U.S. Presses Criminal Charges and Sanctions against North Korean Cyber Operative

Yesterday, the U.S. Treasury Department sanctioned North Korean computer programmer Park Jin Hyok for malicious state-sponsored cyber activity while the Justice Department unsealed criminal charges against Park for the same actions. These are the first hacking-related charges the U.S. has brought against North Korea since January 2015 when Treasury sanctioned several North Korean entities and individuals in response to the Sony Pictures hack. They arrive at a time when U.S.-North Korean nuclear negotiations are struggling to overcome mutual distrust.

Park Jin Hyok faces sanctions and criminal charges for his role in the WannaCry 2.0 ransomware attack in 2017, the cyber theft of $81 million from Bangladesh Bank in 2016, and the Sony Pictures Entertainment hack in 2014. According to the Justice Department, Park was a member of the state-sponsored hacking team known as the “Lazarus Group” that may be affiliated with the North Korean government’s intelligence agency, the Reconnaissance General Bureau (RGB). The Justice Department also found that Park had worked in Dalian, China from 2010 to 2011 and again from 2013 to 2014. These findings provide more conclusive evidence of North Korean computer programmers and hackers operating in China.

Treasury also designated the IT company for which Park worked, Chosun (or Joseon) Expo Joint Venture, which has offices in both China and North Korea. According to the Justice Department, the designated entity served as a front company for a North Korean state-sponsored hacking unit named Lab 110, which may be part of the RGB. Treasury in turn sanctioned Chosun Expo on the grounds that it is a government-controlled entity.

Earlier this week, South Korea’s state-owned Korea Development Bank reported that Chosun Expo may have developed a cryptocurrency exchange platform. This may be connected to the demand for Bitcoin ransom payments during the 2017 WannaCry attack, in which Park and the Lazarus Group played a role. Additionally, Pyongyang’s cyber operators have frequently targeted South Korean cryptocurrency exchanges.

In addition to generating revenue, North Korea’s cyber capabilities broaden Pyongyang’s asymmetric arsenal. For instance, in 2013, North Korean hackers targeted three South Korean banks with a destructive virus that resulted in damages upwards of $800 million. Similarly, in 2014, the Lazarus Group’s attack destroyed 70 percent of Sony Pictures Entertainment’s computers. These destructive capabilities have alarming implications as they could be leveraged as part of a cyber-enabled economic warfare campaign that targets the U.S. and its allies’ economic vitality.

While it remains unclear if North Korea has either the ability or intent to wage a cyber-enabled economic warfare campaign, the U.S. government’s latest actions comprise a worthwhile step toward confronting this threat. The identification of specific individuals, companies, and units responsible for cyber attacks clarifies the threat more effectively than general attributions of responsibility to the RGB. The Trump administration should build on this momentum with more investigations and sanctions to disrupt Pyongyang’s cyber operations.

Moreover, as diplomacy continues between Washington and Pyongyang, these latest sanctions strengthen Washington’s diplomatic leverage and send Kim Jong Un the appropriate message that Washington will continue to hold the Kim family regime accountable for its misdeeds.

Mathew Ha is a research associate at the Foundation for the Defense of Democracies, focused on North Korea. Follow him on Twitter @Matjunsuk.

Follow FDD on Twitter @FDD and follow FDD’s Center on Sanctions and Illicit Finance @FDD_CSIF. FDD is a Washington-based, nonpartisan research institute focusing on national security and foreign policy.