A North Korean national has been charged by U.S. authorities over his alleged involvement in the cyberattacks carried out by the notorious Lazarus Group.
Park Jin Hyok, 34, has been charged with one count of conspiracy to commit computer fraud and abuse and one count of conspiracy to commit wire fraud. The FBI has added him to its Cyber Most Wanted list and the U.S. Department of Treasury announced sanctions against Park and the North Korean company he worked for.
The criminal complaint made public on Thursday focuses on four of the hacker group’s operations: the 2014 Sony Pictures Entertainment hack, the $81 million cyber heist from the central bank of Bangladesh in 2016, the 2017 WannaCry ransomware attack, and attempts to breach the systems of U.S. defense contractors in 2016 and 2017.
Investigators have found several links between Park, the Lazarus Group and Chosun Expo Joint Venture, also known as Korea Expo Joint Venture (KEJV), a North Korean government front company allegedly used to support its cyber activities.
Industry professionals have commented on various aspects of the story, including Lazarus Group’s ongoing activities and the impact of the charges brought against Park.
And the feedback begins…
Ed McAndrew, Partner & Co-Chair, Privacy & Data Security Group at Ballard Spahr:
“Why today? Even with the benefit of having served as a federal cybercrime prosecutor for almost 10 years, I’m struggling to understand why the DOJ unsealed this complaint today. There is no imminent activity, law enforcement or otherwise, that supports the unsealing right now. It seems intended only to “name and shame” Hyok and the North Korean Government, for actions that the US Government has already publicly attributed to North Korea.
Why a complaint, instead of a grand jury indictment? The manner of charging Hyok is odd. This is a criminal complaint; not an indictment. Complaints are used to charge people quickly when they have been arrested or are facing imminent arrest. Generally, the DOJ has been using “name and shame” indictments against cybercrime agents of foreign governments. Because Mr. Hyok has not been arrested and is unlikely to ever see the inside of the US courtroom, the use of a complaint here is odd.
I think this indictment will have little tangible impact on Mr. Hyok, unless he is an avid international traveler. He is unlikely to face arrest unless he travels to a country that cooperates with US law enforcement or has an extradition treaty with the United States. It is also unlikely to have little impact on North Korea, which will almost certainly deny the allegations. The US Government has already accused North Korea of being linked to these criminal actions, so charging one individual who will never face prosecution seems to be of limited value, at best.
There’s also a potential downside to US law enforcement in publicizing this level of detail about the methodology behind cyber investigations and the sources and types of evidence used to attribute cybercriminal activity to a particular individual. The affidavit shows how capable our law enforcement agencies are in tracking cyber bread crumbs and connecting digital dots. However, the affidavit almost certainly will be studied by cybercriminals and nation state actors on how to improve their own operational security and avoid detection in the future. In my view, that potential cost outweighs the benefit of disclosure in this case.”
Eric Chien, technical director, Symantec Security Response:
“What’s perhaps most interesting about the DOJ indictment is that law enforcement was able to identify Park Jin Hyok as part of the Lazarus group by obtaining emails from his Hotmail and Gmail accounts. Surprisingly, Park used the same email accounts for the legitimate software development work, as well as hacking activity attributed to Lazarus. Park’s resume and image were discovered in his email, which helped law enforcement attribute the hacking activity back to him specifically.
We’ll likely see Lazarus move away from these free email services, given they’ll have to re-tool their entire infrastructure, including email accounts, passwords, servers, etc. now that they know they’re being watched. Lately, the group’s main focus has been on cryptocurrency – most of the attacks from the past year that we believe are related to Lazarus have targeted crypto-related victims (i.e. ICO providers, cryptocurrency banks, mining pool providers, etc.). It’s unlikely that this indictment will stop the group entirely – judging from their history, such as the Sony breach and WannaCry, they’re brazen and not scared of getting caught.”
Benjamin Read, senior manager, cyber espionage analysis, FireEye:
“The US Department of Justice’s criminal complaint describing a North Korean national’s role in a wide range of intrusion activity is consistent with FireEye’s analysis of both the scope and attribution of this activity, which we link to the group TEMP.Hermit. While we do not have insight into all of the incidents described in the complaint, our analysis concurs with the conclusion that the actors responsible for multiple financially motivated intrusions, the WannaCry ransomware and many of the other incidents are linked by shared development resources. FireEye has observed these malicious operations continuing at a high pace over the last two years and impacting numerous organizations.
FireEye assisted the US Government with analysis of malware provided by the Department of Justice in support of this effort; however, we cannot comment on the specifics of that analysis. Our company assessments are made based only on data we have independently obtained through Mandiant incident response, FireEye devices and other sources.”
Sherrod DeGrippo, director of threat research and detection, Proofpoint:
The Lazarus group is still very active. Most recently we profiled the financially motivated arm of the organization and their work targeting South Korean point-of-sale infrastructure and, separately, cryptocurrency wallets and exchanges. The Lazarus Group also includes both disruption and espionage arms engaged in ongoing efforts worldwide.
Mukul Kumar, Chief Information Security Officer and VP of Cyber Practice, Cavirin:
“Though the Sony Breach hasn’t been in the news for a while, the charges prove that we’re getting better at identifying the ultimate sources of breaches. This of course also applies to non state-sponsored hackers, who may have believed that they could not be tracked.”
Bill Conner, CEO, SonicWall:
“The Sony breach and WannaCry ransomware attacks are milestones for those in the IT industry, as they mark a day we’ll never forget and a distinct moment when the cyber war was brought to the attention of those who were unsuspecting to it. Law enforcement agencies and government officials around the world are challenged by the internet’s invisible boarders and its nameless perpetrators when it comes to pursuing or charging cyber criminals. While almost four years have passed since the communications giant sent notifications of its attacks, the U.S. Justice Department’s actions are commendable and should serve as a reminder for consumers and organizations alike to remain vigilant.
In today’s connected world, it is irresponsible to operate online without strict security standards. Total end-to-end security is key, including a layered approach to security across wired, wireless, mobile and cloud networks, as well as the securing IoT devices to prevent tampering and unauthorized access.”
David Maxwell, Senior Fellow, FDD:
“Although there is a significant time lapse between the hack and this indictment, it shows that the U.S. is tracking the North Korea threat, and that despite the current nuclear diplomacy the U.S. will pursue cyber operatives and hacker/criminals who wish to do the U.S. and the U.S. economy harm.
The U.S. has to address cyber threats, though this is just one very small step toward improving cyber defenses. The U.S. has to make it known it will hunt down hackers who do us harm, whether they are individuals or working for state actors such as North Korea.
It is also important the American public knows its government is going after these threats and will relentlessly pursue the perpetrators of cyber attacks.
It is especially important the U.S. goes after North Korea’s cyber capabilities because Pyongyang is relying on illicit activities for funding and, ultimately, to support regime survival. Cyber provides the regime with a broad range of capabilities: from stealing funds, to espionage, to influencing social media information, to hacking enemies, and to attacking infrastructure. In many ways, cyber is much more practical and valuable than nuclear weapons.
This supports continued maximum pressure on North Korea, as cyber activities help the regime generate revenue through other means that have been stopped because of sanctions.”
Dmitri Alperovitch, CTO and co-founder of CrowdStrike:
“DPRK cyber adversaries represent some of the most active and disruptive threat groups today. Their tradecraft continues to grow in sophistication, leveraging cyber capabilities for conducting data exploitation, data destruction, cyber espionage and financially-motivated criminal activity — often costing organizations millions of dollars in damages. In the past year, we’ve witnessed DPRK commit to expansive cyber operations in support of their ability to service regime priorities and effectuate national interest. These crimes have impacted the global financial system and nearly every sector of the economy.
One of the most important steps taken towards achieving effective cyber deterrence is the attribution of these attacks and holding the perpetrators accountable, as we witnessed today by the announcement of the US Department of Justice.”