
U.S. charges North Korean operative in conspiracy to hack Sony Pictures, banks

Sony Pictures canceled the release of “The Interview,” a satire depicting the assassination of North Korean leader Kim Jong-Un, in 2014. (Damian Dovarganes/AP)

The Justice Department announced charges Thursday against an alleged hacker for the North Korean government in connection with a series of major cyberattacks including the 2014 assault on Sony Pictures Entertainment, marking the first time the United States has brought such charges against a Pyongyang operative.

Park Jin Hyok, officials said, is accused of being part of a conspiracy to hack on behalf of North Korea’s Reconnaissance General Bureau (RGB), the military intelligence agency that controls most of the country’s cyber-capabilities.


He and other unidentified operatives are accused of being members of the Lazarus Group, which also has been implicated in the audacious attempt to steal $1 billion from the Bangladesh Bank in 2016 and in the WannaCry 2.0 virus that affected more than 230,000 computers in 150 countries last year.

On Dec. 19, the Trump administration said North Korea is behind the WannaCry cyberattack that crippled hospitals, banks and other companies across the world. (Video: Reuters)

The charges against Park, detailed in a 179-page complaint, come as President Trump seeks North Korea’s commitment to fully abandon its nuclear weapons program. They were filed in June, days before Trump met North Korean leader Kim Jong Un at a summit in Singapore, but not unsealed until Wednesday.

Pyongyang has denied allegations of hacking.

“The scale and scope of the cybercrimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” said Assistant Attorney General John Demers.

The Treasury Department on Thursday also imposed sanctions against Park and the Chosun Expo Joint Venture, a state-owned firm that employed him in Dalian, China. Officials said Park and others operated in North Korea, China and other countries that were not identified. The sanctions allow the United States to seize any of their U.S. assets and prohibit Americans from taking part in any transactions with them.

North Korea was the last of the United States’ four major foreign cyber-adversaries to have hacking-related charges brought against government operatives.

Under the Obama administration, indictments were issued in 2014 against five Chinese military officers for alleged cyber-enabled economic espionage, and in 2016 against seven Iranian hackers for allegedly disrupting bank websites and attempting to disrupt a small New York dam. Last year, the Justice Department obtained indictments of two Russian spies and two criminal hackers in connection with the theft of 500 million Yahoo user accounts in 2014.

North Korea, though reclusive and impoverished, has been highly aggressive in cyberspace and was among the first to deploy disruptive attacks on a large scale — primarily against its arch foe South Korea.

“North Korea’s cyber-forces are among the most disruptive in the world today,” said Dmitri Alperovitch, co-founder of CrowdStrike, a cyberthreat intelligence firm. “Their tradecraft continues to grow in sophistication, and their crimes have harmed the global financial system and nearly every sector of the world economy.”

Park, 34, is a computer programmer educated at a North Korean university who since at least 2002 conducted cyber-operations through Chosun Expo on behalf of Lab 110, or Bureau 110, one of the government’s hacking organizations, the complaint states. He worked in Dalian, near the North Korea border, between 2011 and 2013, returning to North Korea by 2014, before the cyberattack on Sony, officials said.

Shortly before Thanksgiving that year, North Korea-linked hackers wiped data from thousands of Sony computers and stole confidential emails whose disclosure forced the resignation of a top executive. North Korea also targeted AMC theaters, which planned to show a satirical film depicting Kim’s assassination, and a British production company that was planning to produce another feature about North Korea, according to the complaint.

The campaign, carried out as a “false flag” operation by a group calling itself Guardians of the Peace, was allegedly launched in retaliation for the studio’s planned release of the satirical movie, “The Interview.” Earlier that year, Pyongyang had demanded that the studio pull the film. In December, following a torrent of embarrassing leaks and escalating threats, Sony said it would cancel the film’s release.


“These were not just attacks against computers,” said Tracy Wilkison, a senior federal prosecutor in Los Angeles where the charges were filed. “These were attacks against freedom of speech.”

President Barack Obama, angered by what he saw as an assault on a core American value, in January 2015 directed that sanctions be imposed on Pyongyang, including on the RGB.

Around the same time that Park and other Lazarus Group members conducted the Sony attack, they began targeting banks, the complaint alleges. They used some of the same Gmail accounts and malware employed against Sony, the complaint says.

In 2016, world banking officials were shocked to discover hackers had siphoned $81 million from accounts at Bangladesh Bank in what FBI officials called the largest cyberheist in history. Investigators have said that attack was particularly egregious in that one government attempted to steal $1 billion from another government — and nearly succeeded.

The hackers, officials say, gained access to the bank’s interface with a global electronic messaging system known as SWIFT, which is used to direct money transfers between financial institutions.

Posing as bank employees, the hackers sent fraudulent messages to the Federal Reserve Bank of New York, ordering large money transfers to accounts in other countries. Some $81 million from Bangladesh Bank’s account was sent to banks in the Philippines. Most of that money was sent to casinos in Manila and never recovered.

In May 2017, officials say, RGB-sponsored hackers deployed WannaCry 2.0, a computer virus paired with ransomware that encrypted data on victims’ computers and demanded money to restore access. It significantly affected service at Britain’s National Health Service. U.S. and British intelligence agencies linked North Korea to the worm. Researchers say the virus was accidentally released before it was ready; an operational error made the ransom payments easy to track, including by law enforcement.

According to U.S. intelligence agencies, North Korea has attempted intrusions into banks in more than 20 countries since the beginning of 2016. At least 1,000 North Korea cyber-operatives live and work abroad, mostly in China, where there is better access to the Internet, according to the agencies. Some also live in Malaysia.

The complaint, which drew upon the expertise of cybersecurity firm Mandiant, included copious technical details describing the attacks and linking the techniques to the Lazarus Group. One chart shows email and alias email accounts allegedly used by Park that were linked to cyberattacks on Sony and other victims.

Such detail lends credibility to the charges but risks divulging information that may allow an attacker to change methods, said Luke Dembosky, a former senior Justice Department official who was involved in the department’s response to the Sony attack.

“This is obviously meant to demonstrate to the public and our allies the United States’ ability to identify nation-state hackers,” said Dembosky, now a cyber-lawyer at Debevoise & Plimpton, “and to serve as a warning to others that it is not so easy to remain anonymous when the government commits to finding you.”

Carol Morello contributed to this report.