The US has named and indicted a North Korean national for the WannaCry and Sony hacks and for conspiring with others to steal £62 million in the SWIFT bank hack in Bangladesh.
The move follows on the heels of the UK naming suspects in the Salisbury Novichok poisonings and stepping up calls for global enforcement of a rules-based system of international conduct by nation states.
North Korean programmer Park Jin Hyok, 34, was charged yesterday by the US authorities as a participant and member of the group which created the WannaCry ransomware cyber attack that hit 48 NHS trusts and other organisations in 100 countries last year.
He has been added to the FBI's ‘wanted’ list. The indictment claims that he acted on behalf of North Korea's Reconnaissance General Bureau (RGB), the country's military intelligence agency; it is therefore not expected that he will be extradited.
On its website, the National Cyber Crime Unit (NCCU) of the UK’s National Crime Agency (NCA) says that the US charges are the result of critical evidence obtained by the NCCU, which was able to link this attack to others already being investigated by the FBI, particularly those by the Lazarus Group.
Paul Hoare, senior investigating officer for the NCA’s investigation, said in a press statement that the charges in relation to the WannaCry attacks were the culmination of extended and complex enquiries made by the NCA and law enforcement partners in the United States.
"We have worked closely with the NCA Cyber Security Industry Group in the UK, and their invaluable contribution helped us produce key evidence to support the charges," he added.
The NCA worked with Regional Organised Crime Units (ROCUs), Europol, industry partners and the National Cyber Security Centre (NCSC) and collated and shared evidence with the US Federal Bureau of Investigation (FBI) to support the charges.
The indictment includes both the Sony hacks and the WannaCry attacks, with NCA director general of operations Steve Rodhouse commenting that the ransomware attacks that affected the UK appear to be part of a series, hence it’s right that they are prosecuted together to show the full scale of offending.
In an email to SC Media UK, Eric Chien, VP of security technology and response, Symantec, explained a bit more about how Park was identified, saying: "What’s perhaps most interesting about the DOJ indictment is that law enforcement was able to identify Park Jin Hyok as part of the Lazarus group by obtaining emails from his Hotmail and Gmail accounts. Surprisingly, Park used the same email accounts for the legitimate software development work, as well as hacking activity attributed to Lazarus. Park’s resume and image were discovered in his email, which helped law enforcement attribute the hacking activity back to him specifically."
Consequently, he suggests that we’ll likely see Lazarus move away from these free email services, given they’ll have to re-tool their entire infrastructure, including email accounts, passwords, servers, etc., now that they know they’re being watched. Chien also noted that: "Lately, the group’s main focus has been on cryptocurrency – most of the attacks from the past year that we believe are related to Lazarus have targeted crypto-related victims (i.e. ICO providers, cryptocurrency banks, mining pool providers, etc.). It’s unlikely that this indictment will stop the group entirely – judging from their history, such as the Sony breach and WannaCry, they’re brazen and not scared of getting caught."
Rodhouse adds: "The past year has shown that cyber-attacks have real-world consequences and can cause enormous reputational and financial damage to businesses of all sizes. The WannaCry attack highlighted that cyber-crime affects not just the country’s prosperity and security, but also affects our everyday way of life."
Bill Conner, CEO of SonicWall, said: "The Sony breach and WannaCry ransomware attacks are milestones for those in the IT industry, as they mark a day we’ll never forget and a distinct moment when the cyber-war was brought to the attention of those who were unsuspecting to it. Law enforcement agencies and government officials around the world are challenged by the internet’s invisible borders and its nameless perpetrators when it comes to pursuing or charging cyber-criminals.
"While almost four years have passed since the communications giant sent notifications of its attacks, the US Justice Department’s actions are commendable and should serve as a reminder for consumers and organisations alike to remain vigilant."
Sherrod DeGrippo, director of emerging threats at Proofpoint, emailed SC Media UK to explain how Lazarus Group's modus operandi typically entails conducting spear phishing attacks with attachments and links to deliver malicious Microsoft Office or Hancom Word documents, sometimes masquerading as ransomware. DeGrippo adds: "Lazarus’ attacks often utilise compromised infrastructure for proxying command and control traffic between victims and their operators. They take advantage of unpatched vulnerabilities in protocols, such as SMB, and weak credentials, to gain access to victim networks. This group also exploits supply-chain weaknesses to gain initial access to their target's network and has built custom implants supporting operating systems such as Windows, OS X, Linux, and Android."
DeGrippo adds that the Lazarus group is still very active, saying: "Most recently we profiled the financially motivated arm of the organisation and their work targeting South Korean point-of-sale infrastructure and, separately, cryptocurrency wallets and exchanges. The Lazarus Group also includes both disruption and espionage arms engaged in ongoing efforts worldwide."
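As an added example, not code from the article, the NCA or Proofpoint, the following Python script runs simple defensive triage checks over log lines for three of the behaviours DeGrippo describes: Office and Hancom Word document lures arriving by email, SMB (TCP 445) reachable from outside the network, and repeated failed logins that point to weak credentials. Every log line, host name, address and the key=value field layout is a constructed sample chosen for this example; a real deployment would feed it the equivalent fields from its own mail gateway, firewall and authentication logs.

```python
"""
Constructed triage of mail-gateway, firewall and authentication log lines for
Lazarus-style tradecraft described in the article: document lures, exposed SMB
and credential guessing. All sample data below is made up for illustration.
"""
import ipaddress
import os
import re
from collections import Counter

# Attachment extensions covering the lure types named in the text: Microsoft
# Office documents (macro-capable variants included) and Hancom Word (.hwp).
LURE_EXTENSIONS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx",
                   ".ppt", ".pptx", ".hwp"}
SMB_PORT = 445
FAILED_LOGIN_THRESHOLD = 5  # assumption: five failures from one source is worth a look

# RFC 1918 ranges; used instead of ipaddress.is_private, which also treats the
# documentation ranges used in the samples below (203.0.113.0/24 etc.) as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample logs (not real telemetry).
MAIL_LOG = [
    "mail from=hr@example-partner.test to=finance@corp.test attach=Invoice_Q3.docm",
    "mail from=it@corp.test to=finance@corp.test attach=maintenance.pdf",
    "mail from=recruit@job-offer.test to=dev@corp.test attach=position.hwp",
]
FIREWALL_LOG = [
    "fw action=allow src=203.0.113.45 dst=10.0.0.12 dport=445 proto=tcp",
    "fw action=allow src=10.0.0.20 dst=10.0.0.12 dport=445 proto=tcp",
    "fw action=deny src=198.51.100.7 dst=10.0.0.12 dport=445 proto=tcp",
]
AUTH_LOG = ["auth result=fail user=admin src=10.0.0.99"] * 6 + [
    "auth result=success user=admin src=10.0.0.99",
    "auth result=fail user=jsmith src=10.0.0.50",
]


def parse_kv(line):
    """Parse space-separated key=value pairs from one log line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_internal(ip):
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_lure_attachments(lines):
    """Return (sender, attachment) pairs whose attachment is an Office/Hancom document."""
    hits = []
    for line in lines:
        fields = parse_kv(line)
        attach = fields.get("attach", "")
        if os.path.splitext(attach.lower())[1] in LURE_EXTENSIONS:
            hits.append((fields["from"], attach))
    return hits


def find_external_smb(lines):
    """Return source addresses outside RFC 1918 space that were allowed to reach TCP 445."""
    return [f["src"] for f in map(parse_kv, lines)
            if f.get("action") == "allow" and f.get("dport") == str(SMB_PORT)
            and not is_internal(f["src"])]


def find_credential_guessing(lines, threshold=FAILED_LOGIN_THRESHOLD):
    """Count failed logins per (user, source); report pairs at or above the threshold
    and whether a later success from the same pair followed the failures."""
    failures = Counter()
    success_after_failures = set()
    for fields in map(parse_kv, lines):
        if "result" not in fields:
            continue
        key = (fields["user"], fields["src"])
        if fields["result"] == "fail":
            failures[key] += 1
        elif fields["result"] == "success" and failures[key] > 0:
            success_after_failures.add(key)
    return {key: {"failures": n, "later_success": key in success_after_failures}
            for key, n in failures.items() if n >= threshold}


def triage():
    """Run all three checks over the constructed samples and return the findings."""
    return {
        "document_lures": find_lure_attachments(MAIL_LOG),
        "external_smb": find_external_smb(FIREWALL_LOG),
        "credential_guessing": find_credential_guessing(AUTH_LOG),
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

The three checks are deliberately independent so that each can be pointed at the relevant log source on its own; the credential check records a success following a burst of failures separately, because that combination is the case that deserves an immediate password reset rather than just a note.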