The announcement earlier this month that the US was laying charges against a North Korean man, Park Jin Hyok, for the role he played, according to the FBI, in cyber attacks including the 2014 Sony Pictures hack and last year’s WannaCry virus, has been met with mixed reactions from the cybersecurity and hacker community.
According to the FBI’s investigation, Park is a member of the infamous North Korean hacker unit known as Lazarus Group, thought to be controlled by North Korea’s government intelligence agency, the Reconnaissance General Bureau.
The story is a strange fusion of geopolitics, crime and espionage, and has left the international community struggling with how to respond to North Korean cyber operations. Although there is broad agreement that Lazarus Group should be held responsible for its actions, the debate breaks down over whether those actions should be treated as political, military or purely criminal, and whether it is ethical to hold Park individually accountable for actions he may have had little or no choice in.
Former NSA hacker Jake Williams has called it a human rights issue, saying that the US should be focussing on the North Korean regime rather than targeting an individual living under a violently authoritarian regime.
“When I hacked for the U.S. government, I was following lawful orders in the same way that any other nation’s government hacker is following. I had a choice in my participation in government hacking operations. Those involved in charging Park have a choice about whether to participate in these actions. Park didn’t have a choice. The hacks against Sony (and many others) are definitely wrong, but charging Park (or any other government hacker for that matter) won’t solve the larger problem,” Williams writes.
Many others have welcomed the decision, however, arguing that increasingly aggressive North Korean cyber operations demand a strong response from the West.
“One of the most important steps taken towards achieving effective cyber deterrence is the attribution of attacks and holding the perpetrators accountable, as we witnessed by the announcement of the US Department of Justice,” said Dmitri Alperovitch, chief technology officer and co-founder of cybersecurity company CrowdStrike — which has been tracking Lazarus Group’s operations for a number of years.
It is unlikely that Park (who is presumably somewhere in North Korea and unlikely to be taking a holiday anywhere with an extradition treaty with the US any time soon) will ever see the inside of a US courtroom. However, the indictment itself serves to send an important message both to North Korea and to the international community, according to Shea Cotton, a research associate at the James Martin Centre for Nonproliferation Studies and creator of the North Korea Missile Test Database.
“By filing and releasing that criminal complaint, the US is providing a definitive narrative behind a series of fairly damaging cyber-attacks. I will concede that a criminal complaint may not have been the ideal vehicle for telling that narrative, but I think it’s good enough,” said Cotton.
“It serves as a way for the US to delegitimize certain actions carried out by the DPRK government. In effect, it says to North Korea and other states that the US does not consider cyberattacks like these to be legitimate behaviour of states and so we are going to treat it like we would any other crime.”
Speaking about the spread of influence of North Korean hackers, Alperovitch said “[North Korean] cyber adversaries represent some of the most active and disruptive threat groups today.”
“Their tradecraft continues to grow in sophistication, leveraging cyber capabilities for conducting data exploitation, data destruction, cyber espionage and financially-motivated criminal activity — often costing organizations millions of dollars in damages.”
In addition to the hacking of Sony Pictures, Lazarus Group is also believed to be responsible for the massive WannaCry ransomware attack that crippled computer systems in over 150 countries in 2017, including shutting down hospital IT systems and inflicting an estimated US$8 billion in damages globally.
While causing chaos for enemies in the West may have been a bonus, the main goal for Lazarus Group is making money for the regime. It is believed that the North Korean government relies on a steady stream of revenue from organised crime, in everything from the drug trade to counterfeit currency. Cybercrime is playing an increasingly important role in North Korea’s bottom line, including funnelling money to military projects. The group has hacked banks all over the world, including stealing $81 million from Bangladesh’s central bank in 2016 (they were aiming for a billion, but were caught out by a typo). More recently they have been hitting cryptocurrency exchanges, particularly in South Korea.