Cyber Brief: DOJ's Park Jin Hyok Criminal Complaint and North Korean Cyber Operations

United States of America v. Park Jin Hyok, aka "Jin Hyok Park," aka "Pak Jin Hek," Criminal Complaint

The United States Department of Justice today unsealed a criminal complaint (here) and arrest warrant for North Korean hacker Park Jin Hyok detailing his involvement in numerous cyber operations attributed to the Lazarus Group. Details in this document will likely advance the public’s understanding of how North Korea’s Reconnaissance General Bureau (RGB) conducts operations in cyberspace. In this posting the Cyber Vault presents a selection of documents intended to represent public understanding of the topic at the time of the criminal complaint’s release.​

 

Documents

 

Office of the Director of National Intelligence, Remarks as delivered by DNI James R. Clapper on "National Intelligence, North Korea, and the National Cyber Discussion" at the International Conference on Cyber Security. January 7 2015. Unclassified.

In this speech, Clapper uses an anecdote about a trip to North Korea to argue that a form of cyber deterrence would be appropriate for increasing the cost of North Korean cyber operations. 

Kaspersky Lab, Lazarus Under the Hood, 2017. Not classified.

This report focuses on a group (Lazarus) whose cyber activities go back at least to 2009, and whose malware has been discovered in a number of serious cyber attacks (including the 2014 intrusion into the Sony Pictures computer system in 2014 and a 2013 cyber espionage campaign in South Korea). It reports on the results of the lab's forensic investigations in two geographically dispersed banks.

James R. Clapper, Marcel Lettre, Admiral Michael S. Rogers, Joint Statement for the Record to the Senate Armed Services Committee, "Foreign Cyber Threats to the United States," January 5, 2017. Unclassified.

In their joint statement, the DNI, Under Secretary Defense for Intelligence, and the Director of NSA/Commander, U.S. Cyber Command discuss a variety of consequences of cyber threats - physical, commercial, psychological consequences - as cyber policy, diplomacy, and warfare. In addition, the statement discusses a number of cyber threat actors - nation states (Russia, China, North Korea, Iran), terrorists, and criminals - and responses to cyber threats.

Robin L. Kelly and James A. Himes, U.S. Congress, Letter to Secretary Steven T. Mnuchin, April 6, 2017. Unclassified.

In this letter to the Secretary of the Treasury, two members of Congress note recent reports that the Lazarus group, a hacking operation linked to the North Korean regime, had targeted banks in 18 different countries. In addition to providing more information about North Korean hacking activities, the authors request a briefing on Treasury Department interaction with private sector organizations to counter such activities.

Federal Bureau of Investigation, "Indicators Associated with WannaCry Ransomware," May 13, 2017. Unclassified.

This FBI report provides a summary and technical details with regard to the WannaCry ransomware campaign. It also recommends steps for prevention and remediation.

U.S. Computer Emergency Readiness Team, Alert (TA17-164A), HIDDEN COBRA - North Korea's DDoS Botnet Infrastructure, June 13, 2017. Unclassified.

This alert - intended to help cyber defenders detect malicious cyber activity conducted by the North Korean government (designated HIDDEN COBRA) - contains indicators of compromise, malware descriptions, and network signatures.

Congressional Research Service, North Korean Cyber Capabilities: In Brief, August 3, 2017. Unclassified.

This report surveys North Korea's cyber capabilities, offers potential motivations for North Korea's strategy, and examines four case studies.

National Audit Office of the United Kingdom, Investigation: WannaCry Cyber Attack and the NHS, October 27, 2017. Unclassified.

This report examines the impact of WannaCry on the health sector of the United Kingdom, why the health sector was affected, and the effectiveness of the response.