On the Monday morning before the Thanksgiving holiday in 2014, employees at the Culver City headquarters of Sony Pictures Entertainment found their computer screens taken over by an image of a red skeleton, and a message: “We’ve already warned you, and this is just a beginning.” It was the start of a months-long nightmare in which hackers, calling themselves “Guardians of Peace,” made public the personal emails, salaries, and even medical records of Sony’s workers. For years, the cybersecurity community has pinned the attack on North Korea. Thursday, the Justice Department made it official, issuing a sweeping complaint against a single Hermit Kingdom hacker for not just the Sony breach, but for 2017's devastating WannaCry ransomware strain, a brazen heist of $81 million from Bangladesh in 2016, and more.
The complaint alleges that one programmer, Park Jin Hyok, was a sort of Zelig of North Korean hacking, having a hand in numerous offensive cyberoperations dating back to at least 2014. And while it highlights Sony, WannaCry, and the Bangladesh bank theft, it makes clear that the hacker’s activity extended far beyond those blockbuster incidents—and that it continues today.
“The scope and damage of the computer intrusions perpetrated and caused by the subjects of this investigation, including Park, is virtually unparalleled,” reads the complaint.
While the complaint singles out Park, prosecutors were also very clear that he did not act alone–an unsurprising fact given the magnitude of the operations. The DoJ says that Park worked for a company called Chosun Expo Joint Venture, an alleged front for the North Korean government. He spent two years working for CEJV in China, apparently fielding legitimate jobs for paying clients, but had returned to North Korea by the time of the Sony hack.
“Park is the only individual charged in the criminal complaint, but the complaint makes very clear that he worked with other conspirators to effect all of these actions,” said a senior official in the Justice Department, speaking on background. Officials noted also that the investigation is ongoing.
As for why only Park was named in the complaint, the nature of cybersecurity investigations makes it challenging to build enough evidence to attribute attacks to a given group or country, much less an individual. Consider that US officials had already publicly condemned North Korea for most of the incidents the charges outline; getting from there to a specific name, backed by dozens of pages of evidence, takes time. Given that, it's likely that Park was merely the only conspirator the government has been able to get enough evidence on to name so far.
“When you find this type of information, oftentimes it’s via a mistake by the operator,” says Ben Read, senior manager of cyberespionage analysis at security firm FireEye. “Being able to tie it back to an individual can be very difficult, depending on how fastidious the operators are.”
Park apparently wasn’t quite fastidious enough. Investigators say they found multiple connections between an email account of Park’s and that of an alias, “Kim Hyon Woo.” The Kim email address “was used to subscribe or was accessed by the same computer as at least three other email or social media accounts that were each used to target multiple victims, including SPE and Bangladesh Bank,” according to the complaint.
The charges also provide more technical detail into North Korea’s various hacking efforts, many of which started with by now all-too-familiar spear-phishing campaigns. But they also demonstrate the impressive breadth of digital tools at North Korea’s disposal, something long appreciated among cybersecurity researchers, but seldom laid so bare.
“What the wide variety of malware tells you about this is that they’re making a significant investment in this. It takes people, it takes time, it takes money to create these custom tools,” says Read. “They have the resources to develop this stuff custom. That doesn’t necessarily make them unique, but it puts them in the top tier of nation states.”
It’s hard to overstate the magnitude of North Korea’s cyberactivity over the years. The Sony breach may seem almost quaint in an age of mega-breaches that have exposed the personal info of hundreds of millions of people. But while smaller in scale, the incredibly sensitive nature of the documents released publicly has not since been matched (the OPM hack was arguably more sensitive, but the information was never publicly released). Which makes sense, given the motive. While most hacks of this nature focus on intelligence gathering or financial gain, the Sony attack sought retribution, specifically for the planned release of The Interview, a Sony-produced Seth Rogen movie that depicted the assassination of North Korean leader Kim Jong-un.
The techniques remained fairly consistent between the attack of Sony, AMC Theaters, and other The Interview-related hacks and North Korea’s assault on the SWIFT banking system. The complaint says that same email address, firstname.lastname@example.org, researched contact information for actors in The Interview and sent spearphishing emails to employees of Bangladesh Bank. Some of the same malware was used in both campaigns as well. As ransomware, WannaCry had different characteristics than the Sony and SWIFT hacks, but investigators made the alleged connection using shared IP and email addresses.
Similar to the Sony hack, the Bangladesh heist was just the most public of multiple attempted banking thefts; North Korea hit financial institutions in Europe, Asia, Africa, North America, and South America. Hackers attempted to take $1 billion off of Bangladesh Bank in all, but were stopped short. And had WannaCry not accidentally featured a built-in “kill switch” that severely limited its spread, it could have caused unparalleled damage around the world.
While the US and its international partners have leveled numerous sanctions against North Korea, it's notable that this is the first legal action the DoJ has taken against its hackers. It comes on the heels of high-profile indictments against Russian misinformation and military intelligence agents, as well as Iranian hackers who had targeted US universities. “These activities run afoul of norms of acceptable, safe behavior in cyberspace, and the international community must address them when we can,” said a senior Justice Department official.
Still, the indictment will likely prove more symbolic than anything. North Korea is a notoriously isolated country; the idea that any of its elite hackers could somehow fall into the hands of US law enforcement is unlikely, to say the least. The complaint’s real utility may come from the extent to which it details North Korea’s efforts, better equipping the private sector to defend against future intrusions.
“In general, more information is almost always better,” says Read. “The insight into how an adversary like this works can help defenders plan on what they might be up to.”
The complaint also also comes at a delicate time in US-North Korean relationships. After months of belittling Kim Jong-un and threatening “fire and fury” in the event of nuclear escalation, President Trump has gotten to a détente with the Hermit Kingdom. But given North Korea’s seeming, and predictable, unwillingness to actually denuclearize, it’s unclear how long that will last.
Just a few hours before the charges became public, Trump did issue a message directed at his North Korean counterpart. “Kim Jong Un of North Korea proclaims ‘unwavering faith in President Trump,’” the president tweeted. “Thank you to Chairman Kim. We will get it done together!”