Federal prosecutors in Los Angeles announced criminal charges Thursday against a North Korean national who allegedly led multiple government-sponsored cyberattacks, including the 2014 hacking of Sony Pictures Entertainment that led to the release of thousands of studio emails and financial documents.
Park Jin Hyok, a computer programmer whose whereabouts were not immediately known, worked for a company known as Korea Expo Joint Venture, which prosecutors contend is a front for a North Korean government-led hacking operation. In addition to the attack on Sony — which was in retaliation for the studio’s release of the comedy “The Interview,” about a fictional assassination plot against North Korean leader Kim Jong-un — the hacking team also allegedly orchestrated the 2016 theft of $81 million from Bangladesh Bank and created the WannaCry 2.0 ransomware virus, according to the U.S. Attorney’s Office.
The criminal complaint against Park was filed June 8 — four days prior to the meeting between U.S. President Donald Trump and Kim in Singapore — in U.S. District Court in Los Angeles, but was publicly announced Thursday at a press conference downtown. Prosecutors allege Park was a member of a hacking team known as the “Lazarus Group” that engaged in so-called “spear-phishing” hacks, malware attacks, bank account thefts, ransomware extortion and the spreading of “worm” viruses.
“Members of the conspiracy are responsible for some of the most damaging and well-known computer intrusions in history — including the cyberattack targeting Sony Pictures, the cyberheist from Bangladesh Bank and creating the WannaCry ransomware,” First Assistant U.S. Attorney Tracy Wilkison said.
“Despite their attempts to cover their tracks — and despite the North Korean government’s claims that it was not involved in the attacks — the 172-page affidavit details evidence that clearly demonstrates that the North Korean subjects, backed by their government, were responsible for these crimes,” Wilkison said.
Park allegedly worked with the Korea Expo Joint Venture for more than a decade. Prosecutors said the firm had offices in China and North Korea and was affiliated with “Lab 110,” an arm of North Korean military intelligence.
The Sony cyberattack in 2014 was attributed at the time to a group calling itself “Guardians of Peace.” The hackers demanded that Sony cancel the release of “The Interview,” starring Seth Rogen and James Franco, and threatened violence against theaters that showed the film, prompting many cinemas to cancel engagements of the movie. Sony eventually opted not to release the film in theaters, releasing it instead via digital downloads.
The hackers made public thousands of emails of Sony executives, including some embarrassing and racially insensitive exchanges that ultimately led to the resignation of studio head Amy Pascal.
Park is charged with one count of conspiracy to commit computer fraud and abuse, which carries a maximum five-year prison sentence, and one count of conspiracy to commit wire fraud, with a sentence of up to 20 years in prison.
Park’s age and whereabouts were not immediately known, but officials said they believe he had recently visited China. While there is no extradition treaty between the U.S. and North Korea, the Justice Department “has a long arm and a long memory,” Wilkison said.
The multi-year investigation, which involved interviews of more than 200 people and some 85 formal requests for evidence and information from foreign countries, exposed the conspiracy by tracing the attacks and mapping their commonalities, including similarities among the various computer programs used to infect networks across the globe, Wilkison said.
The U.S. Attorney’s Office said that the FBI identified a narrow band of IP addresses assigned to North Korea — and traced to some of the attacks — which Park and his associates used to access their email and social media accounts.
“One email account used by the conspirators for malicious cyber activity was also used by North Korean government officials to conduct business on behalf of North Korea,” Wilkison alleged.
Along with Sony Pictures, two other entertainment companies were targeted around the same time. Hackers sent spear-phishing messages to employees of the AMC Theatres chain — which was planning to screen “The Interview” across the country — seeking unauthorized access to sensitive information. A U.K. company that was producing a fictional series involving a British nuclear scientist taken prisoner in North Korea was also hit by the same email campaign, federal prosecutors said.
“These were not just attacks against computers — they were attacks against freedom of speech,” Wilkison said.
The indictment further alleges that Park and his associates developed the WannaCry ransomware virus that spread throughout the world last year, causing serious damage to thousands of computers, including at Britain’s National Health Service.
Also Thursday, the U.S. Department of the Treasury’s Office of Foreign Assets Control announced sanctions blocking any dealings with Park and KEJV.
“We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions,” Treasury Secretary Steven Mnuchin said in a statement. “The United States is committed to holding the regime accountable for its cyber-attacks and other crimes and destabilizing activities.”