
A computer programmer accused of working at the behest of the North Korean government was charged on Thursday in connection with several high-profile cyberattacks, including the Sony Pictures Entertainment hack and the WannaCry ransomware virus that affected hundreds of thousands of computers worldwide.

Park Jin Hyok, who is believed to be in North Korea, conspired with others to conduct a series of attacks that also stole US$81-million from a bank in Bangladesh, according to the Justice Department’s criminal complaint. The United States believes he was working for a North Korean-sponsored hacking organization.

The U.S. government has previously said North Korea was responsible for the 2014 Sony hack. That attack led to the release of a trove of sensitive personal information about Sony employees, including Social Security numbers, financial records, salary information, as well as embarrassing e-mails among top executives. The hack included four yet-to-be-released Sony films, among them Annie, and one that was in theatres, the Brad Pitt film Fury, and cost the company tens of millions of dollars.

The FBI had long suspected North Korea was also behind last year’s WannaCry cyberattack, which used malware to scramble data at hospitals, factories, government agencies, banks and other businesses across the globe.

“This was one of the most complex and longest cyberinvestigations the department has taken,” said John Demers, assistant attorney-general for national security.

U.S. officials believe the Sony hack was retribution for The Interview, a comedy film that starred Seth Rogen and James Franco and centred on a plot to assassinate North Korea’s leader, Kim Jong Un. Sony cancelled the theatrical release of the film amid threats to moviegoers but released it online through YouTube and other sites.

A Sony spokeswoman declined comment on Thursday. Attempts by The Associated Press to reach the alleged hacker were not immediately successful. Two Gmail addresses identified by the FBI in the complaint were listed as disabled.

Among the e-mails released in the hack was an exchange between Amy Pascal, then co-chairman of the studio, and The Social Network producer Scott Rudin where they joked about what might be then-president Barack Obama’s favourite movies, listing 12 Years a Slave and films by black comedian Kevin Hart.

The pair apologized. Ms. Pascal left her job months later.

In addition to targeting Sony, hackers sent spear-phishing e-mails to employees at AMC Theaters, which had planned to screen the movie, and to a British company producing a fictional television series about a scientist taken prisoner in North Korea, authorities said.

The hackers used the same aliases and accounts from the Sony attack when they sent spear-phishing e-mails to several U.S. defence contractors, including Lockheed Martin and others in South Korea, officials said.

The criminal complaint, filed in Los Angeles, alleges the hackers committed several attacks from 2014 until 2018. The investigation is continuing.

“The criminal conduct outlined in this case is intolerable,” said Tracy Wilkison, the first assistant U.S. attorney in Los Angeles. “The North Korean-backed conspiracy attempted to crush freedom of speech in the U.S. and the U.K. It robbed banks around the world. And it created indiscriminate malware that paralyzed computers and disrupted the delivery of medical care.”

Cybersecurity experts have said portions of the WannaCry program used the same code as malware previously distributed by the hacker collective known as the Lazarus Group, which is believed to be responsible for the Sony hack.

The indictment said that Mr. Park was on a team of programmers employed by an organization called Chosun Expo that operated out of Dalian, China, and that the FBI described as “a government front company.”

A North Korea-registered website bearing that company’s name described Chosun Expo as the country’s “first internet company,” saying it was established in 2002 and employed 20 young graduates from institutions including Kim Il Sung University, Kimcheon Industrial University and Pyongyang Art University.

A 2015 version of the company’s website said it focused on gaming, gambling, e-payments and image-recognition software. It looked in many ways like a typical tech company, boasting of its “pioneering” IT talent and customer satisfaction. By July, 2016, internet archival records show, the company dropped the reference to North Korea from its home page.

Sometime later, the site vanished from the web.

E-mails sent to Chosun Expo’s generic e-mail address and to the website’s original registrant, whose name was given as Won Sun Chol, went unreturned.

It is the first time the Justice Department has brought criminal charges against a hacker said to be from North Korea. In recent years the department has charged hackers from China, Iran and Russia in hopes of publicly shaming other countries for sponsoring cyberattacks on U.S. corporations.

In 2014, for instance, the Obama administration charged five Chinese military hackers with a series of digital break-ins at American companies, and last year, the Justice Department charged Russian hackers with an intrusion at Yahoo Inc.

The Treasury Department also added Park Jin Hyok’s name to its sanctions list, which prohibits banks that do business in the U.S. from providing accounts to him or Chosun Expo.

It is unlikely that he will be extradited because the U.S. has no formal relations with North Korea and the North Korean government was not notified about the charges.

Associated Press
