How Gmail and other free email services led US to WannaCry hacking suspect
The justice department has lodged criminal charges against Park Jin Hyok, a North Korean employed by alleged government front company Korean Expo Joint Venture
Washington — Clues found in free email services such as Gmail helped US investigators track down a North Korean hacker charged on Thursday with crimes stemming from the 2014 attack on Sony Pictures Entertainment and the 2017 WannaCry ransomware operation.
The email services were used for routine business as well as for phishing attacks and other crimes by a company identified as the Korean Expo Joint Venture, which is a front group for the North Korean government, according to a justice department complaint filed in Los Angeles on Thursday.
The justice department lodged criminal charges against Park Jin Hyok, a North Korean national who works for the company and allegedly belongs to a group of conspirators known as the Lazarus Group.
The treasury department simultaneously imposed sanctions against Park and his employer.
"The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations," said John Demers, head of the justice department’s national security division.
Sending a resumé
The Korean Expo Joint Venture engaged both in hacking and regular business, working with clients on software and information technology projects and using free email services including Gmail, according to the criminal complaint.
It said a clue that helped investigators break the case came when Park’s purported superior sent his resumé and picture to another company in the course of doing its everyday technology operations.
Investigators accessed about 1,000 email and social media accounts using about 100 search warrants, and used them to piece together a picture of the hackers and their front operation, according to the complaint.
Alphabet’s Google, which operates Gmail, responded to a request for comment by referring to a recent blog post written by Kent Walker, the company’s senior vice-president of global affairs.
Google, Walker wrote, "identifies bad actors, disables their accounts, warns our users about them, and shares intelligence with other companies and law enforcement officials".
Eric Chien, technical director of security response at Symantec, a digital security firm that tracks the Lazarus Group and is cited in the justice department report, said the hackers are likely to pause their activity to retool their email infrastructure.
"The expectation is there will be a bit of a lull, and then they will be right back at it," Chien said in an interview. He said the hackers have "shifted their sights" to cryptocurrency in the past year.
The justice department said the conspirators also commit wire fraud on behalf of the cash-strapped North Korean government.
The Korean Expo Joint Venture operated in China, North Korea and other places, the justice department says in the complaint.
Park, the complaint says, is believed to have returned to North Korea from China in 2014.
The charges and sanctions came amid President Donald Trump’s efforts to negotiate with Kim Jong Un’s regime to give up its nuclear arsenal. But officials underscored that North Korea’s growing cyber offensive capabilities also remain a concern.
"We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions," treasury secretary Steven Mnuchin said. "The United States is committed to holding the regime accountable for its cyber-attacks and other crimes and destabilising activities."
The massive Sony attack was seen at the time as representing a new, aggressive type of hacking operation because it crippled computers, deleted data and released embarrassing internal emails in retaliation for the company’s film, The Interview, a comedy about a CIA plot to kill Kim.
During the 2017 attacks, known as WannaCry, hackers infected computers with malicious software that encrypted data and demanded ransom payments from users before the data would be released.
Park was also cited by US officials as being part of a conspiracy that conducted the fraudulent transfer of $81m from the central bank of Bangladesh in February 2016.
The US government has previously said North Korea was behind the attacks, and North Korea has denied it was involved.