The US government has formally accused the North Korean government of being behind the Sony Pictures hack, the WannaCry ransomware that crippled the UK's National Health Service and other organizations, and a series of online bank heists including $81m stolen from Bangladesh's national bank.
The state-sponsored attacks were allegedly carried out by a group of North Korean hackers who worked for a front company called Chosun Expo Joint Venture, the FBI and Department of Justice (DoJ) said at a press conference on Thursday.
They named one of the group – called the Lazarus Group by security companies fighting to combat its actions – and put his name, Park Jin Hyok, and face on an FBI Wanted poster, adding that he is now considered a fugitive from justice.
The US will impose additional sanctions against North Korea as a result of the findings of the investigation, a DoJ spokesperson noted.
North Korea has long been suspected – and accused – of having carried out the Sony hack and being behind the WannaCry ransomware but today those accusations were made formal.
A lengthy 179-page affidavit [PDF] from the special agent in charge of the investigation gives an extensive rundown of how the attacks were tracked back to Park Jin Hyok, his hacking group, and eventually the North Korean government.
It details how the group used multiple Gmail accounts and went to some lengths to cover their tracks but left a series of electronic breadcrumbs that ultimately led to the hackers and an email account that North Korean government officials were also seen to be using, making the connection to the government.
Officials stressed the global reach of the hacking group's actions, highlighting that over 100 search warrants were issued along with 85 requests to foreign countries for more information.
"The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations," said John Demers, Assistant Attorney General for National Security.
The group targeted entertainment groups and banks and then used the same code to create the WannaCry ransomware that caused global havoc, including crippling the National Health Service in the UK.
The entertainment groups were targeted because of movies that depict the North Korean government unflatteringly. Sony was responsible for The Interview, a fictionalized assassination of North Korea's leader. Its systems were infiltrated through a spear-phishing attack and then personal emails from senior executives were leaked online, causing immense embarrassment. Copies of upcoming movies, including The Interview, were also placed online.
The investigators revealed that cinema chain AMC was also targeted because it was due to show the film, as well as an unnamed British production company that was also working on a film depicting North Korea.
Numerous efforts to break into banks began in 2015, it was revealed, with the most successful being the removal of $81m from Bangladesh Bank in February 2016. But other attempts were made across the world with "attempted losses well over $1 billion," the complaint notes.
And the rest
And then countless other attempts were made against Western targets, including hospitals, universities, utility companies, defense contractors, Bitcoin currencies and others.
Investigators noted that the same devices, IP addresses and encryption keys were used repeatedly in these attacks and domain names hard-coded into the malware were under the control of the hackers – fancug.com was just one example.
They also discovered that prior to attacks that the hacking team followed and tracked specific individuals at target companies through their social media accounts – effectively engaging in online surveillance – and pulled domain name and business records in an effort to find holes in their systems and figure out the most effective way to spear-phish employees.
In one attack, an email sent to a victim from Facebook alerting them to the fact that their account had been accessed from a different IP address was grabbed by the hackers and then resent with the hyperlink within the email changed from Facebook's website to a domain that they controlled. The victim clicked on what looked like a legitimate link in a legitimate Facebook email and ended up on a webpage that investigators assume installed malware on their computer. Similar efforts were made with Google Drive and any other services that the victims used.
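One defensive check that the resent-notification trick described above suggests: parse a notification email's links and flag any whose host does not belong to the claimed sender. This is an added example, not code from the article or the affidavit; the sender-to-link-domain mapping, the sample message and the placeholder host are assumptions.

```python
# Added example (not from the article): flag notification emails whose links
# point away from the claimed sender, the swap described in the complaint.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a Facebook-style login alert with one rewritten link.
# "attacker.example" is a placeholder host, not an indicator from the case.
SAMPLE_FROM = "notification@facebookmail.com"
SAMPLE_HTML = """
<p>Your account was accessed from a new IP address.</p>
<a href="https://www.facebook.com/settings">Review your settings</a>
<a href="https://attacker.example/login">Secure your account now</a>
"""

# Which link domains a given sender domain is expected to use (assumed list).
EXPECTED_LINK_DOMAINS = {"facebookmail.com": {"facebook.com", "facebookmail.com"}}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive registrable domain (last two labels); adequate for this sample."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_links(sender, html):
    """Return (href, text) for links whose host is not expected for the sender."""
    sender_domain = registrable(sender.split("@")[-1])
    allowed = EXPECTED_LINK_DOMAINS.get(sender_domain, {sender_domain})
    parser = _LinkCollector()
    parser.feed(html)
    return [(h, t) for h, t in parser.links
            if registrable(urlparse(h).hostname or "") not in allowed]
```

A mail gateway or mailbox rule can quarantine or rewrite a message when this check returns anything, which catches the rewritten link even though the rest of the message is a genuine copy.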
The affidavit goes into extensive detail over how the attacks were tracked back through server logs and other pieces of electronic evidence.
The named individual – Park Jin Hyok – often visited China to carry out legitimate computer work, the formal complaint notes, before returning to North Korea to continue his hacking work on behalf of his government. Investigators discovered his CV and tracked his activities.
The US government acknowledged that it is unlikely to get its hands on Park Jin Hyok – his last known location was North Korea and the US does not have an extradition treaty with the dictatorship – but argued it was still important to name him and lodge a formal complaint.
"We have a long memory and are fully prepared for the day when he will be arrested," said a DoJ representative, adding: "It is one thing to name a group and quite another to say we know who did it and name them. The message is: you can't hide from us."
In unrelated news, President Donald Trump unexpectedly praised North Korea's leader just hours before the press conference and the imposition of further sanctions on the country.
"Kim Jong Un of North Korea proclaims 'unwavering faith in President Trump'," the 45th president of the United States tweeted. "Thank you to Chairman Kim. We will get it done together!" ®