North Korean 'spy' charged over NHS cyber attack

Dave Lee
North America technology reporter

Image source, Getty Images
Image caption,
The US and UK said in December that North Korea was responsible for the malware attack

US prosecutors have charged a North Korean man alleged to have been involved in creating the malicious software used to cripple the UK’s National Health Service.

The 2017 incident left NHS staff reverting to pen and paper after being locked out of computer systems.

Park Jin Hyok is said to be linked to the Lazarus Group.

The hacking collective is also blamed for the hack on Sony Pictures in 2014.

The US Department of Justice alleged the North Korean-backed cyber group had caused major damage.

"The scale and scope of the cyber-crimes alleged by the complaint is staggering and offensive to all who respect the rule of law and the cyber norms accepted by responsible nations,” said the Assistant Attorney General for National Security, John Demers.

“The complaint alleges that the North Korean government, through a state-sponsored group; robbed a central bank and citizens of other nations; retaliated against free speech in order to chill it half a world away; and created disruptive malware that indiscriminately affected victims in more than 150 other countries, causing hundreds of millions, if not billions, of dollars’ worth of damage.”

North Korea routinely denies being involved in hack attacks attributed to them.

Mr Park is charged with one count of conspiracy to commit computer fraud and abuse, and wire fraud.

Prosecutors said Mr Park was believed to be in North Korea.

"North Korea won't be handing over this guy any time soon," said Martyn Williams, a North Korea observer and journalist.

"So it likely won't mean much on that level, but it is a symbolic step for the US government to take.

"It helps put meat on the bones of the numerous reports that said North Korea was responsible and is a relatively rare move for the US government."

Fake emails

The attribution of cyber-attacks is often very difficult because of the ability of skilled hackers to hide their tracks.

The 180-page complaint document goes into detail about why US prosecutors believe Mr Park was heavily involved in the targeted action. It attempts to join the dots by linking various social media aliases with email accounts later used to target those in the financial and entertainment industries.

The document includes screenshots of fake emails designed to look like legitimate notes from Facebook, prompting a user to "simply log in again" to verify an account. Following the link would bring the victim to a spoof site designed to covertly collect their credentials.

Another example was a screenshot of an email from a "college student" seeking to send her resume to a Sony Pictures executive - the accompanying link brought the victim to a malicious site.

Not all of the group's work was successful, however. The FBI said it had found evidence of a failed attempt to gain access to defence contractor Lockheed Martin.

British police assisted the FBI with its investigation.

"The collaboration between UK and US law enforcement has been strong and effective," said Steve Rodhouse, head of operations at the National Crime Agency.

"And these charges show that we will not tire in our efforts to identify those who believe they can hide behind a computer and cause havoc across the world, regardless of their motivation or status."

Media caption,
Technology explained: what is ransomware?