US agencies see alliance between North Korean, Chinese hackers
Legal evidence casts a harsh light on North Korea's cyber activities but Federal Court case comes at a delicate time for Washington's ties with Pyongyang
At a time when Washington is cautiously hopeful of a breakthrough in its long-troubled relations with Pyongyang, senior US officials are making strong allegations about the regime’s cyber crimes.
On Sept 6, the US Department of Justice made public a criminal complaint which it filed in a federal court in California in June. It has charged “Park Jin Hyok… a North Korean citizen, for his involvement in a conspiracy to conduct multiple destructive cyber-attacks around the world resulting in damage to massive amounts of computer hardware, and the extensive loss of data, money and other resources.”
The DOJ alleges that not only was Park a central player in some of the most sensational hacks of recent times, it also claims he was a member of a Pyongyang-based cyber-espionage unit.
“The complaint alleges that Park was a member of a government-sponsored hacking team known to the private sector as the ‘Lazarus Group,’ and worked for a North Korean government front company, Chosun Expo Joint Venture (aka ‘Korea Expo Joint Venture’ or ‘KEJV’), to support the DPRK government’s malicious cyber actions,” a DOJ press release accompanying the indictment said.
“The Conspiracy’s malicious activities include the creation of the malware used in the 2017 WannaCry 2.0 global ransomware attack; the 2016 theft of $81 million from Bangladesh Bank; the 2014 attack on Sony Pictures Entertainment (SPE); and numerous other attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.”
US agencies point the finger at Pyongyang
The FBI’s Los Angeles office was in charge of the investigation. FBI director Christopher Wray used the DOJ indictment as an opportunity to accuse Pyongyang of a wide range of online criminal activities. “We stand with our partners to name the North Korean government as the force behind this destructive global cyber campaign,” Wray said in a press conference. “This group’s actions are particularly egregious as they targeted public and private industries worldwide – stealing millions of dollars, threatening to suppress free speech, and crippling hospital systems.”
Steven Mnuchin, secretary of the US Department of the Treasury, also waded in. After announcing that the Treasury would impose further penalties upon North Korea, he pointed his finger directly at the North Korean leadership.
“We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions,” he said at the same press conference. “The United States is committed to holding the regime accountable for its cyber-attacks and other crimes and destabilizing activities.”
Park was identified as a computer programmer who worked for over a decade for Chosun Expo Joint Venture, which had offices in China and North Korea. It is affiliated with Lab 110, a component of North Korean military intelligence, according to the DOJ.
Days after the indictment was made public, North Korea shot back. It said that Park does not exist, but is a fictitious character created by the US government.
A China-North Korean hacking alliance?
The cyber-attack on Sony Pictures Entertainment (SPE) was conducted in 2014 at approximately the same time that the DOJ announced that it was seeking five Chinese military officers who had conducted or attempted cyber attacks on several US companies. While there appears to be no direct connection between these two events, some objectives of North Korea and China overlap, indicating coordination could be taking place between the two governments.
“In 2016 and 2017, the Conspiracy targeted a number of US defense contractors, including Lockheed Martin,” the DOJ reported. Those hacks used emails designed to allow hackers to penetrate and manipulate computer networks known as spear-phishing emails.
“These malicious emails used some of the same aliases and accounts seen in the SPE attack, at times accessed from North Korean IP addresses, and contained malware with the same distinct data table found in the malware used against SPE and certain banks,” the DOJ continued. “The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to be from recruiters at competing defense contractors, and some of the malicious messages made reference to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea. The attempts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful.”
Facebook, Google used to test spear-phishing
Alongside the complaint, an extremely detailed 179-page affidavit was released by the DOJ. Both Facebook and Google are named in the affidavit because the hackers used both to engage in test spear-phishing techniques.
Throughout the affidavit – in instances such as the THAAD episode – there are serious questions raised concerning the extent of the mutual involvement of Chinese and North Korean government officials. What is evident is that the activity went on for years – between 2011 and 2017 – and that it involved deliberate cyber attacks and intrusions into US commercial and government entities. The DOJ language leaves little doubt that Park and unnamed co-conspirators were given the nod of approval by Beijing and Pyongyang.
The affidavit notes: “Most North Korean citizens do not have access to global websites and social media such as Google, Facebook, or Twitter. Accordingly, the use of accounts identified herein as accessed from inside North Korea was likely regime-sanctioned and approved.”
The DOJ investigation alleges a web of ties, both commercial and military. “PARK was at times dispatched to China, along with others, to work for Chosun Expo (in Dalian, China) for paying clients on non-malicious software and information technology projects. The Chosun Expo Accounts included email accounts that he used while conducting this fee-generating business. On January 10, 2011, an email was sent from an email account used by PARK’s “Department Head” to the head of a non-DPRK company that provided financial market information services. That non-DPRK company employed programmers in Dalian, China, and later in North Korea, and the head of the non-DPRK company had met with military personnel in North Korea.”
By indicating the malice employed and the sophistication of Pyongyang’s cyber assets, as well as their apparent coordination with Beijing, the DOJ action may prove diplomatically awkward at a time when North Korea seeks to be seen as a responsible negotiating party on the global stage.