FBI fingers the Norks it wants to pinch for Sony hack, WannaCry attacks

Cruel Kim's alleged cyber-crew outed in rap sheet

The US government has formally accused the North Korean government of being behind the Sony Pictures hack, the WannaCry ransomware that crippled the UK's National Health Service and other organizations, and a series of online bank heists including $81m stolen from Bangladesh's national bank.

The state-sponsored attacks were allegedly carried out by a group of North Korean hackers who worked for a front company called Chosun Expo Joint Venture, the FBI and Department of Justice (DoJ) said at a press conference on Thursday.

They named one member of the group (known as the Lazarus Group to the security companies that track it) and put his name, Park Jin Hyok, and face on an FBI Wanted poster, adding that he is now considered a fugitive from justice.

The US will impose additional sanctions against North Korea as a result of the findings of the investigation, a DoJ spokesperson noted.

North Korea has long been suspected – and accused – of having carried out the Sony hack and being behind the WannaCry ransomware but today those accusations were made formal.

A lengthy 179-page affidavit [PDF] from the special agent in charge of the investigation gives an extensive rundown of how the attacks were traced back to Park, his hacking group, and eventually the North Korean government.

It details how the group used multiple Gmail accounts and went to some lengths to cover their tracks, but left a series of electronic breadcrumbs that ultimately led investigators to the hackers and to an email account that North Korean government officials were also seen using, which made the connection to the government.


Officials stressed the global reach of the hacking group's actions, highlighting that over 100 search warrants were issued along with 85 requests to foreign countries for more information.

"The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations," said John Demers, Assistant Attorney General for National Security.

The group targeted entertainment companies and banks, and then reused the same code in the WannaCry ransomware that caused global havoc, including crippling the National Health Service in the UK.

The entertainment companies were targeted because of movies that depict the North Korean government unflatteringly. Sony was responsible for The Interview, a film about a fictional assassination of North Korea's leader. Its systems were infiltrated through a spear-phishing attack, and personal emails from senior executives were then leaked online, causing immense embarrassment. Copies of upcoming movies, including The Interview, were also posted online.

The investigators revealed that cinema chain AMC was also targeted because it was due to show the film, as well as an unnamed British production company that was also working on a film depicting North Korea.

Numerous attempts to break into banks began in 2015, the complaint reveals, the most successful being the theft of $81m from Bangladesh Bank in February 2016. Other attempts were made around the world, with "attempted losses well over $1 billion," the complaint notes.

And the rest

And then countless other attempts were made against Western targets, including hospitals, universities, utility companies, defense contractors, cryptocurrency businesses and others.

Investigators noted that the same devices, IP addresses and encryption keys were used repeatedly across these attacks, and that domain names hard-coded into the malware were under the hackers' control; fancug.com was just one example.
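The attribution logic in that paragraph is an infrastructure-overlap pivot: two intrusions that share a control domain, a source IP or a key are treated as the work of one crew. The following is an added example of that pivot, not code from the affidavit or from The Register. Only fancug.com is named on the page; every other indicator below is a constructed placeholder (RFC 5737 test addresses, example.* domains, made-up key fingerprints), and the "noisy" allowlist is an assumed list of indicators too generic to link anyone.

```python
"""Link separate intrusions through shared infrastructure indicators.

Added example, not from the affidavit or The Register. The indicator sets are
constructed for illustration: only fancug.com appears on the page; the other
domains, IPs and key fingerprints are placeholders.
"""
from collections import defaultdict
from itertools import combinations

# Constructed incident -> indicator sets. Each indicator carries a type prefix
# so that an IP string can never collide with a domain of the same text.
INCIDENTS = {
    "incident-a": {"domain:fancug.com", "ip:203.0.113.10", "key:sha256:aaaa1111"},
    "incident-b": {"domain:fancug.com", "ip:198.51.100.7", "key:sha256:bbbb2222",
                   "ip:8.8.8.8"},
    "incident-c": {"ip:203.0.113.10", "domain:update.example.net"},
    "incident-d": {"domain:cdn.example.org", "ip:192.0.2.55", "ip:8.8.8.8"},
}

# Assumed allowlist: indicators shared by everyone (public resolvers, CDNs)
# that must not be used as evidence of a common operator.
NOISY = frozenset({"ip:8.8.8.8"})


def shared_indicators(incidents, noisy=frozenset()):
    """Return {(incident1, incident2): shared indicators} for every pair that
    overlaps on at least one non-noisy indicator."""
    links = {}
    for a, b in combinations(sorted(incidents), 2):
        common = (incidents[a] & incidents[b]) - noisy
        if common:
            links[(a, b)] = common
    return links


def cluster_incidents(incidents, noisy=frozenset()):
    """Union-find over the overlap graph: incidents joined, directly or
    transitively, by shared infrastructure end up in one cluster."""
    parent = {name: name for name in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in shared_indicators(incidents, noisy):
        parent[find(a)] = find(b)

    groups = defaultdict(set)
    for name in incidents:
        groups[find(name)].add(name)
    return sorted(sorted(g) for g in groups.values())


def indicator_index(incidents):
    """Reverse index (the pivot table): indicator -> incidents it appears in,
    keeping only indicators seen in more than one incident."""
    index = defaultdict(set)
    for name, inds in incidents.items():
        for ind in inds:
            index[ind].add(name)
    return {ind: sorted(names) for ind, names in index.items() if len(names) > 1}


if __name__ == "__main__":
    for pair, common in shared_indicators(INCIDENTS, NOISY).items():
        print(pair, sorted(common))
    print("clusters (noisy filtered):", cluster_incidents(INCIDENTS, NOISY))
    print("clusters (unfiltered):   ", cluster_incidents(INCIDENTS))
    print("pivots:", indicator_index(INCIDENTS))
```

With the noisy allowlist applied, incidents a, b and c cluster together through fancug.com and 203.0.113.10 while d stands alone; without it, the shared public resolver 8.8.8.8 would drag d into the same cluster, which is exactly the false pivot the allowlist exists to prevent.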


They also discovered that, before each attack, the hacking team followed and tracked specific individuals at target companies through their social media accounts, effectively conducting online surveillance, and pulled domain name and business records in an effort to find holes in their systems and work out the most effective way to spear-phish employees.

In one attack, a genuine email sent to a victim by Facebook, alerting them that their account had been accessed from a different IP address, was obtained by the hackers and resent with the hyperlink inside it changed from Facebook's website to a domain they controlled. The victim clicked what looked like a legitimate link in a legitimate Facebook email and ended up on a webpage that investigators assume installed malware on their computer. Similar lures were built around Google Drive and other services the victims used.
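Because the lure is a real notification with only the href swapped, sender-side checks alone do not catch it; the tell is that the link's destination no longer matches the brand the message claims to be from, or the address shown in the link text. The following is an added example of that content check, not code from the affidavit or from The Register. The message is constructed, the attacker host "fb-security-check.example.net" is a placeholder, and TRUSTED_DOMAINS is an assumed allowlist of domains this sender legitimately links to.

```python
"""Audit the links in a notification e-mail for destinations that do not match
the brand the message claims to come from.

Added example, not from the affidavit or The Register. The message and the
host fb-security-check.example.net are constructed; TRUSTED_DOMAINS is an
assumed allowlist for the sender.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lure: a genuine-looking alert whose first link has been rewritten
# to an attacker host. The visible text still reads facebook.com, which is all
# the victim sees.
SAMPLE_EML = """\
From: Facebook <security@facebookmail.com>
To: victim@example.com
Subject: Your account was accessed from a new IP address
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone logged in to your account from a new location.</p>
<p><a href="https://fb-security-check.example.net/login">https://www.facebook.com/settings/security</a></p>
<p><a href="https://www.facebook.com/help">Help Center</a></p>
</body></html>
"""

# Assumed allowlist of registrable domains this sender legitimately links to.
TRUSTED_DOMAINS = {"facebook.com", "facebookmail.com", "fb.com"}

_DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name. Naive: it ignores multi-label public
    suffixes such as co.uk; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_in_text(text):
    """Host name the visible link text appears to name, or None."""
    if "://" in text:
        return urlsplit(text).hostname
    stripped = text.strip().lower()
    return stripped if _DOMAIN_RE.fullmatch(stripped) else None


def audit_links(raw_eml, trusted_domains):
    """Return one finding per anchor whose destination is outside the trusted
    domains or disagrees with the host shown in its own link text."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = AnchorCollector()
    collector.feed(body.get_content())
    findings = []
    for href, text in collector.anchors:
        dest_host = urlsplit(href).hostname or ""
        dest_domain = registered_domain(dest_host)
        reasons = []
        if dest_domain not in trusted_domains:
            reasons.append(f"destination {dest_host} is outside trusted domains")
        shown_host = host_in_text(text)
        if shown_host and registered_domain(shown_host) != dest_domain:
            reasons.append(f"text shows {shown_host} but href goes to {dest_host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EML, TRUSTED_DOMAINS):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the constructed message, the rewritten link is flagged twice (untrusted destination and text/href mismatch) while the untouched Help Center link passes. This inspects only link destinations; whether the message really came from the claimed sender is a separate question for SPF, DKIM and DMARC, which a resent copy of a genuine notification may or may not fail depending on how it was injected.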

The affidavit goes into extensive detail on how the attacks were traced back through server logs and other pieces of electronic evidence.

The named individual, Park Jin Hyok, often visited China to carry out legitimate computer work, the formal complaint notes, before returning to North Korea to continue hacking on behalf of his government. Investigators found his CV and tracked his activities.

Long memory

The US government acknowledged that it is unlikely to get its hands on Park Jin Hyok, since his last known location was North Korea and the US has no extradition treaty with the dictatorship, but argued it was still important to name him and lodge a formal complaint.

"We have a long memory and are fully prepared for the day when he will be arrested," said a DoJ representative, adding: "It is one thing to name a group and quite another to say we know who did it and name them. The message is: you can't hide from us."

In unrelated news, President Donald Trump unexpectedly praised North Korea's leader just hours before the press conference and the imposition of further sanctions on the country.

"Kim Jong Un of North Korea proclaims 'unwavering faith in President Trump'," the 45th president of the United States tweeted. "Thank you to Chairman Kim. We will get it done together!" ®

Biting the hand that feeds IT © 1998–2022