How US authorities tracked down the North Korean hacker behind WannaCry

US authorities put together four years worth of malware samples, domain names, email and social media accounts to track down one of the Lazarus Group hackers.
Written by Catalin Cimpanu, Contributor

Park Jin Hyok

On September 6, the US Department of Justice formally charged a North Korean programmer for some of the biggest cyber-attacks in recent years.

According to a 179-page DOJ indictment, the US believes that Park Jin Hyok, a 34-year-old North Korean, is one of the many individuals behind a long string of malware attacks and intrusions, such as:

Also: Free, easy to use, and available to anyone: The powerful malware hiding in plain sight on the open web

The DOJ says Park was an active member of a government-sponsored hacking team known in the private cyber-security sector as the Lazarus Group.

But in reality, officials say, he was also a government employee working for a government-owned company named Chosun Expo Joint Venture (Chosun Expo hereinafter).

Investigators say that Chosun Expo was founded as a joint venture between the South and North Korean governments, and was meant to be an e-commerce and lottery website.

South Korean officials pulled out of the deal, but the North Korean government continued to manage the company through various individuals, branching out in different online services, such as online gaming and gambling. The company had offices in North Korea and China, and Park was sent to work for many years in the company's Chinese office in the city of Dalian.

There, investigators said he worked under titles of "developer" and "online game developer," listing the ability to code in Java, JSP, PHP, Flash, but also Visual C++, the language in which most Lazarus Group malware was written in.

US officials say that the company was only a front and money-making entity for Lab 110, a component of the DPRK military intelligence apparatus. A report published by an organization of North Korean dissidents living in South Korea, cited in the indictment, identified Chosun Expo as providing "cover for North Korean government officers."

Investigators say Park returned to North Korea in late 2014, shortly before the string of Lazarus Group hacks began.

Also: Inside the early days of North Korea's cyberwar factory

The DOJ indictment, one of the largest of its kind in regards to the number of pages, lists a vast array of email addresses used to register domain names and buy hosting services used in all the hacks.

It also includes IP addresses used to access malware command and control (C&C) servers, social media accounts, and hacked servers that hosted malware used in the attacks.

Officials say they identified email and social media accounts Park used while working at Chosun Expo, and email and social media accounts used by Lazarus Group during its four-year hacking spree.

Investigators especially point out a fake persona named "Kim Hyon Woo" that appears to have links either by IP address or email addresses to Lazarus hacking operations and their victims.


But officials say that despite Park's best efforts to not use his real-world persona, emails, and IP addresses for accessing Lazarus Group infrastructure and hacked servers, he eventually slipped up because he left a trail of evidence linking his real-world accounts to the fake middleman persona:

Connections between PARK's Chosun Expo Accounts and 'Kim Hyon Woo' accounts include shared access to an encrypted .rar archive, saving the 'Kim Hyon Woo' accounts in Chosun Expo Accounts' address book, using read receipts between the two sets of accounts, using common names and monikers, and accessing accounts from common IP addresses, among others.

Officials believe that the online accounts associated with the "Kim Hyon Woo" persona were used by multiple operators, and they are confident that Park was one of them.

Furthermore, because of his programming background, they also believe he was involved in the creation of Lazarus Group malware.

Which one, DOJ officials are not sure. But they did point out that there are countless connections between the several malware strains Lazarus Group operators have used across the years.


The DOJ indictment breaks down several of these connections in their indictment. An example:

Both a WannaCry sample and Trojan.Alphanc used IP address as a command-and-control IP address. That IP address was also a command-and-control address for a sample of malware obtained by the FBI that drops a malware payload in a similar way to how other malware that private cyber security companies have attributed to the Lazarus Group, as well as malware that the subjects used to target Lockheed Martin. On February 29 and March 1, 2016, a North Korean IP Address connected to that IP address. [...] Specifically, this North Korean IP address was used to access the Compromised Web Server, on January 8, 2016; on January 22 and 27, 2016, it also connected to a compromised computer in North Carolina that was infected with malware linked to the attack on SPE; and, on March 10, 2016, it was used to access a Facebook profile that previously had been accessed from North Korean IP Address #2 on December 13, 2015.

There are more of these connections detailed in the indictment, and they build a complex mesh that interconnects all the Lazarus Group infrastructure, then leads to the fake Kim Hyon Woo persona, and then to Chosun Expo accounts known to have been previously operated by Park.

And on top of this, there is also the matter of code reuse, which appears to have happened a lot between the different strains of Lazarus Group malware.

Also: How US companies can defend against cyberattacks from state actors TechRepublic

The most common snippet of reused code is what investigators called the "FakeTLS" data table, a portion of code found in multiple Lazarus malware strains, such as WannaCry, MACKTRUCK (SPE hack), NESTEGG (Philippine Bank hack), Contopee (Philippine Bank and the Southeast Asian Bank hacks), and others.

The FakeTLS data table that the FBI and other investigators found appears to be related to what cyber-security firms have previously identified as the "fake TLS" protocol. This is a custom networking protocol designed by the Lazarus Group hackers that's meant to mimic a TLS connection, but actually uses its own custom encryption scheme to hide data stolen from victims while in transit.


Park is charged with one count of conspiracy to commit computer fraud and abuse, which carries a maximum sentence of five years in prison, and one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison. US officials say they are still working to track down the rest of Park's partners in crime.

The US Department of the Treasury has also imposed sanctions on Park and Chosun Expo.

"As a result of today's action, any property or interests in property of the designated persons in the possession or control of U.S. persons or within the United States must be blocked, and U.S. persons generally are prohibited from dealing with the designated persons," the US Department of the Treasury's Office of Foreign Assets Control (OFAC) said today.

The UK National Crime Agency also helped in the investigation.

The worst cyberattacks undertaken by nation-state hackers

Editorial standards