The Trump administration on Thursday disclosed new intelligence information on North Korean cyber attacks, including the attack on Sony, theft of $81 million from a Bangladesh bank, and attempted hacking of defense contractor Lockheed Martin.
The leader behind the North Korean cyber activities was identified in a criminal complaint as Park Jin Hyok, head of a North Korean government hacking cell that also carried out the ransomware attack known as WannaCry, and hacks against U.S. defense contractors, university faculty, technology companies, virtual currency exchanges, and U.S. electric utilities.
Park operated with a team of North Korean government hackers mainly from Dalian, China, at a North Korean front company called Chosen Expo Joint Venture, a computer programming and information technology company that did work for clients around the world.
"In sum, the scope and damage of the computer intrusions perpetrated and caused by the subjects of this investigation, including Park, is virtually unparalleled," said FBI Agent Nathan P. Shields in an affidavit submitted to a federal magistrate in Los Angeles.
The North Korean hackers also targeted defense contractor Lockheed Martin in an apparent bid to gain information about the Terminal High Altitude Area Defense, or THAAD, anti-missile system that was slated for deployment in South Korea.
"Evidence collected by the FBI indicates that spear-phishing emails were sent to various employees of defense contractors at various times through 2016 and 2017, at least some of which contained explicit references to THAAD," the complaint states.
The FBI alerted Lockheed to the hacking attempt and said there is no evidence any company information was compromised.
Other aerospace companies in the United States and Israel were also targeted in the spear-phishing email attempts.
The Sony hack took place in November 2014 and coincided with the release of the comedy film The Interview. It was aimed at preventing the movie company from releasing the film, which included unflattering portrayals of North Korean dictator Kim Jong Un.
The cyber attack included the theft of unreleased films and documents revealing salaries of film stars and sensitive company communications. The attack also damaged Sony's computer network, costing millions of dollars to repair.
The complaint revealed that the same North Koreans behind the Sony hack carried out the theft in February 2016 of $81 million from the state-owned Bangladesh Bank. It was the largest successful cyber heist of a financial institution.
The North Koreans also attempted similar online bank thefts between 2015 and 2018, worth an estimated $1 billion, which were unsuccessful.
Separately, the Treasury Department announced the imposition of financial sanctions on Park, who was named a specially designated national, a category designed to make it illegal for any dollar-based financial institution to conduct business with him.
Park, 34, used several aliases and worked for Chosen Expo, first in China and later in North Korea. The company is affiliated with the North Korean government hacking unit called Lab 110.
"We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions," Treasury Secretary Steven Mnuchin said in a statement.
"The United States is committed to holding the regime accountable for its cyber attacks and other crimes and destabilizing activities."
"This group’s actions are particularly egregious as they targeted public and private industries worldwide – stealing millions of dollars, threatening to suppress free speech, and crippling hospital systems," FBI Director Christopher Wray said. "We’ll continue to identify and illuminate those responsible for malicious cyberattacks and intrusions, no matter who or where they are."
On Capitol Hill, Sen. Ben Sasse (R., Neb.) praised the action.
"Good. It's been four years since North Korea's petty little despot hacked Sony Pictures because he didn't like a movie that a free and open society produced," Sasse said.
"It’s been a year and half since he launched a ransomware attack that hit hundreds of thousands of computers across the globe," he added. "Kim showed the world both how small he was and how capable his cyber soldiers can be. Cyber war gives outsized opportunities to North Korea and it's important to push back."
Park was charged with conspiracy to commit wire fraud. It was not disclosed where he is located. However, he is presumed to be in North Korea.
Park and other co-conspirators conducted the cyber attacks from North Korea, China, and other places, according to court documents.
The sanctions block any assets in the United States and prohibit financial transactions with Park or his front company.
"North Korea has demonstrated a pattern of disruptive and harmful cyber activity that is inconsistent with the growing consensus on what constitutes responsible state behavior in cyberspace," Treasury said in announcing the sanctions.
"Our policy is to hold North Korea accountable and demonstrate to the regime that there is a cost to its provocative and irresponsible actions."
Investigators were able to track down the hackers by tracing their origin to a block of some 1,024 internet protocol (IP) addresses assigned to North Korea.
The hackers used a piece of malware called the Brambul worm, which allowed them to hop between multiple computers infected by the malware.
Also used were "proxy" internet services that allowed the North Koreans to obscure their identities.
The methods used in the attacks included pre-attack reconnaissance – penetrating networks and studying their architecture – and spear phishing, the use of fraudulent emails to trick computer users into clicking on a malicious Internet link.
The sophisticated operation involved the use of false websites for Facebook and Google to fool unsuspecting computer users into downloading malware that gave the North Koreans access.
Regarding the movie The Interview, the FBI said the North Koreans stole a copy of the film but, instead of releasing it on the internet, the copy was "rendered inoperable" in a bid to prevent its release.
Other stolen Sony films were released on the internet.
The bank cyber heist in Bangladesh involved transferring the funds to accounts in the Philippines, from which they were then laundered through multiple bank accounts, a money remitting business, and casino junkets.
Regarding the WannaCry ransomware attack that disrupted computer networks around the world, the complaint states that forensic analysis linked that attack to the hackers who carried out the Sony and Bangladesh Bank attacks and the targeting of U.S. defense contractors.
The front company linked to the North Korean hacking, Chosen Expo, was originally a joint venture between North Korea and South Korea created under a Korean e-commerce and lottery website.
South Korea eventually pulled out of the venture, and North Korea continued operating the company, which is known to supply various items and services, including software and gambling-related products.