Dark Reading | Threat Intelligence

9/21/2018 04:50 PM
The 'Opsec Fail' That Helped Unmask a North Korean State Hacker

How Park Jin Hyok, charged by the US government with computer crimes in connection with the Sony Pictures, Bangladesh Bank, and WannaCry cyberattacks, inadvertently blew his cover through the email accounts he reused.

Park Jin Hyok and his colleagues in North Korea's infamous, state-sponsored Lazarus Group hacking team moonlighted as programmers and IT support providers for paying clients while posted abroad in China sometime between 2011 and 2013.

Details disclosed on Sept. 6 of the US Department of Justice criminal charges filed against Park, aka Jin Hyok Park and Pak Jin Hek, show how the North Korean hacker appears to have inadvertently blown his cover by using the same email accounts for both his commercial work and his role in major cyberattacks attributed to Lazarus Group, including the hack of Sony Pictures Entertainment and the theft from Bangladesh Bank, the country's central bank.

Park worked for Chosun Expo Joint Venture, a company that the DoJ has identified as a front for the North Korean government. One of the Chosun Expo Gmail accounts associated with Park was also connected to another Gmail account with a similar handle. That second account was used for spear-phishing, reconnaissance of victims, and researching hacking methods, according to the DoJ filing.

The second Gmail account, under the alias Kim Hyon Woo, was used to set up or access three other email or social media accounts that targeted victims at Sony and Bangladesh Bank. "Although the name 'Kim Hyon Woo' was used repeatedly in various email and social media accounts, evidence discovered in the investigation shows that it was likely an alias or 'cover' name used to add a layer of concealment to the subjects' activities," the filing said.

Using free US-hosted email services such as Gmail and Hotmail left Lazarus Group hackers exposed to search warrants served by US law enforcement on the providers, notes Eric Chien, a fellow with Symantec's Security Technology and Response division. There was "a lack of opsec" on Park and his team's part in how they managed those accounts. "And through ... these email addresses, they [the FBI] were able to connect the dots," he says.

FBI investigators discovered connections among various email and social media accounts used by Park, including Facebook.

Park basically blew his cover by "cross-contaminating" his legitimate security work with his work for the North Korean government, Chien says. "Cross-mailing to those email addresses ultimately led to this guy's resume," so US officials even got his photo, he says. "This was pretty amazing."
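The "connecting the dots" described above is, mechanically, link analysis: accounts are treated as nodes, and any attribute two accounts share (a recovery address, a login IP, a phone number) is an edge. The following is an added example written for this page, not code from the FBI, the DoJ filing, or any vendor quoted here. All account records, addresses and IPs in it are constructed and hypothetical. It clusters accounts that share infrastructure pivots with a union-find structure, records which pivots tie each pair together (the evidence an investigator would need to cite), and then flags clusters that mix a "commercial" identity with an "operational" one, which is the cross-contamination pattern the article describes. Display names are deliberately not used as a pivot, because a cover name like "Kim Hyon Woo" can be reused by anyone and proves nothing on its own.

```python
"""Link analysis over account records: cluster accounts that share
infrastructure pivots and flag clusters that mix commercial and
operational identities. Example code for this article; sample data
below is constructed, not taken from the DoJ filing."""
from collections import defaultdict
from itertools import combinations

# Hypothetical account records (constructed for illustration).
ACCOUNTS = [
    {"id": "dev.contractor@example.com", "role": "commercial",
     "recovery": "backup1@example.net", "ips": {"203.0.113.10"}, "name": "Park"},
    {"id": "dev.contractor2@example.com", "role": "operational",
     "recovery": "backup1@example.net", "ips": {"203.0.113.10", "198.51.100.7"}, "name": "Kim"},
    {"id": "hr.recruiter@example.org", "role": "operational",
     "recovery": None, "ips": {"198.51.100.7"}, "name": "Kim"},
    {"id": "unrelated@example.com", "role": "commercial",
     "recovery": "other@example.net", "ips": {"192.0.2.44"}, "name": "Lee"},
]


class DisjointSet:
    """Union-find with path halving; enough for a few thousand accounts."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def build_pivots(accounts):
    """Map each pivot (kind, value) to the set of account ids sharing it.
    Only infrastructure attributes are pivots; names are excluded because
    an alias can be reused across unrelated actors."""
    pivots = defaultdict(set)
    for a in accounts:
        if a["recovery"]:
            pivots[("recovery", a["recovery"])].add(a["id"])
        for ip in a["ips"]:
            pivots[("ip", ip)].add(a["id"])
    return pivots


def cluster_accounts(accounts, pivot_kinds=("recovery", "ip")):
    """Return (clusters, evidence): clusters is a sorted list of sorted
    account-id lists; evidence maps each linked pair to the pivots that
    tie them together."""
    ds = DisjointSet(a["id"] for a in accounts)
    evidence = defaultdict(list)
    for (kind, value), ids in build_pivots(accounts).items():
        if kind not in pivot_kinds or len(ids) < 2:
            continue  # a pivot seen on one account links nothing
        for x, y in combinations(sorted(ids), 2):
            ds.union(x, y)
            evidence[(x, y)].append(f"{kind}={value}")
    clusters = defaultdict(set)
    for a in accounts:
        clusters[ds.find(a["id"])].add(a["id"])
    return sorted(sorted(c) for c in clusters.values()), dict(evidence)


def cross_contaminated(accounts, clusters):
    """Clusters whose members carry more than one role: a single operator
    mixing day-job and operational identities."""
    roles = {a["id"]: a["role"] for a in accounts}
    return [c for c in clusters if len({roles[i] for i in c}) > 1]


if __name__ == "__main__":
    clusters, evidence = cluster_accounts(ACCOUNTS)
    for c in clusters:
        print("cluster:", c)
    for pair, pivots in evidence.items():
        print("link", pair, "via", pivots)
    print("cross-contaminated:", cross_contaminated(ACCOUNTS, clusters))
```

On the constructed data the three accounts sharing a recovery address or a login IP collapse into one cluster that contains both a commercial and an operational identity, while the unrelated account stays alone. In practice the pivots come from provider records obtained under warrant, and the evidence map is what turns a cluster into a defensible attribution rather than a guess.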

But Park is just one member of the Lazarus Group team the DoJ holds responsible for the massive 2014 breach and doxing of Sony, the $81 million cybertheft from Bangladesh Bank in 2016, and the global WannaCry attack in 2017, among other hacks.

Priscilla Moriuchi, director of strategic threat development at Recorded Future, says Park appears to be an active member of the North Korean hacking team. "Most likely he probably got caught ... because his opsec was not as strong as others" in the group, she says. "They were able to build this case against him based on all the mistakes he made."

The weak opsec isn't surprising when it comes to Lazarus Group, though, Chien says. "When you look at their attacks, a lot were rudimentary in the very beginning. They've definitely evolved and caught up," he says. "But on the flip side, they've always been brazen and unpredictable ... I'm not sure they really care" if they get unmasked, he says.

Park's unmasking only scratches the surface of Lazarus Group members: It's likely the FBI knows more about other members as well, experts say.

"Park was the only individual to whom the DOJ could reliably attribute many of these activities. Many other individuals and teams were involved, making it difficult to comment specifically on Park’s operational security," says Bryan Burns, vice president of threat research & engineering with Proofpoint. "The North Korean government works with many teams and loosely connected individuals who conduct cyberattacks on their behalf. Park was the only individual the DOJ could pinpoint given his extensive and lengthy activity."

Overall, security researchers familiar with North Korean hacking operations say the charges mostly reiterated details already known about how Lazarus Group operates and targets its victims. "In a lot of ways, the way they operate that was more explicitly laid out in this [filing] was already well-known," Moriuchi says, including the group's malware, which the filing identifies by MD5 hash.

But the high volume of indicators of compromise published in the filing was the most eye-popping and illuminating. "For me, it was more interesting, the sheer number of indicators released and how we can build on that from a research perspective to really map out the rest of this group," Moriuchi says. "It was excellent work on behalf of the FBI and who got it declassified."

[Image: Park Jin Hyok. Source: FBI]

Arrest on Paper
A warrant for Park's arrest was issued on June 8 by the US District Court for the Central District of California, and the filing was unsealed and released by the DoJ last week. He faces one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer intrusion.

But the likelihood that Park will ever set foot in a country with a US extradition agreement is slim, so the DoJ charges and the possible maximum prison sentence of 25 years exist only on paper for now. In a statement last week, FBI director Christopher Wray said the public charges against Park demonstrate the bureau's goal of naming and shutting down malicious hackers.

According to the DoJ, Park allegedly also had a hand in targeted attacks on US defense contractors in 2016 and 2017, including Lockheed Martin, the main contractor for the Terminal High Altitude Area Defense (THAAD) missile defense system in South Korea. Lazarus Group was ultimately unable to penetrate the Lockheed Martin systems, according to the DoJ.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
