The Opsec Fail That Helped Unmask a North Korean State Hacker

Published: 23/11/2024   Category: security




How Park Jin Hyok – charged by the US government for alleged computer crimes for the Sony, Bank of Bangladesh, WannaCry cyberattacks – inadvertently blew his cover via email accounts.



Park Jin Hyok and his colleagues at North Korea's infamous, state-sponsored Lazarus Group hacking team moonlighted on the side as programmers and IT support providers for clients while working abroad in China sometime between 2011 and 2013.
Details disclosed on Sept. 6 of the US Department of Justice criminal charges filed against Park, aka Jin Hyok Park and Pak Jin Hek, show how the North Korean hacker appeared to inadvertently blow his cover by using the same email accounts for both his commercial work and his role in major cyberattacks attributed to Lazarus Group, including the hack of Sony Pictures Entertainment and the Central Bank of Bangladesh.
Park worked for Chosun Expo Joint Venture, a company that the DoJ has identified as a front for the North Korean government. One of the Chosun Expo Gmail accounts associated with Kim was also connected to another Gmail account with a similar handle. In addition, that second account was used for spear-phishing, reconnaissance of victims, and researching hacking methods, according to the DoJ filing.
The second Gmail account, under the alias Kim Hyon Woo, was used to set up or access three other email or social media accounts that targeted victims at Sony and Bangladesh Bank. "Although the name Kim Hyon Woo was used repeatedly in various email and social media accounts, evidence discovered in the investigation shows that it was likely an alias or cover name used to add a layer of concealment to the subject's activities," the filing said.
Using free US email accounts like Gmail and Hotmail left Lazarus Group hackers open to search warrants by US law enforcement, notes Eric Chien, a fellow with Symantec's Security Technology and Response division. "There was a lack of opsec on Park and his team's part in how they managed those accounts. And through ... these email addresses, they [the FBI] were able to connect the dots," he says.
FBI investigators discovered connections among various email and social media accounts used by Park, including Facebook.
"Park basically blew his cover by cross-contaminating his legitimate security work with his work for the North Korean government," Chien says. "Cross-mailing to those email addresses ultimately led to this guy's resume, so US officials even got his photo," he says. "This was pretty amazing."
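The cross-contamination Chien describes is, at bottom, an account-linkage problem: any attribute reused across two personas (a recovery address, a login source, one account listed as the recovery contact of another) merges them into a single cluster. The script below is an added illustration and is not code from the article, from Symantec or from the DoJ filing; every account, handle, address and IP in it is constructed sample data, and the linkage logic (a disjoint-set union over shared attributes) is an assumption about how such pivoting can be modelled, not a description of the FBI's actual method.

```python
"""Added example: how reuse of an attribute across separately held accounts
collapses two personas into one cluster. All records are constructed."""
from collections import defaultdict


class DisjointSet:
    """Minimal union-find keyed by account id."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


# Constructed sample records (hypothetical). Attributes are prefixed by type.
# A recovery address that points at another account is recorded as
# "addr:<email>" so it matches that account's own address attribute.
SAMPLE_ACCOUNTS = [
    {"id": "dev.work@mail.example", "persona": "commercial programmer",
     "attrs": {"handle:devwork", "recovery:+00-555-0100",
               "login_ip:198.51.100.5"}},
    {"id": "devwork2@mail.example", "persona": "spear-phishing sender",
     "attrs": {"handle:devwork2", "recovery:+00-555-0100",
               "login_ip:198.51.100.5"}},
    {"id": "alias.kh@social.example", "persona": "social-media lure",
     "attrs": {"handle:alias_kh", "addr:devwork2@mail.example"}},
    {"id": "unrelated@mail.example", "persona": "unrelated user",
     "attrs": {"handle:unrelated", "recovery:+00-555-0999",
               "login_ip:192.0.2.44"}},
]


def account_attributes(record):
    """Every account is also reachable by its own address, so a recovery
    address pointing at it becomes a shared attribute."""
    return set(record["attrs"]) | {f"addr:{record['id']}"}


def cluster_accounts(records):
    """Return (clusters, bridges): clusters is a list of sets of account ids
    that share at least one attribute transitively; bridges maps each
    attribute seen on more than one account to the accounts it links."""
    ds = DisjointSet()
    owners = defaultdict(set)
    for rec in records:
        ds.find(rec["id"])  # register even attribute-free accounts
        for attr in account_attributes(rec):
            owners[attr].add(rec["id"])
    bridges = {}
    for attr, ids in owners.items():
        if len(ids) > 1:
            bridges[attr] = ids
            first = next(iter(ids))
            for other in ids:
                ds.union(first, other)
    clusters = defaultdict(set)
    for rec in records:
        clusters[ds.find(rec["id"])].add(rec["id"])
    return sorted(clusters.values(), key=lambda s: sorted(s)), bridges


def linked_personas(records, cluster):
    """Personas that collapse together once their accounts are linked."""
    return {r["persona"] for r in records if r["id"] in cluster}


if __name__ == "__main__":
    clusters, bridges = cluster_accounts(SAMPLE_ACCOUNTS)
    for cluster in clusters:
        print(sorted(cluster), "->", sorted(linked_personas(SAMPLE_ACCOUNTS, cluster)))
    for attr, ids in sorted(bridges.items()):
        print("bridge", attr, "links", sorted(ids))
```

Note that the two merely similar handles (`devwork` and `devwork2`) are not treated as a link; exact reuse of a recovery number, a login source and a recovery address does the merging, which is why a "similar handle" is an analyst lead while a shared attribute is the evidence that collapses the personas.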
But Park's alleged activities represent those of just one of the members of the Lazarus Group team behind the 2014 massive breach and doxing of Sony and the $81 million cybertheft at Bangladesh Bank in 2016, as well as the historic and global WannaCry attack in 2017, among other hacks.
Priscilla Moriuchi, director of strategic threat development at Recorded Future, says Park appears to be an active member of the North Korean hacking team. "Most likely he probably got caught ... because his opsec was not as strong as others in the group," she says. "They were able to build this case against him based on all the mistakes he made."
The weak opsec isn't surprising when it comes to Lazarus Group, though, Chien says. "When you look at their attacks, a lot were rudimentary in the very beginning. They've definitely evolved and caught up," he says. "But on the flip side, they've always been brazen and unpredictable ... I'm not sure they really care if they get unmasked," he says.
Park's unmasking only scratches the surface of Lazarus Group members: it's likely the FBI knows more about other members as well, experts say.
"Park was the only individual to whom the DOJ could reliably attribute many of these activities. Many other individuals and teams were involved, making it difficult to comment specifically on Park's operational security," says Bryan Burns, vice president of threat research & engineering with Proofpoint. "The North Korean government works with many teams and loosely connected individuals who conduct cyberattacks on their behalf. Park was the only individual the DOJ could pinpoint given his extensive and lengthy activity."
Overall, security researchers familiar with North Korean hacking operations say the charges basically reiterated many of the details already known about how Lazarus Group operates and targets its victims.
"In a lot of ways, the way they operate that was more explicitly laid out in this [filing] was already well-known," Moriuchi says, such as its uses of MD5 and the group's malware.
But the high volume of indicators of compromise published in the filing was the most eye-popping and illuminating. "For me, it was more interesting, the sheer number of indicators released and how we can build on that from a research perspective to really map out the rest of this group," Moriuchi says. "It was excellent work on behalf of the FBI and who got it declassified."
Arrest on Paper
A warrant for Park's arrest was issued on June 8 by the US District Court in Central California, and the filing was unsealed and released by the DoJ last week. He faces one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer intrusion.
But the likelihood that Park will ever set foot in a country with a US extradition agreement is slim, so the DoJ charges and possible maximum prison sentence of 25 years exist only on paper right now. In a statement last week, FBI director Christopher Wray said the publicly named charges against Park demonstrate the bureau's goal of naming and shutting down malicious hackers.
According to the DoJ, Park allegedly also had a hand in targeted attacks on US defense contractors in 2016 and 2017, including Lockheed Martin, the main contractor for the Terminal High Altitude Area Defense (THAAD) missile defense system in South Korea. Lazarus Group was ultimately unable to penetrate the Lockheed Martin systems, according to the DoJ.
