US Department of Justice charges alleged North Korean spy Park Jin Hyok over WannaCry and Sony Pictures attacks

Lazarus Group-linked Park Jin Hyok worked for North Korean front company in China, 179-page US Department of Justice indictment claims

An alleged spy whom the US Department of Justice is linking with the North Korean state hackers Lazarus Group has been indicted today for his roles in the 2014 attack on Sony Pictures and the WannaCry virus.

Park Jin Hyok (also known as Pak Jin Hek) was involved in the attacks on behalf of North Korea's Reconnaissance General Bureau (RGB), the country's military intelligence agency, the indictment claims.

He is also linked to attacks on banks and has been connected by the US Department of Justice, in particular, to the attempted $951 million cyber heist on Bangladesh Bank.

The DoJ claims that the North Korean was in the US just before the 2014 attack on Sony Pictures Entertainment, but left the country just before the attack commenced.

"The subjects targeted individuals and entities associated with the production of The Interview and employees of SPE, sending them malware that the subjects used to gain unauthorized access to SPE's network. Once inside SPE's network, the subjects stole movies and other confidential information, and then effectively rendered thousands of computers inoperable," claims the indictment.

It also claims that Park and his group were behind the cyber heist at Bangladesh Bank, successfully stealing $81 million before the series of SWIFT transfers was stopped, as well as attacks on a series of other financial institutions around the world since 2015.

They have also targeted defence contractors, universities, technology companies, virtual currency exchanges and US electrical utilities.

The indictment also explicitly connects Park and, by extension, the North Korean government to the creation and propagation of the WannaCry virus, which crippled computers across the world in May 2017.

"While some of these computer intrusions or attempted intrusions occurred months or years apart, and affected a wide range of individuals and businesses, they share certain connections and signatures, showing that they were perpetrated by the same group of individuals (the subjects)," the indictment continues.

"For instance, many of the intrusions were carried out using the same computers or digital devices, using the very same accounts or overlapping sets of email or social media accounts, using the same aliases, and using the same cyber infrastructure, including the same IP addresses and proxy services."

Park, it adds, "was a programmer employed by the government of North Korea, and worked for Chosun Expo, a North Korean government front company affiliated with one of the North Korean government's hacking organizations, sometimes known as 'Lab 110', starting in at least 2002. Some programmers employed by Chosun Expo stationed abroad - including Park - did some work for paying clients on non-malicious programming projects.

"In particular, Park worked among a team of North Korean programmers employed by Chosun Expo in Dalian, China, who did programming and information technology projects for paying clients around the world, some of whom knew they were employing North Korean programmers. Although Park worked in China for at least some time between 2011 and 2013, he appears to have returned to North Korea by 2014, before the cyber-attack on Sony Pictures."

The indictment of Park not only firms up claims made over the years about the North Korean government's involvement in cyber crime, but also indicates that other individuals alleged to be behind the attack could also be identified and outed by the DoJ.