Connect with us

Hi, what are you looking for?



Opsec Mistakes Allowed U.S. to Link North Korean Man to Hacks

A 34-year-old North Korean national has been charged by U.S. authorities over his alleged involvement in the cyberattacks carried out by the Lazarus Group. An affidavit filed by an FBI special agent reveals how investigators linked the man to the notorious threat actor.

A 34-year-old North Korean national has been charged by U.S. authorities over his alleged involvement in the cyberattacks carried out by the Lazarus Group. An affidavit filed by an FBI special agent reveals how investigators linked the man to the notorious threat actor.

Park Jin Hyok has been charged with one count of conspiracy to commit computer fraud and abuse and one count of conspiracy to commit wire fraud. The FBI has added him to its Cyber Most Wanted list and the U.S. Department of Treasury announced sanctions against Park and the North Korean company he worked for.

The criminal complaint, filed on June 8 and made public on Thursday, describes both successful and unsuccessful campaigns of the Lazarus Group, but it focuses on four operations: the 2014 Sony Pictures Entertainment hack, the $81 million cyber heist from the central bank of Bangladesh in 2016, the 2017 WannaCry ransomware attack, and attempts to breach the systems of U.S. defense contractors in 2016 and 2017.

Governments and members of the cybersecurity industry previously linked most of these attacks to North Korea and the Lazarus Group (aka Hidden Cobra) based on shared code and infrastructure. However, the criminal complaint made public on Thursday reveals the apparent operational security (opsec) mistakes that led to investigators accusing Park of being involved in the campaigns.

Park is a North Korean programmer who until 2014, just before the Lazarus attack on Sony, worked in the China-based offices of Chosun Expo Joint Venture, also known as Korea Expo Joint Venture or KEJV. The company, which is said to be a front for the North Korean government, has been linked to the country’s military intelligence and it allegedly supports Pyongyang’s cyber activities.

According to investigators, Park worked at KEJV’s offices in Dalian, Liaoning, China, a province that borders North Korea. A résumé discovered by agents showed that he had been employed as a developer and that he had programming skills in – among many others – Visual C++, the language used to create many of Lazarus’ tools.

One of the personas used by Lazarus to set up its operations was “Kim Hyon Woo” and several links have been found between this moniker and Park’s online activities, including shared access to files, common names, and common IP addresses.

Links between Park Jin Hyok and Lazarus Group

Agents discovered that one of the email accounts used by Park, ttykim1018(at), and one account used by Kim Hyon Woo, tty198410(at), both had the “tty” string in their names.

Advertisement. Scroll to continue reading.

But that’s not the only connection. One email had been added to the other’s address book and the Kim Hyon Woo address was the only one allowed to access an archive file saved in a remote file storage account associated with Park’s address.

Park’s address was also used to register a video account that shared profile information with a video account and a payment account created by Kim Hyon Woo.

Lazarus’ tty198410 account was used to register a Gmail account named mrkimjin123(at) This address is noteworthy as it incorporates both the Kim and Jin names.

Another email address, which Park apparently used for official KEJV communications, surigaemind(at), received and sent messages addressed to and signed by a “Mr. Kim Jin” and “Kim Jin.”

Another important piece of evidence linking Park’s KEJV and personal accounts to Lazarus operational accounts registered by the Kim Hyon Woo persona is the discovery of common IP addresses – based in North Korea and elsewhere – that were used to access the accounts.

Investigators also discovered that the Brambul malware, which the U.S. recently attributed to Hidden Cobra, used various collector email accounts to store information stolen from compromised devices. The same North Korean IP address was used to access one of the Brambul collector accounts and KEJV-linked email accounts.

The complaint also reveals that Park is not the only subject of the FBI’s investigation into the Lazarus attacks and he likely was not the only individual with access to the analyzed accounts.

Related: French Nationals Arrested for ‘Rex Mundi’ Hacks

Related: Suspected Lizard Squad Hackers Arrested in US, Netherlands

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.