Feds Charge North Korean Cyber-Operative In Sony Hack, Ransomware Attack

Sep 6, 2018
Originally published on September 13, 2018 2:15 pm

Updated at 6:09 p.m. ET

The Justice Department announced charges Thursday against a North Korean man in connection with a series of infamous cyberattacks, including the 2014 hack of Sony Pictures Entertainment and the WannaCry ransomware that paralyzed computers across the globe.

Park Jin Hyok was part of a hacking group that conducted some of the most destructive recent online attacks in the world, according to a criminal complaint unsealed Thursday.

The malicious activities attributed to Park and his group include the cybertheft of $81 million from the Bangladesh Bank.

"The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations," said Assistant Attorney General for National Security John C. Demers.

The charges were announced as President Trump and his administration negotiate with North Korea to end its nuclear program. It was not immediately clear what effect they might have on those diplomatic efforts — whether, for example, North Korean strongman Kim Jong Un might walk away.

Statement of the charges

Park, 34, worked for a North Korean government front company called the Korea Expo Joint Venture, according to the complaint. But the Justice Department alleges that Park was in fact a member of a hacking team known as the "Lazarus Group," which is says is sponsored by the North Korean government.

Park faces charges that include conspiracy to commit wire fraud. His last known location was North Korea, according to U.S. officials, which means he is unlikely to ever stand trial in the United States.

Still, the allegations against him relate to two of the most destructive cyberattacks in recent years.

The 2014 hack against Sony took place ahead of the studio's release of "The Interview," a comedy about a CIA plot to assassinate North Korean leader Kim.

The hackers stole a cache of emails, which were later publicly released to the embarrassment of studio executives. They also destroyed much of Sony's computer infrastructure.

The Obama administration officially blamed North Korea for the attack and imposed sanctions against the country, but the Park charges are the first brought over the intrusion.

The WannaCry 2.0 attack, meanwhile, took place in 2017 and was stunning in its scale and speed. In essence, WannaCry locked more than 300,000 computers in some 150 countries worldwide and demanded money from victims in order to be unlocked.

It hit the British health care sector particularly hard, compromising computer systems at hospitals and causing chaos for patients and providers.

The attack exploited a vulnerability in old Microsoft Windows software. That vulnerability appears to trace back to a cache of cyber-weapons stolen from the National Security Agency.

Why charge those who won't be tried?

The charges against Park continue a strategy by the U.S. government to generate detailed, legally admissible cases against foreign cyber-attackers even though they're unlikely to see the inside of a U.S. courtroom.

The government also has charged or indicted Russian, Chinese and Iranian hackers.

The charges are seen as one tool the U.S. government can use to try to impose consequences for these sorts of cyberattacks.

"Things will never get better unless there are penalties," said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, D.C.

Lewis added that the U.S. still hasn't figured out what all of those penalties should be.

Senate intelligence committee vice chairman Mark Warner, D-Va., hailed the strategy on Thursday but said Washington has more work ahead in determining ways to try to prevent big cyberattacks before the fact.

"This indictment is the result of years of hard work by the FBI and the Department of Justice, and it is an important step in making clear to our adversaries that these kinds of criminal activities are unacceptable," Warner said. "It also points to the need for a clearly thought-out and articulated strategy for deterring and punishing state-sponsored cyberattacks."

The Trump administration did impose other punitive measures on Park and his employer on Thursday: the Treasury Department says it has sanctioned him and Korea Expo Joint Venture.

Potential effect on nuclear talks

The charges against Park were announced as the Trump administration's nuclear talks with North Korea have sputtered to a near standstill.

On Thursday, the State Department said the new U.S. special envoy for North Korea, Stephen Biegun, will head to the region next week to try to push the negotiations forward.

Before the charges were announced, North Korean's leader Kim reportedly told South Korean officials that he remains committed to denuclearization and still has faith in Trump.

Trump responded on Twitter, thanking Kim for his kind words and promising they will "get it done together."

It's unclear whether the charges against Park will register in those talks. Pyongyang could seize on them--or ignore them, depending on its broader intentions.

"North Koreans will always use whatever they can to their advantage," said Jean Lee, the director of the Korea program at the Wilson Center.

She noted that earlier this year, Pyongyang ignored the State Department's accusation that North Korea was behind the 2017 assassination of Kim's half-brother.

"There was no major fallout then," Lee said. "North Korea is strategic about what it responds to."

Copyright 2019 NPR. To see more, visit https://www.npr.org.


The Justice Department announced charges today against a North Korean man for his alleged role in a string of cyberattacks in the last few years. Perhaps the most notable of those attacks is the one on Sony Pictures back in 2014. NPR justice reporter Ryan Lucas is following this and joins us now with more. Hi, Ryan.


SHAPIRO: First tell us about the suspect.

LUCAS: Well, he's a 34-year-old North Korean computer programmer named Park Jin Hyok. The Justice Department unsealed a criminal complaint against him today. It accuses him of being part of this hacking conspiracy that had a global scale. And it was carried out, according to the Justice Department, on behalf of the North Korean government. It says he worked for a front company but was in fact part of a team of hackers known as the Lazarus Group. And that group carried out cyberattacks against computer networks across the world.

SHAPIRO: What specific attacks does the Justice Department allege he was involved in?

LUCAS: Well, it's an extensive list. It involves attacks against financial institutions, entertainment companies and others. But there are three really big attacks worth talking about. One is the Sony Pictures attack in 2014 that you mentioned earlier. That was in retaliation for a movie that the studio was putting out called "The Interview." You may remember it.


LUCAS: Comedy about a CIA plot to assassinate North Korean leader Kim Jong Un. Hackers stole emails from the studio, released those to the public, to the great embarrassment of Sony executives, and they also damaged Sony's computer systems.

SHAPIRO: And the Obama administration blamed North Korea for that but never actually charged anyone. What else did this hacker allegedly do?

LUCAS: Well, the second is the attempted cybertheft of around $1 billion from Bangladesh Bank. The hackers ultimately were able to make off with a mere $81 million. And then lastly there's something called the WannaCry ransomware attack that was in 2017. That was malware that basically hijacked computers, encrypted all the data on them, demanded money from the victims to unlock the computers, to give them access back to them. This was an indiscriminate attack. This was a really big deal. It infected hundreds of thousands of computers in about 150 countries. And the British National Health Service in particular and hospitals there were hit particularly hard.

SHAPIRO: Yeah, that's a really striking track record for one hacker. This is not the first time the Justice Department has brought charges against a state-backed foreign hacker. Is there any indication that it's actually preventing more people from doing this?

LUCAS: That's a really good question. Park's last known location is North Korea. He's unlikely to face trial in the U.S. at any point in time. And that's been the case with really most of the other charges that the U.S. has brought against alleged state-sponsored hackers. And U.S. officials will acknowledge that, but they say that the government has a long memory. The long arm of U.S. law can sometimes pluck these people from other countries if they travel to the wrong place.

But beyond that, experts say that there's also this sense kind of inside the U.S. government that there have to be consequences for these sorts of cyberattacks. There have to be consequences to try to deter them from happening in the future. And also, experts and U.S. officials say that, for example, China hated it when the U.S. charged Chinese military officials back in 2014 with hacking and say that the Chinese still complain about that. But it's an open question what exactly consequences are going to look like. But again, this is just one tool in kind of the government's toolbox.

SHAPIRO: And briefly, do you expect this to have any impact on the effort to negotiate a nuclear deal with North Korea?

LUCAS: Well, there's been no comment so far from North Korea about the charges. But North Korea's very strategic about what they respond to. They may ignore this if they view that that is in their interests, or they may pounce on it and take a swipe at the U.S. But we've had kind of warm words in the past day or so from Kim Jong Un and President Trump, so maybe there will be momentum back in those talks.

SHAPIRO: NPR's Ryan Lucas, thanks.

LUCAS: Thank you. Transcript provided by NPR, Copyright NPR.