Justice Dept. charges North Korea spy in Sony, WannaCry attacks

Just hours after President Trump tweeted his thanks to North Korean leader Kim Jong-un for his “unwavering faith in President Trump,” the Justice Department charged North Korean spy Park Jin-hyok with computer fraud for the Sony hack and the costly WannaCry 2.0 attack that wreaked havoc around the globe.

“The complaint alleges that the North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations; retaliated against free speech in order to chill it half a world away; and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars’ worth of damage,” Assistant Attorney General for National Security John Demers said in a release. “The scale and scope of the cybercrimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations.”

WannaCry ransomware blazed a destructive path around the world last spring, wreaking havoc on hospitals, the financial sector, FedEx, and companies of all stripes.

North Korea was fingered early on as the likely culprit behind the attacks, with speculation pinning it specifically on the Lazarus Group, which is believed to have been behind the 2014 Sony hack. And last December then Homeland Security Advisor Tom Bossert said flat out that “North Korea is directly responsible” for WannaCry, which he referred to as widespread, costly and “indiscriminately reckless.”

“We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree,” Bossert wrote in a Wall Street Journal opinion piece at the time. “The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government.”

The Justice Department’s charge “describing a North Korean national’s role in a wide range of intrusion activity is consistent with FireEye’s analysis of both the scope and attribution of this activity, which we link to the group TEMP.Hermit,” said Benjamin Read, senior manager, cyberespionage analysis at FireEye, which analyzed the malware provided by the Justice Department in its investigation of the attacks. “While we do not have insight into all of the incidents described in the complaint, our analysis concurs with the conclusion that the actors responsible for multiple financially motivated intrusions, the WannaCry ransomware and many of the other incidents are linked by shared development resources.”

Read said the security firm “has observed these malicious operations continuing at a high pace over the last two years and impacting numerous organizations.”

WannaCry was delivered via the DoublePulsar backdoor and the EternalBlue exploit against Microsoft software – tools allegedly created by the U.S. National Security Agency and subsequently leaked by The Shadow Brokers hacking group. The wormable ransomware spread to more than 150 nations in the first three days.

“The 2014 Sony Pictures Entertainment wiper attack and 2017 WannaCry Ransom worm attack were both world firsts in terms of the aggressiveness of data destruction leveled against Western companies,” said Rafe Pilling, researcher for Secureworks. “Each event costing huge sums to investigate and remediate and in the case of WannaCry, potentially endangering life through disruption of systems supporting national health care providers.”

Park, who sources cited by the New York Times said apparently works for North Korea’s CIA-like agency and is believed to be in the country right now, was also placed on the Treasury Department’s sanctions list.

“We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions,” Treasury Secretary Steve Mnuchin said.

“While it may appear largely symbolic, the indictment demonstrates that nations cannot conduct these reckless acts of disruption without consequences,” said Pilling. “The U.S., working with international partners, has the ability to not just identify the Nation responsible but the specific individuals that perpetrate costly and disruptive cyberattacks.”

The Trump administration’s treatment of North Korea has been a mixed bag – often criticizing the country’s cyberactivities, then praising the country’s leader.

The president tweeted Thursday morning that the two leaders would “get it done together,” presumably a reference to improving relations between the two countries and making progress toward denuclearizing the Korean peninsula as discussed at the summit, though talks have more recently broken down.

In June, North Korea’s former spy chief, credited with building the country’s hacking operation that brought down Sony’s networks and pilfered money from the SWIFT system, met with Secretary of State Mike Pompeo while in the Oval Office with Trump.

Vice Chairman Kim Yong Chol, a four-star general who headed up North Korea’s intelligence agency, hand-delivered a written message to Trump from Kim Jong-un regarding the two leaders’ summit in Singapore on June 12.

Gen. Kim had been sanctioned by the U.S. and others for his hacking activities.
