Gmail key to tracking down North Korean Park Jin-hyok who is accused of hacking Sony and spreading WannaCry virus
Free email services were used for routine business as well as for phishing attacks and other crimes by a company identified as the Korean Expo Joint Venture, according to US justice department
Clues found in free email services such as Gmail helped US investigators track down a North Korean hacker charged on Thursday with crimes stemming from the 2014 attack on Sony Pictures Entertainment and the 2017 “WannaCry” ransomware operation.
The email services were used for routine business as well as for phishing attacks and other crimes by a company identified as the Korean Expo Joint Venture, a front group for the North Korean government, according to a justice department complaint filed in Los Angeles on Thursday.
After Singapore medical data hack, Hong Kong’s Department of Health becomes latest cyberattack victim
The department lodged criminal charges against Park Jin-hyok, a North Korean national who works for the company and allegedly belongs to a group of conspirators known as the Lazarus Group. The treasury department simultaneously imposed sanctions against Park and his employer.
“The scale and scope of the cybercrimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” John Demers, head of the justice department’s National Security Division, said.
Sending a resume
The Korean Expo Joint Venture engaged both in hacking and regular business, working with clients on software and information technology projects and using free email services including Gmail, according to the criminal complaint. It said a clue that helped investigators break the case came when Park’s purported supervisor sent his resume and picture to another company in the course of doing its everyday technology operations.
Investigators accessed about 1,000 email and social media accounts using about 100 search warrants, and used them to piece together a picture of the hackers and their front operation, according to the complaint.
Watch: White House says Sony hack was a ‘national security matter’ in 2014
Alphabet Inc’s Google, which operates Gmail, responded to a request for comment by referring to a recent blog post written by Kent Walker, the company’s senior vice-president of Global Affairs. Google, Walker wrote, “identifies bad actors, disables their accounts, warns our users about them, and shares intelligence with other companies and law enforcement officials”.
Eric Chien, technical director of security response at Symantec Corp, a Mountain View, California-based digital security firm that tracks the Lazarus Group and is cited in the justice department report, said the hackers are likely to pause their activity to retool their email infrastructure.
“The expectation is there will be a bit of a lull, and then they will be right back at it,” Chien said. He said the hacking group has “shifted their sights” to cryptocurrency in the last year. The Justice Department said the conspirators also commit wire fraud on behalf of the cash-strapped North Korean government.
The Korean Expo Joint Venture operated in China, North Korea and other places, the justice department said in the complaint. Park, the complaint added, is believed to have returned to North Korea from China in 2014.
The charges and sanctions came amid US President Donald Trump’s efforts to negotiate with Kim Jong-un’s regime to give up its nuclear arsenal. But officials underscored that North Korea’s growing cyber offensive capabilities also remain a concern.
“We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions,” Treasury Secretary Steven Mnuchin said. “The United States is committed to holding the regime accountable for its cyberattacks and other crimes and destabilising activities.”
The massive Sony attack was seen at the time as representing a new, aggressive type of hacking operation because it crippled computers, deleted data and released embarrassing internal emails in retaliation for the company’s film, The Interview, a comedy about a CIA plot to kill Kim.
During the 2017 attacks, known as WannaCry, hackers infected computers with malicious software that encrypted data and demanded ransom payments from users to be released. Park was also cited by US officials as part of a conspiracy that conducted the fraudulent transfer of US$81 million from the central bank of Bangladesh in February 2016.
The US government has previously said that North Korea was behind the attacks, and North Korea has denied that it was involved.