A 34-year-old North Korean has been named by US authorities as being involved in the 2017 WannaCry cyber attack, which affected the NHS and many other organisations across the UK and more than 100 other countries.
In December 2017, the UK and US governments officially blamed North Korea for the WannaCry attacks.
Jin Hyok Park has been charged by the US as a participant and member of the group which created the WannaCry ransomware and conducted cyber intrusions against multiple victims in the entertainment and financial sectors, including the 2014 cyber attack on Sony Pictures Entertainment.
Park ostensibly worked as a programmer for Chosun Expo, but US officials believe the firm is a front for the North Korean government and that Park actually works for North Korea’s Reconnaissance General Bureau, an intelligence agency, The New York Times reports.
The US charges relating to the WannaCry attack are the result of critical evidence obtained by the National Cyber Crime Unit (NCCU) of the UK’s National Crime Agency (NCA), which was able to link this attack to others already being investigated by the FBI.
The NCA has been leading the UK’s criminal investigation since the WannaCry attack. Working with Regional Organised Crime Units (ROCUs), Europol, industry partners and the National Cyber Security Centre (NCSC), the NCA has collated and shared evidence with the FBI to support the charges against Park.
WannaCry affected 48 NHS trusts across the UK, but this was not a deliberate act against the NHS, as organisations in more than 100 countries were impacted.
Paul Hoare, senior investigating officer for the NCA’s investigation, said the charges against Park are the culmination of “extended and complex enquiries” made by the NCA and law enforcement partners in the US.
“We have worked closely with the NCA Cyber Security Industry Group in the UK, and their invaluable contribution helped us produce key evidence to support the charges,” he said.
NCA director general Steve Rodhouse said the WannaCry attacks were part of a series of attacks. “It’s right that they are prosecuted together to show the full scale of offending.
“The collaboration between UK and US law enforcement has been strong and effective and these charges show that we will not tire in our efforts to identify those who believe they can hide behind a computer and cause havoc across the world, regardless of their motivation or status.
“The past year has shown that cyber attacks have real-world consequences and can cause enormous reputational and financial damage to businesses of all sizes. The WannaCry attack highlighted that cyber crime affects not just the country’s prosperity and security, but also affects our everyday way of life.
“The distinction between nation states and criminal groups in terms of cyber crime is becoming frequently more blurred and today’s charges are a significant step forward in our investigation,” he said.
The charges against Park mean he is listed internationally as “wanted” and will therefore be unable to travel outside North Korea without the risk of being arrested.
The US has also added Park to the Treasury Department’s sanctions list, which means no financial institution that does business in the US can do business with or provide accounts to Park or Chosun Expo.
The sanctions are unlikely to have much effect on Park, according to The New York Times, which quotes former US attorney David Hickton as saying: “The currency of cyber hackers, whether individuals or nation states, is their anonymity. Unmasking them has value in and of itself.”
The charges against Park are detailed in a 174-page criminal complaint by the US Department of Justice about a team of hackers for North Korea’s intelligence agency that has been linked with WannaCry, the Sony Pictures hack and the theft of $81m from the Bangladesh central bank as part of a scheme to undermine institutions around the world and steal millions in cash.
According to the complaint, Park and the rest of the group operate in many cases out of China and other Asian nations to carry out the attacks that appear to be mainly motivated by North Korea’s continuing need for cash. The complaint alleges some cyber attacks may be driven by North Korea’s desire to control US corporate behaviour through fear and to sow chaos.
“The North Korean government, through a state-sponsored group, robbed a central bank and citizens of other nations, retaliated against free speech to chill it half a world away, and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions – if not billions – of dollars’ worth of damage,” John Demers, head of the US justice department’s national security division, said in a statement.
“These charges will send a message that we will track down malicious actors no matter how or where they hide,” he added.
Sony Pictures attack
North Korea is believed to have broken into Sony Pictures Entertainment’s computer systems in 2014 in retaliation for the company’s production of The Interview, a film that mocked the North Korean leader and depicted a plot to assassinate him.
The attack wiped out 70% of the studio’s computer capability, erasing all the data on about half of the company’s personal computers and more than half of its servers, effectively crippling operations.
According to the complaint, Park and the other North Korean hackers would go on to engage in cyber attacks around the globe, including the attacks on the Bangladesh Bank and WannaCry.
The US Justice Department said the investigation is continuing, adding that the indictment took years to put together because it covers multiple hacking campaigns and the government cannot use classified information when it brings a criminal case against a nation-state.
An active and disruptive threat
According to Dmitri Alperovitch, chief technology officer and co-founder of security firm CrowdStrike, North Korean cyber adversaries represent some of the most active and disruptive threat groups today.
“Their tradecraft continues to grow in sophistication, leveraging cyber capabilities for conducting data exploitation, data destruction, cyber espionage and financially motivated criminal activity – often costing organisations millions of dollars in damages.
“In the past year, we’ve witnessed North Korea commit to expansive cyber operations in support of their ability to service regime priorities and effectuate national interest. These crimes have impacted the global financial system and nearly every sector of the economy.
“One of the most important steps taken towards achieving effective cyber deterrence is the attribution of these attacks and holding the perpetrators accountable, as we witnessed today with the announcement of the US Department of Justice,” he said.
Bill Conner, CEO of cyber security company SonicWall, said the Sony attack and WannaCry ransomware attacks are milestones in the IT industry and brought the cyber war being waged by North Korea to the attention of many for the first time.
“Law enforcement agencies and government officials around the world are challenged by the internet’s invisible borders and its nameless perpetrators when it comes to pursuing or charging cyber criminals,” he said.
A reminder to remain vigilant
Conner said the US Justice Department’s actions are commendable and should serve as a reminder for consumers and organisations alike to remain vigilant.
“In today’s connected world, it is irresponsible to operate online without strict security standards. Total end-to-end security is key, including a layered approach to security across wired, wireless, mobile and cloud networks, as well as securing IoT [internet of things] devices to prevent tampering and unauthorised access.”
Benjamin Read, senior manager, cyber espionage analysis at FireEye, said the complaint describing a North Korean national’s role in a wide range of intrusion activity is consistent with FireEye’s analysis of both the scope and attribution of this activity.
“While we do not have insight into all of the incidents described in the complaint, our analysis concurs with the conclusion that the actors responsible for multiple financially motivated intrusions, the WannaCry ransomware and many of the other incidents are linked by shared development resources.
“FireEye has observed these malicious operations continuing at a high pace over the last two years and impacting numerous organisations,” he said.