A resume as clue: How US tracked North Korean hackers behind WannaCry virus

Clues found in free email services such as Gmail helped US investigators track down a North Korean hacker charged Thursday with crimes stemming from the 2014 attack on Sony Pictures Entertainment and the 2017 “WannaCry” ransomware operation.

The email services were used for routine business as well as for phishing attacks and other crimes by a company identified as the Korean Expo Joint Venture that’s a front group for the North Korean government, according to a Justice Department complaint filed in Los Angeles on Thursday.

The department lodged criminal charges against Park Jin Hyok, a North Korean national who works for the company and allegedly belongs to a group of conspirators known as the Lazarus Group. The Treasury Department simultaneously imposed sanctions against Park and his employer.

“The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” John Demers, head of the Justice Department’s National Security Division, said in a statement.

Sending a resume

The Korean Expo Joint Venture engaged both in hacking and regular business, working with clients on software and information technology projects and using free email services including Gmail, according to the criminal complaint. It said a clue that helped investigators break the case came when Park’s purported superior sent his resume and picture to another company in the course of doing its everyday technology operations.

Investigators accessed about 1,000 email and social media accounts using about 100 search warrants, and used them to piece together a picture of the hackers and their front operation, according to the complaint.

Alphabet Inc.’s Google, which operates Gmail, responded to a request for comment by referring to a recent blog post written by Kent Walker, the company’s senior vice president of Global Affairs. Google, Walker wrote, “identifies bad actors, disables their accounts, warns our users about them, and shares intelligence with other companies and law enforcement officials.”

Eric Chien, technical director of security response at Symantec Corp., a Mountain View, California-based digital security firm that tracks the Lazarus Group and is cited in the Justice Department report, said the hackers are likely to pause their activity to retool their email infrastructure.

“The expectation is there will be a bit of a lull, and then they will be right back at it,” Chien said in an interview. He said the hacking group has “shifted their sights” to cryptocurrency in the last year. The Justice Department said the conspirators also commit wire fraud on behalf of the cash-strapped North Korean government.

The Korean Expo Joint Venture operated in China, North Korea and other places, the Justice Department said in the complaint. Park, the complaint added, is believed to have returned to North Korea from China in 2014.

The charges and sanctions came amid President Donald Trump’s efforts to negotiate with Kim Jong Un’s regime to give up its nuclear arsenal. But officials underscored that North Korea’s growing cyber offensive capabilities also remain a concern.

‘Illicit revenues’

“We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions,” Treasury Secretary Steven Mnuchin said in a statement. “The United States is committed to holding the regime accountable for its cyber-attacks and other crimes and destabilising activities.”

The massive Sony attack was seen at the time as representing a new, aggressive type of hacking operation because it crippled computers, deleted data and released embarrassing internal emails in retaliation for the company’s film, “The Interview,” a comedy about a CIA plot to kill Kim.

During the 2017 attacks, known as WannaCry, hackers infected computers with malicious software that encrypted data and demanded ransom payments from users to be released. Park was also cited by US officials as part of a conspiracy that conducted the fraudulent transfer of $81 million from the central bank of Bangladesh in February 2016.

The US government has previously said that North Korea was behind the attacks, and North Korea has denied that it was involved.

(This story has been published from an agency feed without modifications to the text. Only the headline has been changed.)