Federal prosecutors in California unveiled charges Thursday against Park Jin Hyok, a North Korean man allegedly involved in the high-profile 2014 hack of Sony Pictures Studios, the $81 million digital bank heist targeting the Bangladeshi central bank in 2016, and last year’s devastating WannaCry ransomware outbreak.
“The complaint charges members of this North Korean-based conspiracy with being responsible for cyberattacks that caused unprecedented economic damage and disruption to businesses in the United States and around the globe,” said First Assistant United States Attorney Tracy Wilkison in a statement. “The scope of this scheme was exposed through the diligent efforts of FBI agents and federal prosecutors who were able to unmask these sophisticated crimes through sophisticated means. They traced the attacks back to the source and mapped their commonalities, including similarities among the various programs used to infect networks across the globe.”
Park, a programmer who graduated from a Pyongyang’s Kim Chaek University of Technology, worked for a North Korean government-owned company called Chosun Expo Joint Venture. He was stationed for a time in Dalian, China, doing non-malicious programming work for paying clients, according to a complaint filed in the case. He returned to North Korea shortly before the Sony hack, according to the complaint. The company, affiliated with North Korean military intelligence, does a mix of state-sponsored hacking and innocuous paid coding work, according to the complaint.
He and other members of the hacking group, sometimes referred to as the Lazarus Group, allegedly sent spear-phishing messages to their victims, often impersonating potential job applicants, and posted links to malware on Facebook and Twitter. They also used bogus Facebook and LinkedIn accounts with names like John Mogabe and Andoson David to conduct “online reconnaissance” for targeting attacks, according to the complaint.
The hackers also allegedly targeted Lockheed Martin with spearphishing emails, but there’s no evidence they actually gained access to the defense contractor’s systems, according to the complaint. In some cases, the hackers allegedly impersonated an unnamed TV journalist, and in others, they impersonated hiring managers at rival defense contractors.
Park and Chosun Expo, also known as Korean Expo Joint Venture, were also targeted with financial sanctions by the U.S. Treasury Department.