Security Experts:

U.S. Charges North Korean Over Lazarus Group Hacks

The U.S. Department of Justice on Thursday announced charges against a North Korean national who is believed to be a member of the notorious Lazarus Group, to which governments and the cybersecurity industry have attributed several high profile attacks.

The suspect is Park Jin Hyok, who according to the DOJ worked for a North Korean government front company known as Chosun Expo Joint Venture and Korea Expo Joint Venture (KEJV). The Democratic People’s Republic of Korea allegedly used this company, which also has offices in China, to support its cyber activities.

The complaint, filed on June 8 in a U.S. District Court in Los Angeles and made public on Thursday, accuses Park and other members of the Lazarus Group of conducting destructive cyberattacks that resulted in “damage to massive amounts of computer hardware and extensive loss of data, money and other resources.”United States charges North Korean hacker of the Lazarus Group

The complaint describes both successful and unsuccessful campaigns of the threat actor, but it focuses on four operations: the 2014 Sony Pictures Entertainment hack, the $81 million cyber heist from the central bank of Bangladesh in 2016, the 2017 WannaCry ransomware attack, and attempts to breach the systems of several U.S. defense contractors, including Lockheed Martin, over the course of 2016 and 2017.

Five Eyes countries and Japan last year officially blamed North Korea for the WannaCry attack.

According to the DOJ, Park worked as a computer programmer at KEJV, which has been linked to DPRK military intelligence. Park allegedly did programming work for the company’s paying clients, while also engaging in malicious activities on behalf of Pyongyang.

The man has been charged with one count of conspiracy to commit computer fraud and abuse, for which he faces up to five years in prison, and one count of conspiracy to commit wire fraud, which carries a sentence of up to 20 years in prison.

“DPRK cyber adversaries represent some of the most active and disruptive threat groups today,” said Dmitri Alperovitch, CTO and co-founder of CrowdStrike. “Their tradecraft continues to grow in sophistication, leveraging cyber capabilities for conducting data exploitation, data destruction, cyber espionage and financially-motivated criminal activity — often costing organizations millions of dollars in damages. In the past year, we’ve witnessed DPRK commit to expansive cyber operations in support of their ability to service regime priorities and effectuate national interest. These crimes have impacted the global financial system and nearly every sector of the economy.”

“One of the most important steps taken towards achieving effective cyber deterrence is the attribution of these attacks and holding the perpetrators accountable, as we witnessed today by the announcement of the US Department of Justice,” Alperovitch added.

FDD Senior Fellow David Maxwell, who specializes in North Korea’s nuclear and cyber threats, noted that the charges represent a critically important development.

“Although there is a significant time lapse between the hack and this indictment, it shows that the U.S. is tracking the North Korea threat, and that despite the current nuclear diplomacy the U.S. will pursue cyber operatives and hacker/criminals who wish to do the U.S. and the U.S. economy harm,” Maxwell said via email.

“The U.S. has to address cyber threats, though this is just one very small step toward improving cyber defenses. The U.S. has to make it known it will hunt down hackers who do us harm, whether they are individuals or working for state actors such as North Korea,” he added.

This is not the first time the United States has charged foreign nationals over cyberattacks believed to have been sponsored – or at least condoned – by their respective governments. The DOJ in the past years unsealed indictments against Chinese, Russian, Syrian and Iranian nationals.

Related: North Korea-Linked Group Stops Targeting U.S.

Related: U.S. Indicts Chinese For Hacking Siemens, Moody’s

Related: U.S. Cyber Command Launched DDoS Attack Against North Korea

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.