The United States Department of Justice has charged a North Korean programmer for taking part in the attacks as part of its strategy to call out nation-state attackers. While there is no chance of US law enforcement ever making the arrest, the complaint is a way for the government to respond to damaging nation-state sponsored attacks.
The DoJ alleged that a programmer named Park Jon Hyok took part in a number of offensive operations as an employee of Chosun Expo Joint Venture, a North Korean e-commerce, online gaming, and gambling company. The DoJ claimed Chosun Expo was a front for the North Korean government and that it handled a mix of state-sponsored hacking and regular paid IT work. Chosun Expo is believed to be affiliated with North Korean military intelligence, the Reconnaissance General Bureau, which oversees North Korean cyber warfare units, Unit 121 and Lab 110.
Despite a federal warrant for Park’s arrest, there is very little chance that Park will be inside of a U.S. courtroom anytime soon. North Korea, despite recent thawing in diplomatic relations, would have no interest in cooperating with U.S. law enforcement. The federal complaint and warrant is part of the Justice Department’s strategy of naming nation-state attackers as a deterrent to other attackers. These legal maneuvers let prospective attackers know their methods and techniques will eventually be exposed. In some circumstances, the warrants and indictments would impede travel, since the individuals would have to be careful to not go somewhere where U.S. law enforcement can reach.
Just this year, the US has indicted Iranian nationals for targeting universities and Russians military intelligence agents in misinformation campaigns.
The complaint is "an important step in making clear to our adversaries that these kinds of criminal activities are unacceptable," Sen. Mark Warner (Va.), the top Democrat on the Senate Intelligence Committee, said in a statement. "It also points to the need for a clearly thought-out and articulated strategy for deterring and punishing state-sponsored cyberattacks.”
For enterprise defenders, the complaint is a treasure trove of details on the tools and methods used in these attacks, including email addresses used to register domain names and buy online services, aliases used to create social media accounts, and types of phishing lures used.
Tit for Tat
The United States isn’t stopping with the DoJ complaint. The Department of Treasury sanctioned Park and Chosun Expo, as well. “We will not allow North Korea to undermine global cybersecurity to advance its interests and generate illicit revenues in violation of our sanctions,” said Treasury Secretary Steven Mnuchin in a statement. “The United States is committed to holding the regime accountable for its cyberattacks and other crimes and destabilizing activities.”
The House of Representatives passed legislation that would name and sanction hackers who help execute nation-state-sponsored attacks. The Senate Foreign Relations Committee has a companion bill.
The sanctions and the legal charges are important because it shows there are consequences to the attack. But it also raises the spectre of what other countries can do in retaliation. The US has always drawn a thin line between espionage–which everyone engages in–and attacks that go after civilian targets and cause damage–that it claims it doesn’t take part in. But if the Justice Department can charge nationals of other countries for breaching US systems, then there is the risk that nation-states may apply their brand of legal justice to Americans working on counterterrorism-espionage campaigns for the US government.
While Park is the only person named in the complaint, the Justice Department said he is “one of many government-backed individuals suspected of being involved.” Investigators said Chosun Expo is also the home to other members of the Lazarus Group, the hacking entity accused of developing the WannaCry ransomware and using the SWIFT banking system to steal from Bangladesh Bank. The investigation is ongoing to identify other members, and the expectation is that future charges will come in time.
“The complaint charges members of this North Korean-based conspiracy with being responsible for cyberattacks that caused unprecedented economic damage and disruption to businesses in the United States and around the globe,” said First Assistant United States Attorney Tracy Wilkison in a statement.