Justice Department announces charges against North Korean in 2014 Sony hack

Sony Pictures Entertainment was hacked in 2014. Above, the Sony Pictures Plaza building in Culver City is shown.
(Damian Dovarganes / Associated Press)

Four years ago, an unprecedented cyberattack against Sony Pictures Entertainment riveted national attention by exposing the deepest secrets of a major Hollywood film and television studio, and sparked a national outcry over issues such as computer security and freedom of speech.

In a major development Thursday, the Justice Department unveiled charges against a North Korean national in the massive assault and provided the most detailed account yet of how a foreign operator was able to cripple a major U.S. company and disable thousands of computers worldwide.

The Justice Department’s newly unsealed criminal complaint charges Park Jin Hyok, a computer programmer allegedly working for a front company on behalf of the North Korean government, with staging the attack.

The 172-page document, which is unusually in-depth for a Department of Justice affidavit, paints a picture of what officials called a “wide-ranging conspiracy” that also involved an $81-million heist from Bangladesh Bank and the creation of the 2017 WannaCry ransomware that did significant damage to Britain’s National Health Service.

“In sum, the scope and damage of the computer intrusions perpetrated and caused by the subjects of this investigation, including Park, is virtually unparalleled,” the affidavit stated.


Sony Pictures Entertainment, owned by Japanese tech giant Sony Corp., declined to comment.

North Korea has denied any involvement.

The new charges against Park come at a politically sensitive time for Trump as his bid to improve relations with North Korea — and rein in its nuclear program — are already flailing.

After declaring June’s Singapore summit with Kim Jong Un a historic breakthrough, Trump acknowledged two weeks ago that scant progress has been made toward the goal of denuclearization and he instructed Secretary of State Mike Pompeo to call off an upcoming meeting with Kim.

On Thursday, Trump tweeted about a report that Kim was recommitting to the denuclearization agreement both leaders signed in Singapore. “Kim Jong Un of North Korea proclaims ‘unwavering faith in President Trump,’” he tweeted. “Thank you to Chairman Kim. We will get it done together.”

The Justice Department action could complicate that effort. It was not immediately clear how Trump viewed the charges and he did not speak or tweet about it Thursday. The president has repeatedly criticized his own attorney general and the Justice Department for actions they have taken, or not taken.

The White House did not immediately respond to a request for comment.

Justice Department officials declined to address why they waited until now to unseal the charges, which were filed in June, just days before Trump’s summit with Kim.

They said that the department would usually inform White House and foreign policy officials that they were seeking such charges.

The U.S. Treasury Department also on Thursday announced sanctions against Park and the North Korean government-backed entity.

It’s unlikely Park, whose last known whereabouts are North Korea, will ever be arrested. The United States does not have an extradition treaty with the isolated authoritarian country. Park is charged with one count of conspiracy to commit computer fraud and abuse, and one count of conspiracy to commit wire fraud.

“It’s mainly symbolic,” said Hanley Chew, a cybersecurity expert at law firm Fenwick & West who worked at the Department of Justice for 13 years. “It’s mainly to send a signal to those countries and hacking communities that these are crimes that the government is willing to prosecute.”

Still, the Justice Department complaint is significant because it lays out the most specific evidence to date of the North Korean government’s involvement in illegally infiltrating Sony and other entities. The Department of Justice’s investigation, which is ongoing, traced email and social media accounts used in “phishing” attempts in multiple attacks. They found links among various aliases, encryption codes, proxy services used to disguise locations, and IP addresses in China and North Korea.

One email account used for the hacking activity was also used by government officials conducting business on behalf of North Korea, said First Assistant U.S. Atty. Tracy Wilkison at a news conference.

“Despite their attempts to cover their tracks, and despite the North Korean government’s claims that it was not involved in these crimes, the ... affidavit details evidence that clearly demonstrates that the North Korean subjects, backed by their government were responsible for these crimes,” Wilkison said.

The Sony hack, which became public in November 2014, was a watershed moment for cybersecurity, marking the best-known computer attack against a U.S. company. North Korea allegedly waged the incursion in retaliation for the company’s planned release of “The Interview,” a satirical comedy about North Korean leader Kim Jong Un, which depicts a fictional assassination attempt against him.

The hackers wiped data from the studio’s servers, exposed the personal information of tens of thousands of people, including current and former employees, and revealed embarrassing emails between executives and filmmakers, leading to management shake-ups.

Sony Pictures, based in Culver City, sparked political outrage when it decided to cancel its release of the film after hackers, calling themselves the Guardians of Peace, threatened movie theaters that planned to show it. The company later released the movie online and in a small number of theaters over the Christmas holiday.

“These were not just attacks against computers,” Wilkison said of the hack. “These were attacks against freedom of speech.”

Top U.S. officials quickly named North Korea as the culprit, and in early 2015 said its military’s Reconnaissance General Bureau was responsible for “overseeing” the cyberstrike. But cybersecurity analysts still were skeptical about how a foreign government could break so deeply into a global company’s computer systems and do so much damage without help from the inside. The complaint does not name other individuals involved.

Park allegedly worked for Chosun Expo Joint Venture, a government front company designed to support the country’s malicious cyberactivities, and was part of North Korea’s state-sponsored hacking team “The Lazarus Group,” the Justice Department said.

He was educated at a North Korean University, is proficient in multiple languages and was an experienced computer programmer, working at the front company for more than 10 years. The front company had offices in North Korea and China and provided programming services to clients worldwide.

Hackers broke into Sony’s servers using “spear-phishing” campaigns, in which criminals send emails meant to replicate real people and companies. They sent emails and messages on social media targeted at people in Sony’s network to trick them into clicking on links that let malicious software download onto their computers, giving them unauthorized access to the network.

According to the complaint, one email sent to a Sony employee on Oct. 15, 2014, purported to be from a University of Southern California sophomore claiming to be interested in working at the company. The hackers even tried to target actors in “The Interview” by posting links on their Facebook pages that purported to contain nude photos of A-list celebrities, but actually directed people to malware. The hackers relied on a type of malware known as a “Brambul” worm that crawls from computer to computer, relaying credentials and victim host information.

Hackers used similar tactics to try to break into the network of AMC Theatres, whose multiplexes were expected to show “The Interview.” The conspiracy additionally targeted a British production company that was producing a fictional show about a nuclear scientist taken prisoner in North Korea.

The Trump administration publicly blamed North Korea for launching the WannaCry ransomware attack in December. The May 2017 cyberassault crippled an estimated 300,000 of the 2 billion Windows computers worldwide, slowing factories, canceling surgeries, eating homework assignments and shuttering gas stations.

Rep. Adam Schiff (D-Burbank), the ranking member of the House Permanent Select Committee on Intelligence, said the charges represent an “important step in countering Pyongyang’s state-sponsored use of cyberattacks and cybertheft, and a warning to others tempted to do the same. The United States must continue to name, shame and prosecute those who attack our country.”

Los Angeles Times Staff writer Eli Stokols contributed to this report.


4:30 p.m.: This article was updated with additional details on the DOJ investigation.

2:30 p.m.: This article was updated with comments from the U.S. attorney’s office.

8:45 a.m.: This article was updated throughout with Times staff reporting.

This article was originally published at 8:05 a.m.