Threat Intelligence

9/21/2018
04:50 PM
The 'Opsec Fail' That Helped Unmask a North Korean State Hacker

How Park Jin Hyok, charged by the US government with alleged computer crimes in the Sony, Bank of Bangladesh, and WannaCry cyberattacks, inadvertently blew his cover via email accounts.

Park Jin Hyok and his colleagues at North Korea's infamous, state-sponsored Lazarus Group hacking team moonlighted on the side as programmers and IT support providers for clients while working abroad in China sometime between 2011 and 2013.

Details disclosed on Sept. 6 of the US Department of Justice criminal charges filed against Park, aka Jin Hyok Park and Pak Jin Hek, show how the North Korean hacker appeared to inadvertently blow his cover by using the same email accounts for both his commercial work and his role in major cyberattacks attributed to Lazarus Group, including the hack of Sony Pictures Entertainment and the Central Bank of Bangladesh.

Park worked for Chosun Expo Joint Venture, a company that the DoJ has identified as a front for the North Korean government. One of the Chosun Expo Gmail accounts associated with Kim was also connected to another Gmail account with a similar handle. In addition, that second account was used for spear-phishing, reconnaissance of victims, and researching hacking methods, according to the DoJ filing.

The second Gmail account, under the alias Kim Hyon Woo, was used to set up or access three other email or social media accounts that targeted victims at Sony and Bangladesh Bank. "Although the name 'Kim Hyon Woo' was used repeatedly in various email and social media accounts, evidence discovered in the investigation shows that it was likely an alias or 'cover' name used to add a layer of concealment to the subjects' activities," the filing said.

Using free US email accounts like Gmail and Hotmail left Lazarus Group hackers open to search warrants by US law enforcement, notes Eric Chien, a fellow with Symantec's Security Technology and Response division. There was "a lack of opsec" on Park and his team's part in how they managed those accounts. "And through ... these email addresses, they [the FBI] were able to connect the dots," he says.

FBI investigators discovered connections among various email and social media accounts used by Park, including Facebook.

Park basically blew his cover by "cross-contaminating" his legitimate security work with his work for the North Korean government, Chien says. "Cross-mailing to those email addresses ultimately led to this guy's resume," so US officials even got his photo, he says. "This was pretty amazing."

But Park's alleged activities represent those of just one member of the Lazarus Group team behind the massive 2014 breach and doxing of Sony and the $81 million cybertheft at Bangladesh Bank in 2016, as well as the historic and global WannaCry attack in 2017, among other hacks.

Priscilla Moriuchi, director of strategic threat development at Recorded Future, says Park appears to be an active member of the North Korean hacking team. "Most likely he probably got caught ... because his opsec was not as strong as others" in the group, she says. "They were able to build this case against him based on all the mistakes he made."

The weak opsec isn't surprising when it comes to Lazarus Group, though, Chien says. "When you look at their attacks, a lot were rudimentary in the very beginning. They've definitely evolved and caught up," he says. "But on the flip side, they've always been brazen and unpredictable ... I'm not sure they really care" if they get unmasked, he says.

Park's unmasking only scratches the surface of Lazarus Group members: It's likely the FBI knows more about other members as well, experts say.

"Park was the only individual to whom the DOJ could reliably attribute many of these activities. Many other individuals and teams were involved, making it difficult to comment specifically on Park’s operational security," says Bryan Burns, vice president of threat research & engineering with Proofpoint. "The North Korean government works with many teams and loosely connected individuals who conduct cyberattacks on their behalf. Park was the only individual the DOJ could pinpoint given his extensive and lengthy activity."

Overall, security researchers familiar with North Korean hacking operations say the charges basically reiterated many of the details already known about how Lazarus Group operates and targets its victims. "In a lot of ways, the way they operate that was more explicitly laid out in this [filing] was already well-known," Moriuchi says, such as its uses of MD5 and the group's malware.

But the high volume of indicators of compromise published in the filing was the most eye-popping and illuminating. "For me, it was more interesting, the sheer number of indicators released and how we can build on that from a research perspective to really map out the rest of this group," Moriuchi says. "It was excellent work on behalf of the FBI and who got it declassified."

Park Jin Hyok. Source: FBI

Arrest on Paper
A warrant for Park's arrest was issued on June 8 by the US District Court in Central California, and the filing was unsealed and released by the DoJ last week. He faces one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer intrusion.

But the likelihood that Park will ever set foot in a country with a US extradition agreement is slim, so the DoJ charges and the possible maximum prison sentence of 25 years exist only on paper right now. In a statement last week, FBI director Christopher Wray said the public charges against Park demonstrate the bureau's goal of naming and shutting down malicious hackers.

According to the DoJ, Park allegedly also had a hand in targeted attacks on US defense contractors in 2016 and 2017, including Lockheed Martin, the main contractor for the Terminal High Altitude Area Defense (THAAD) missile defense system in South Korea. Lazarus Group was ultimately unable to penetrate the Lockheed Martin systems, according to the DoJ.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.