Malta Independent

US Authorities track down the WannaCry hacker


US Authorities have this week formally charged a North Korean programmer with some of the largest cyber-attacks of the last few years, including the WannaCry ransomware.

In a 179-page list of charges, the United States has accused the 34-year-old North Korean, Park Jin Hyok, of several cyber-attacks, among them the WannaCry ransomware; the breach of Sony Pictures Entertainment; the Bangladesh Central Bank cyberheist; breaches at the US movie theatre chains AMC Theatres and Mammoth Screen; and hacks of banks all over the world from 2015 to 2018.

According to media reports, the Department of Justice said that Park was an active member of the Lazarus Group, a government-sponsored hacking team well known in the private cyber-security sector. Government officials also say that Park is a government employee working for the Chosun Expo Joint Venture. This venture is said to have been founded jointly by the North and South Korean governments and was intended to run an e-commerce and lottery website.

When the South Korean government pulled out of the venture, the North Korean Government decided to continue running the company, with various individuals branching out into different online services related to gambling and online gaming. Park worked for many years in the company's Chinese office in the city of Dalian, as a software developer and as an online game developer. He was listed as able to code in Java, JSP, PHP, Flash and Visual C++, the language in which most of the Lazarus Group malware was written. According to US officials, the company served as a front for Lab 110, which is part of the military intelligence of the Democratic People's Republic of Korea.

The list of charges presented by the Department of Justice is one of the largest in terms of page count. It lists the various email addresses that were used to register domain names and to buy the hosting services used for the hacks. It also includes the IP addresses used to access the malware command and control servers, the social media accounts, and the hacked servers that were used to host the malware deployed in the cyber-attacks.

The American officials have also identified the email and social media accounts used by Park while working at Chosun Expo and the email and social media accounts used by the Lazarus Group during the period of the cyber-attacks.

From the investigations, which have been ongoing for the last four years, officials found that although Park tried to use fake personas, emails and IP addresses to access the Lazarus Group servers, he still left evidence that pointed back to his real accounts. This included shared access to an encrypted .rar archive, fake-persona accounts saved in the address book of the Chosun Expo accounts, common names reused across different accounts, and access to the accounts from common IP addresses.

From this evidence, the investigators concluded that multiple operators were using the fake persona, and that Park was one of them. Because of his background in programming, it is also believed that he was involved in the creation of the malware.

The list of charges gives several examples of samples in which different malware strains use the same IP addresses, building up a mesh of interconnections within the Lazarus Group infrastructure.
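The attribution method described in the two paragraphs above is infrastructure overlap: accounts and samples that share an IP address, an archive or a reused name get linked, and the links chain together until separate personas collapse into one cluster. The following is an added illustration of that clustering logic, not code from the indictment or from the investigators; the evidence records, account names, archive name and IP addresses (documentation ranges from RFC 5737) are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample evidence, one record per observation:
# (account, attribute type, attribute value). None of these values are real.
SAMPLE_EVIDENCE = [
    ("work_account",      "ip",      "198.51.100.10"),
    ("work_account",      "ip",      "198.51.100.11"),
    ("persona_one",       "ip",      "198.51.100.11"),   # same source IP as work_account
    ("persona_one",       "archive", "shared.rar"),
    ("persona_two",       "archive", "shared.rar"),      # same encrypted archive as persona_one
    ("persona_two",       "name",    "alias_x"),
    ("persona_three",     "name",    "alias_x"),         # reused display name
    ("unrelated_account", "ip",      "203.0.113.5"),     # shares nothing with the others
]


def _find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent, a, b):
    """Merge the clusters containing a and b."""
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def cluster_accounts(evidence):
    """Group accounts that share any infrastructure attribute.

    Returns (clusters, links):
      clusters - list of sorted account lists, one per connected group
      links    - list of (account_a, account_b, "type=value") pairs recording
                 which shared attribute tied two accounts together
    """
    owners = defaultdict(list)   # (type, value) -> accounts observed using it
    parent = {}
    for account, kind, value in evidence:
        parent.setdefault(account, account)
        if account not in owners[(kind, value)]:
            owners[(kind, value)].append(account)

    links = []
    for (kind, value), accounts in owners.items():
        first = accounts[0]
        # Every account that used this attribute is tied to the first one
        # that used it; union-find makes the ties transitive.
        for other in accounts[1:]:
            links.append((first, other, f"{kind}={value}"))
            _union(parent, first, other)

    groups = defaultdict(list)
    for account in parent:
        groups[_find(parent, account)].append(account)
    clusters = sorted(sorted(members) for members in groups.values())
    return clusters, links


if __name__ == "__main__":
    clusters, links = cluster_accounts(SAMPLE_EVIDENCE)
    for i, members in enumerate(clusters, 1):
        print(f"cluster {i}: {', '.join(members)}")
    for a, b, why in links:
        print(f"  {a} <-> {b} via {why}")
```

Run as a script, the example prints two clusters: the work account and all three personas end up in one group because each link (shared IP, shared archive, reused name) bridges to the next, while the unrelated account stays alone. The `links` list is the part an analyst actually needs, since a cluster is only as strong as the weakest pivot that created it; a shared IP on a large NAT or a common archive name would merge unrelated accounts, so each link should be reviewed before the cluster is treated as one operator.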

Park is being charged with conspiracy to commit computer fraud and abuse, which carries a maximum of 5 years in prison. He is also charged with wire fraud, with a maximum sentence of 20 years in prison.

