A resume as clue: How US tracked North Korean hackers behind WannaCry virus

Clues found in free email services such as Gmail helped US investigators track down a North Korean hacker charged Thursday with crimes stemming from the 2014 attack on Sony Pictures Entertainment and the 2017 “WannaCry” ransomware operation.
The email services were used for routine business as well as for phishing attacks and other crimes by a company identified as the Korean Expo Joint Venture that’s a front group for the North Korean government, according to a Justice Department complaint filed in Los Angeles on Thursday.
The department lodged criminal charges against Park Jin Hyok, a North Korean national who works for the company and allegedly belongs to a group of conspirators known as the Lazarus Group. The Treasury Department simultaneously imposed sanctions against Park and his employer.
“The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” John Demers, head of the Justice Department’s National Security Division, said in a statement.
Sending a resume
The Korean Expo Joint Venture engaged both in hacking and regular business, working with clients on software and information technology projects and using free email services including Gmail, according to the criminal complaint. It said a clue that helped investigators break the case came when Park’s purported superior sent his resume and picture to another company in the course of doing its everyday technology operations.
Investigators accessed about 1,000 email and social media accounts using about 100 search warrants, and used them to piece together a picture of the hackers and their front operation, according to the complaint.
Alphabet Inc.’s Google, which operates Gmail, responded to a request for comment by referring to a recent blog post written by Kent Walker, the company’s senior vice president of Global Affairs. Google, Walker wrote, “identifies bad actors, disables their accounts, warns our users about them, and shares intelligence with other companies and law enforcement officials.”
Eric Chien, technical director of security response at Symantec Corp., a Mountain View, California-based digital security firm that tracks the Lazarus Group and is cited in the Justice Department report, said the hackers are likely to pause their activity to retool their email infrastructure.
“The expectation is there will be a bit of a lull, and then they will be right back at it,” Chien said in an interview. He said the hacking group has “shifted their sights” to cryptocurrency in the last year. The Justice Department said the conspirators also commit wire fraud on behalf of the cash-strapped North Korean government.
The Korean Expo Joint Venture operated in China, North Korea and other places, the Justice Department said in the complaint. Park, the complaint added, is believed to have returned to North Korea from China in 2014.
The charges and sanctions came amid President Donald Trump’s efforts to negotiate with Kim Jong Un’s regime to give up its nuclear arsenal. But officials underscored that North Korea’s growing cyber offensive capabilities also remain a concern.
‘Illicit revenues’
“We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions,” Treasury Secretary Steven Mnuchin said in a statement. “The United States is committed to holding the regime accountable for its cyber-attacks and other crimes and destabilising activities.”
The massive Sony attack was seen at the time as representing a new, aggressive type of hacking operation because it crippled computers, deleted data and released embarrassing internal emails in retaliation for the company’s film, “The Interview,” a comedy about a CIA plot to kill Kim.
During the 2017 attacks, known as WannaCry, hackers infected computers with malicious software that encrypted data and demanded ransom payments from users to be released. Park was also cited by US officials as part of a conspiracy that conducted the fraudulent transfer of $81 million from the central bank of Bangladesh in February 2016.
The US government has previously said that North Korea was behind the attacks, and North Korea has denied that it was involved.
(This story has been published from an agency feed without modifications to the text. Only the headline has been changed.)
-
Two Indo-Canadian academics honoured with Order of Canada
Two Indo-Canadian academics, working on research to advance the betterment of mankind, have been honoured with one of the country's most prestigious awards, the Order of Canada. Their names were in the list published by the office of the governor-general of Canada Mary Simon. Both have been invested (as the bestowal of the awards is described) into the Order as a Member. They are professors Ajay Agrawal and Parminder Raina.
-
Elon Musk's Twitter hiatus, in 2nd week now, generates curiosity
The world's richest person, Elon Musk, has not tweeted in about 10 days and it can't go unnoticed. The 51-year-old business tycoon has 100 million followers on the microblogging site, which he is planning to buy. Since April, he has been making headlines for the $44 billion deal and his comments and concerns about the presence of a large number of fake accounts on Twitter.
-
Taliban's reclusive supreme leader attends gathering in Kabul: Report
The Taliban's reclusive supreme leader Haibatullah Akhundzada joined a large gathering of nationwide religious leaders in Kabul on Friday, the state news agency said, adding he would give a speech. The Taliban's state-run Bakhtar News Agency confirmed the reclusive leader, who is based in the southern city of Kandahar, was attending the meeting of more than 3,000 male participants from around the country, aimed at discussing issues of national unity.
-
July 1: Canada to mark 155th anniversary of its formation
As the country prepares to celebrate the 155th anniversary of the formation of the Canadian Confederation, Canada Day, the traditional centre of festivities, Parliament Hill in Ottawa, will be off limits as protesters linked to the Freedom Convoy begin gathering in the capital for the long weekend. Various events have been listed by protesters including a march to Parliament Hill on Friday.
-
Bulgaria's ‘Crypto Queen’ Ruja Ignatova added to FBI's most-wanted list
A Bulgarian woman dubbed the "Crypto Queen" afteIgnatovahe raised billions of dollars in a fraudulent virtual currency scheme was placed on the FBI's 10 most wanted list Thursday. The Federal Bureau of Investigation put up a $100,000 reward for Ruja Ignatova, who disappeared in Greece in October 2017 around the time US authorities filed a sealed indictment and warrant for her arrest.