accounts used by the conspiracy in order to assist these partners in their own independent investigative activities and disruption efforts.
Park is charged with one count of conspiracy to commit computer fraud and abuse, which carries a maximum sentence of five years in prison, and one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison. The maximum potential sentences in this case are prescribed by Congress and are provided here for informational purposes only, as any sentencings of the defendant will be determined by the assigned judge.
The charges contained in the criminal complaint are merely accusations and the defendant is presumed innocent unless and until proven guilty.
In addition to the criminal charges, the Department of the Treasury's Office of Foreign Assets Control (OFAC) today designated Park and KEJV under Executive Order 13722 based on the malicious cyber and cyber-enabled activity outlined in the criminal complaint.