PARK JIN HYOK, Also Known As ("Aka") "Jin Hyok Park," Aka "Pak Jin Hek," Case Fl·J 18 - 1 4 79

PARK JIN HYOK, Also Known As ("Aka") "Jin Hyok Park," Aka "Pak Jin Hek," Case Fl·J 18 - 1 4 79

AO 91 (Rev. 11/11) Criminal Complaint UNITED STATES DISTRICT COURT for the RLED Central District of California CLERK U.S. DIS RICT United States ofAmerica JUN - 8 ?018 [ --- .. ~- ·~".... ~-~,..,. v. CENT\:y'\ l i\:,: ffl1G1 OF__ CAUFORN! BY .·-. ....-~- - ____D=E--..... PARK JIN HYOK, also known as ("aka") "Jin Hyok Park," aka "Pak Jin Hek," Case fl·J 18 - 1 4 79 Defendant. CRIMINAL COMPLAINT I, the complainant in this case, state that the following is true to the best ofmy knowledge and belief. Beginning no later than September 2, 2014 and continuing through at least August 3, 2017, in the county ofLos Angeles in the Central District of California, the defendant violated: Code Section Offense Description 18 U.S.C. § 371 Conspiracy 18 u.s.c. § 1349 Conspiracy to Commit Wire Fraud This criminal complaint is based on these facts: Please see attached affidavit. IBJ Continued on the attached sheet. Isl Complainant's signature Nathan P. Shields, Special Agent, FBI Printed name and title Sworn to before ~e and signed in my presence. Date: ROZELLA A OLIVER Judge's signature City and state: Los Angeles, California Hon. Rozella A. Oliver, U.S. Magistrate Judge Printed name and title -:"'~~ ,4G'L--- A-SA AUSAs: Stephanie S. Christensen, x3756; Anthony J. Lewis, x1786; & Anil J. Antony, x6579 REC: Detention Contents I. INTRODUCTION .....................................................................................1 II. PURPOSE OF AFFIDAVIT ......................................................................1 III. SUMMARY................................................................................................3 IV. TERMINOLOGY.......................................................................................7 V. INFRASTRUCTURE ..............................................................................13 A. North Korean Computer Networks .............................................13 B. The “Brambul” Worm ...................................................................14 C. Use of a Proxy Service ..................................................................16 D. Dynamic DNS (DDNS) .................................................................17 VI. TARGETING TECHNIQUES USED .....................................................19 A. Reconnaissance.............................................................................19 B. Spear-Phishing .............................................................................20 VII. THE ATTACK ON SPE ..........................................................................23 A. Initiation of Overt Contact and Email Communications ...........24 B. Analysis of Malware and Infected Computers and Technical Details of the Intrusion ................................................................28 C. Theft of SPE’s Data and Distribution by Email and a Social Media Account Created by the Subjects ......................................29 D. The SPE Movie “The Interview” ..................................................30 E. Social Media Accounts Were Used to Post Links to Malware on Other Social Media Accounts Related to “The Interview” ..........33 F. “Andoson David,” “Watson Henny” and Related Accounts .........37 1. “Andoson David” ................................................................37 2. “Watson Henny” and “John Mogabe” ................................39 3. “Yardgen” ...........................................................................42 G. Malware Used in Successful Breach of SPE Network ................45 H. Targeting Movie Theater Chain ..................................................50 I. Intrusion at Mammoth Screen ....................................................52 i VIII. INTRUSIONS AT FINANCIAL INSTITUTIONS .................................53 A. Background Regarding Bangladesh Bank Cyber-Heist .............56 B. Malicious Accounts Used .............................................................59 1. [email protected] ..................................................59 2. [email protected] ...........................................................59 3. [email protected] ....................................................61 4. [email protected] ......................................................61 C. Results of Forensic Analysis ........................................................62 D. Comparison of Malware Used and Other Targeted Banks ........66 1. Families of Malware..........................................................67 2. Use of NESTEGG ..............................................................70 3. Secure Delete Function: Connections Between Intrusions at Bank Victims and SPE ..................................................72 4. FakeTLS Data Table .........................................................77 5. DNS Function ....................................................................82 6. Intrusion at the African Bank: Connections to Bangladesh Bank ...............................................................85 7. Watering Hole Campaign Targeting Financial Institutions ........................................................................88 IX. TARGETING OF OTHER VICTIMS .....................................................95 A. Initial Discovery of Defense Contractor Targeting .....................95 B. Connections Between Accounts Used to Target Defense Contractors, and with Accounts Used to Target SPE .................97 1. Connection to [email protected] ...................100 2. Connection to @erica_333u ..............................................101 3. Connection to [email protected] ............................102 C. Targeting of South Korean Entities ..........................................105 X. WANNACRY GLOBAL RANSOMWARE ............................................106 A. WannaCry Ransomware Attacks ...............................................106 ii B. Similarities in the Three Versions of WannaCry ......................111 C. Links Between WannaCry and Other Intrusions Described Above ...........................................................................................118 D. Evidence Shows Subjects Were Following Exploit Development...............................................................................125 XI. THE “KIM HYON WOO” PERSONA ...................................................126 A. tty198410@gmail.com.................................................................127 B. hyon_u@hotmail.com..................................................................128 C. [email protected] ...............................................................129 D. [email protected] ....................................................................131 E. @hyon_u ......................................................................................132 F. Brambul Collector Accounts ......................................................132 XII. PARK JIN HYOK ..................................................................................133 A. PARK’s Work for Chosun Expo, a DPRK Government Front Company .....................................................................................136 1. Chosun Expo ....................................................................136 2. PARK JIN HYOK’s Work in Dalian, China ...................142 B. The Chosun Expo Accounts .......................................................147 1. [email protected] ...................................................149 2. [email protected] ..............................................152 3. [email protected] ..............................................156 4. [email protected] ................................................159 5. [email protected] .................................................164 6. Access to Chosun Expo Accounts by North Korean IP Addresses .........................................................................166 7. Summary of Connections Between “Kim Hyon Woo” Persona and Chosun Expo Accounts Connected to PARK................................................................................169 XIII. CONCLUSION......................................................................................171 iii A F F I D A V I T I, Nathan P. Shields, being duly sworn, declare and state as follows: I. INTRODUCTION 1. I am a Special Agent (“SA”) with the Federal Bureau of Investigation (“FBI”) and have been so employed since 2011. I am currently assigned to the Los Angeles Field Office, where I conduct investigations related to computer intrusions and national security. During my career as an FBI SA, I have participated in numerous computer crime investigations. In addition, I have received both formal and informal training from the FBI and other institutions regarding computer- related investigations and computer technology. Prior to becoming a Special Agent with the FBI, I was employed for eleven years as a Software Engineer where I worked on software projects at NASA’s Johnson Space Center that supported the International Space Station and Space Shuttle mission simulators. I received a bachelor’s degree in Aerospace Engineering with a minor in Computer Science from Embry-Riddle Aeronautical University. As a federal agent, I am authorized to investigate violations of the laws of the United States and have experience doing so. I am a law enforcement officer with authority to apply for and execute warrants issued under the authority of the United States. II. PURPOSE OF AFFIDAVIT 2. This affidavit is made in support of a criminal

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    179 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us