Lazarus Group hacker charged in WannaCry, Sony attacks

The Department of Justice charged one Lazarus Group hacker, Park Jin Hyok, for his role in the WannaCry attack, Sony hack, SWIFT banking theft and more.

The Department of Justice has officially charged one member of the North Korean Lazarus Group for his role in the WannaCry attacks, the Sony Pictures breach, theft on the SWIFT banking system and more.

Nathan Shields, special agent for the FBI, filed an affidavit of complaint against the Lazarus Group hacker, Park Jin Hyok, on June 8, 2018, but the charges were made public on Sept. 6.

According to the affidavit, Park was charged with conspiring to commit the following: "unauthorized access to computer and obtaining information, with intent to defraud, and causing damage, and extortion related to computer intrusion" and wire fraud.

"The evidence set forth herein was obtained from multiple sources, including from analyzing compromised victim systems, approximately 100 search warrants for approximately 1,000 email and social media accounts accessed internationally by the subjects of the investigation, dozens of orders issued ... and approximately 85 formal requests for evidence to foreign countries and additional requests for evidence and information to foreign investigating agencies," Shields wrote in the affidavit.

Shields wrote that the affidavit was "made in support of a criminal complaint against, and arrest warrant" for Park, but there is no indication the Department of Justice knows where Park is currently located. The last mention in the affidavit noted Park returned to North Korea in 2014 after spending three years working for North Korean company Chosun Expo in China.

Although Park was the lone Lazarus Group hacker named in the filing, the entire North Korean team was implicated in the 2014 Sony Pictures breach; the 2016 theft of $81 million from Bangladesh Bank via the SWIFT network; the 2017 WannaCry ransomware attack; and "numerous other attacks or intrusions on the entertainment, financial services, defense, technology and virtual currency industries, as well as academia and electric utilities."

"In 2016 and 2017, the conspiracy targeted a number of U.S. defense contractors, including Lockheed Martin, with spear-phishing emails. The spear-phishing emails sent to the defense contractors were often sent from email accounts that purported to be from recruiters at competing defense contractors, and some of the malicious messages made reference to the Terminal High Altitude Area Defense (THAAD) missile defense system deployed in South Korea," the U.S. Attorney's Office for the Central District of California wrote in its press release.

"The attempts to infiltrate the computer systems of Lockheed Martin, the prime contractor for the THAAD missile system, were not successful."

Confirmation of North Korean involvement

Park is the first Lazarus Group hacker to be named and officially charged by the U.S. government, but the Lazarus Group and North Korea have been connected to attacks before.

As far back as December 2014, the FBI stated there was enough evidence to conclude that North Korea was behind the attack on Sony Pictures. And in December 2017, both the U.S. and U.K. governments blamed the WannaCry attacks on North Korea.

The affidavit detailed the use of the Brambul worm, which was malware attributed to the Lazarus Group in a US-CERT security alert issued by the FBI and Department of Homeland Security in May 2018.

However, while the confirmation of North Korean involvement was generally praised by experts, not all were happy that Park was the only Lazarus Group hacker to be named and charged.

Jake Williams, founder and CEO of Rendition Infosec, based in Augusta, Ga., wrote on Twitter that it was a "human rights issue" to charge Park, because the Lazarus Group hacker "likely had zero choice in his actions."