A resume as clue: How US tracked North Korean hackers behind WannaCry virus

US has lodged criminal charges against Park Jin Hyok, a North Korean national who works for the company and allegedly belongs to a group of conspirators known as the Lazarus Group.
Jin Hyok Park of North Korea, a suspected North Korean hacker in the 2014 cyber attack on Sony Corp, is seen in this photo.(FBI handout via Reuters)
Updated on Sep 07, 2018 03:39 PM IST
By Bloomberg

Clues found in free email services such as Gmail helped US investigators track down a North Korean hacker charged Thursday with crimes stemming from the 2014 attack on Sony Pictures Entertainment and the 2017 “WannaCry” ransomware operation.

The email services were used for routine business as well as for phishing attacks and other crimes by a company identified as the Korean Expo Joint Venture that’s a front group for the North Korean government, according to a Justice Department complaint filed in Los Angeles on Thursday.

The department lodged criminal charges against Park Jin Hyok, a North Korean national who works for the company and allegedly belongs to a group of conspirators known as the Lazarus Group. The Treasury Department simultaneously imposed sanctions against Park and his employer.

“The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” John Demers, head of the Justice Department’s National Security Division, said in a statement.

Sending a resume

The Korean Expo Joint Venture engaged both in hacking and regular business, working with clients on software and information technology projects and using free email services including Gmail, according to the criminal complaint. It said a clue that helped investigators break the case came when Park’s purported superior sent his resume and picture to another company in the course of doing its everyday technology operations.

Investigators accessed about 1,000 email and social media accounts using about 100 search warrants, and used them to piece together a picture of the hackers and their front operation, according to the complaint.

Alphabet Inc.’s Google, which operates Gmail, responded to a request for comment by referring to a recent blog post written by Kent Walker, the company’s senior vice president of Global Affairs. Google, Walker wrote, “identifies bad actors, disables their accounts, warns our users about them, and shares intelligence with other companies and law enforcement officials.”

Eric Chien, technical director of security response at Symantec Corp., a Mountain View, California-based digital security firm that tracks the Lazarus Group and is cited in the Justice Department report, said the hackers are likely to pause their activity to retool their email infrastructure.

“The expectation is there will be a bit of a lull, and then they will be right back at it,” Chien said in an interview. He said the hacking group has “shifted their sights” to cryptocurrency in the last year. The Justice Department said the conspirators also commit wire fraud on behalf of the cash-strapped North Korean government.

The Korean Expo Joint Venture operated in China, North Korea and other places, the Justice Department said in the complaint. Park, the complaint added, is believed to have returned to North Korea from China in 2014.

The charges and sanctions came amid President Donald Trump’s efforts to negotiate with Kim Jong Un’s regime to give up its nuclear arsenal. But officials underscored that North Korea’s growing cyber offensive capabilities also remain a concern.

‘Illicit revenues’

“We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions,” Treasury Secretary Steven Mnuchin said in a statement. “The United States is committed to holding the regime accountable for its cyber-attacks and other crimes and destabilising activities.”

The massive Sony attack was seen at the time as representing a new, aggressive type of hacking operation because it crippled computers, deleted data and released embarrassing internal emails in retaliation for the company’s film, “The Interview,” a comedy about a CIA plot to kill Kim.

During the 2017 attacks, known as WannaCry, hackers infected computers with malicious software that encrypted data and demanded ransom payments from users before the data would be released. Park was also cited by US officials as part of a conspiracy that conducted the fraudulent transfer of $81 million from the central bank of Bangladesh in February 2016.

The US government has previously said that North Korea was behind the attacks, and North Korea has denied that it was involved.

(This story has been published from an agency feed without modifications to the text. Only the headline has been changed.)
