U.S. unseals criminal complaint against North Korean programmer for cyberattacks and intrusions

By Bruce Zagaris
September 14, 2018

This article was originally published in the International Enforcement Law Reporter, www.ielr.com, a highly respected publication covering issues in criminal law, financial crime and more. It is reprinted with the kind permission of attorney, financial crime expert, and ACFCS Advisory Board member Bruce Zagaris. Originally published in the International Enforcement Law Reporter, Volume 4, Issue 8. Republished with permission and appreciation.

On September 6, 2018, the U.S. government announced the unsealing of a criminal complaint filed in the U.S. District Court for the Central District of California (Los Angeles) charging Park Jin Hyok (aka Jin Hyok Park and Pak Jin Hek), a North Korean citizen, with participating in a conspiracy to conduct multiple destructive cyberattacks around the world, resulting in damage to massive amounts of computer hardware and the significant loss of data, money and other resources.

According to the complaint, Park participated in a government-sponsored hacking team known as the “Lazarus Group” and worked for a North Korean government front company, Chosun Expo Joint Venture (aka Korea Expo Joint Venture or “KEJV”), to support the DPRK government’s malicious cyber actions.

The conspiracy’s malicious activities include the creation of the malware used in the 2017 WannaCry 2.0 global ransomware attack; the 2016 theft of $81 million from Bangladesh Bank; the 2014 attack on Sony Pictures Entertainment (SPE); and various other attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.

Simultaneously, Treasury Secretary Steven Mnuchin announced that the Treasury’s Office of Foreign Assets Control (OFAC) designated Park and KEJV under Executive Order 13722 based on the malicious cyber and cyber-enabled activity alleged in the criminal complaint.

The complaint charges Park with one count of conspiracy to commit computer fraud and abuse, for which there is a maximum sentence of five years in prison, and one count of conspiracy to commit wire fraud, for which there is a maximum sentence of 20 years in prison.

Park was a computer programmer and worked for more than a decade for KEJV, which had offices in China and N. Korea. It is affiliated with Lab 110, a part of N. Korean military intelligence.

The conspiracy also engaged in malicious cyber activities, utilizing spear-phishing campaigns, destructive malware attacks, exfiltration of data, theft of funds from bank accounts, ransomware extortion, and propagating “worm” viruses to create botnets.

The complaint describes several of the conspiracy’s alleged malicious cyber activities, both successful and unsuccessful, and in the U.S. and abroad, focusing in particular on four specific examples as follows:

  • In November 2014, the destructive attack on Sony Pictures Entertainment (SPE) in retaliation for the movie “The Interview,” a farcical comedy that depicted the assassination of the N. Korean leader.
  • In February 2016, the conspiracy stole $81 million from Bangladesh Bank, accessing the bank’s computer terminals that interfaced with the SWIFT communication system and then sending fraudulently authenticated SWIFT messages directing the Federal Reserve Bank of NY to transfer funds from Bangladesh to accounts in other Asian countries.
  • In 2016 and 2017, the conspiracy targeted various U.S. defense contractors, including Lockheed Martin, with spear-phishing emails.
  • In May 2017, a ransomware attack known as WannaCry 2.0 infected hundreds of thousands of computers around the world, causing extensive damage, including significantly impacting the UK’s National Health Service.

In connection with the unsealing of the criminal complaint, the FBI and prosecutors furnished cybersecurity providers and other private sector partners detailed information on accounts used by the conspiracy in order to help these partners in their own independent investigative activities and disruptive efforts.