The 'Opsec Fail' That Helped Unmask a North Korean State Hacker

How Park Jin Hyok - charged by the US government for alleged computer crimes for the Sony, Bank of Bangladesh, WannaCry cyberattacks - inadvertently blew his cover via email accounts.

Park Jin Hyok and his colleagues at North Korea's infamous, state-sponsored Lazarus Group hacking team moonlighted on the side as programmers and IT support providers for clients while working abroad in China sometime between 2011 and 2013.

Details of the US Department of Justice criminal complaint against Park, aka Jin Hyok Park and Pak Jin Hek, unsealed on Sept. 6, show how the North Korean hacker appears to have inadvertently blown his cover by using the same email accounts for both his commercial work and his role in major cyberattacks attributed to Lazarus Group, including the hack of Sony Pictures Entertainment and the Central Bank of Bangladesh.

Park worked for Chosun Expo Joint Venture, a company that the DoJ has identified as a front for the North Korean government. One of the Chosun Expo Gmail accounts associated with Park was also connected to another Gmail account with a similar handle, and that second account was used for spear-phishing, reconnaissance of victims, and researching hacking methods, according to the DoJ filing.

The second Gmail account, under the alias Kim Hyon Woo, was used to set up or access three other email or social media accounts that targeted victims at Sony and Bangladesh Bank. "Although the name 'Kim Hyon Woo' was used repeatedly in various email and social media accounts, evidence discovered in the investigation shows that it was likely an alias or 'cover' name used to add a layer of concealment to the subjects' activities," the filing said.

Using free US email accounts like Gmail and Hotmail left Lazarus Group hackers open to search warrants by US law enforcement, notes Eric Chien, a fellow with Symantec's Security Technology and Response division. There was "a lack of opsec" on Park and his team's part in how they managed those accounts. "And through ... these email addresses, they [the FBI] were able to connect the dots," he says.

FBI investigators discovered connections among various email and social media accounts used by Park, including Facebook.

Park basically blew his cover by "cross-contaminating" his legitimate security work with his work for the North Korean government, Chien says. "Cross-mailing to those email addresses ultimately led to this guy's resume," so US officials even got his photo, he says. "This was pretty amazing."
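The "connecting the dots" that Chien describes is, mechanically, a pivot on shared selectors: two accounts that reuse a handle, a recovery address, a phone number or a login IP collapse into one cluster, and one such link between a "commercial" persona and an "operational" persona is enough to join them. The script below is an added example written for this page, not code from the article, the FBI or the DoJ filing; every account, handle, address and IP in it is constructed and hypothetical, and the selector names are assumptions, not fields from the complaint.

```python
"""Account linkage by shared selectors (added example; all data constructed).

Models how an investigator pivots between accounts: accounts that share a
selector (reused handle, recovery address, login IP, phone) end up in one
cluster. A cluster that mixes personas is the 'cross-contamination' the
article describes; the bridging selector is the specific opsec failure.
"""
import copy
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Selector types an analyst would pivot on (assumed names, not from the filing).
PIVOT_SELECTORS = ("handle", "recovery", "login_ip", "phone")

# Constructed sample accounts. 'persona' is the identity the operator intended
# each account to belong to; it is NOT used as a pivot selector.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "dev.freelance@example-mail.test": {
        "persona": "commercial", "handle": "dev.freelance",
        "recovery": "backup.mail@example-mail.test", "login_ip": "203.0.113.10"},
    "dev.freelance.work@example-mail.test": {
        "persona": "commercial", "handle": "dev.freelance",   # reused handle
        "login_ip": "203.0.113.10"},
    "k.hw.ops@example-mail.test": {
        "persona": "operational", "handle": "k.hw.ops",
        "recovery": "backup.mail@example-mail.test",   # the opsec fail: shared recovery
        "login_ip": "198.51.100.7"},
    "k.hw.social@social.test": {
        "persona": "operational", "handle": "k.hw.ops", "login_ip": "198.51.100.7"},
    "unrelated.user@example-mail.test": {
        "persona": "unrelated", "handle": "unrelated.user", "login_ip": "192.0.2.44"},
}


def build_selector_index(accounts: Dict[str, Dict[str, str]]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (selector_type, value) -> set of account ids carrying that value."""
    index: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for account_id, attrs in accounts.items():
        for sel in PIVOT_SELECTORS:
            if sel in attrs:
                index[(sel, attrs[sel])].add(account_id)
    return index


def link_accounts(accounts: Dict[str, Dict[str, str]]) -> List[Set[str]]:
    """Connected components over the 'shares a selector' relation (iterative DFS)."""
    index = build_selector_index(accounts)
    seen: Set[str] = set()
    clusters: List[Set[str]] = []
    for start in accounts:
        if start in seen:
            continue
        cluster: Set[str] = set()
        stack = [start]
        while stack:
            acct = stack.pop()
            if acct in cluster:
                continue
            cluster.add(acct)
            for sel in PIVOT_SELECTORS:
                if sel in accounts[acct]:
                    stack.extend(index[(sel, accounts[acct][sel])] - cluster)
        seen |= cluster
        clusters.append(cluster)
    return clusters


def opsec_violations(accounts: Dict[str, Dict[str, str]]) -> List[Set[str]]:
    """Clusters containing more than one persona: each lets an analyst pivot across identities."""
    return [c for c in link_accounts(accounts)
            if len({accounts[a]["persona"] for a in c}) > 1]


def bridging_selectors(accounts: Dict[str, Dict[str, str]], cluster: Set[str]) -> List[Tuple[str, str, List[str]]]:
    """Selector values shared across personas inside a cluster: the links an analyst would cite."""
    bridges = []
    for (sel, value), members in build_selector_index(accounts).items():
        personas = {accounts[m]["persona"] for m in members & cluster}
        if len(personas) > 1:
            bridges.append((sel, value, sorted(personas)))
    return sorted(bridges)


def without_selector(accounts: Dict[str, Dict[str, str]], account_id: str, selector: str) -> Dict[str, Dict[str, str]]:
    """Copy of the account set with one selector removed, to test whether a link was the bridge."""
    fixed = copy.deepcopy(accounts)
    fixed[account_id].pop(selector, None)
    return fixed


if __name__ == "__main__":
    for cluster in opsec_violations(ACCOUNTS):
        print("mixed-persona cluster:", sorted(cluster))
        for sel, value, personas in bridging_selectors(ACCOUNTS, cluster):
            print(f"  bridge: {sel}={value} joins {personas}")
    fixed = without_selector(ACCOUNTS, "k.hw.ops@example-mail.test", "recovery")
    print("violations after compartmentalizing the recovery address:", opsec_violations(fixed))
```

Run as-is, the four persona accounts collapse into one cluster through the single shared recovery address, while the unrelated account stays separate; drop that one selector and the commercial and operational clusters no longer touch. The same pass works on whatever selectors a real dataset exposes, and the check to add to a compartmentalization review is simply "does any cluster contain more than one persona".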

But Park is only one member of the Lazarus Group team behind the massive 2014 breach and doxing of Sony, the $81 million cybertheft from Bangladesh Bank in 2016, and the historic global WannaCry attack in 2017, among other hacks.

Priscilla Moriuchi, director of strategic threat development at Recorded Future, says Park appears to be an active member of the North Korean hacking team. "Most likely he probably got caught ... because his opsec was not as strong as others" in the group, she says. "They were able to build this case against him based on all the mistakes he made."

The weak opsec isn't surprising when it comes to Lazarus Group, though, Chien says. "When you look at their attacks, a lot were rudimentary in the very beginning. They've definitely evolved and caught up," he says. "But on the flip side, they've always been brazen and unpredictable ... I'm not sure they really care" if they get unmasked, he says.

Park's unmasking only scratches the surface of Lazarus Group members: It's likely the FBI knows more about other members as well, experts say.

"Park was the only individual to whom the DOJ could reliably attribute many of these activities. Many other individuals and teams were involved, making it difficult to comment specifically on Park’s operational security," says Bryan Burns, vice president of threat research & engineering with Proofpoint. "The North Korean government works with many teams and loosely connected individuals who conduct cyberattacks on their behalf. Park was the only individual the DOJ could pinpoint given his extensive and lengthy activity."

Overall, security researchers familiar with North Korean hacking operations say the charges largely reiterated details already known about how Lazarus Group operates and targets its victims. "In a lot of ways, the way they operate that was more explicitly laid out in this [filing] was already well-known," Moriuchi says, such as the group's malware and the MD5 hashes associated with it.

But the high volume of indicators of compromise published in the filing was the most eye-popping and illuminating. "For me, it was more interesting, the sheer number of indicators released and how we can build on that from a research perspective to really map out the rest of this group," Moriuchi says. "It was excellent work on behalf of the FBI and who got it declassified."

Arrest on Paper

A warrant for Park's arrest was issued on June 8 by the US District Court in Central California, and the filing was unsealed and released by the DoJ last week. He faces one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer intrusion.

But the likelihood that Park will ever set foot in a country with a US extradition agreement is slim, so the DoJ charges and the possible maximum prison sentence of 25 years exist only on paper for now. In a statement last week, FBI director Christopher Wray said the public charges against Park demonstrate the bureau's goal of naming and shutting down malicious hackers.

According to the DoJ, Park allegedly also had a hand in targeted attacks on US defense contractors in 2016 and 2017, including Lockheed Martin, the main contractor for the Terminal High Altitude Area Defense (THAAD) missile defense system in South Korea. Lazarus Group was ultimately unable to penetrate the Lockheed Martin systems, according to the DoJ.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
