In the wake of the Department of Justice charging a North Korean computer programmer with crimes related to various cybersecurity cases, one thing seems to be agreed upon: The chances of Park Jin Hyok seeing an American courtroom are slim.
However, there seems to be a rift among legal and cybersecurity experts over the way the U.S. government handled the recent complaint against the hacking unit known as Lazarus Group. Those who spoke to CyberScoop are at odds over whether the complaint shed too much light into the government’s attribution process, giving North Korean hackers the ability to fix any glaring holes and improve their offensive capabilities.
“I think it’s a total waste of money,” said Blake Darché, a former NSA analyst. “It does nothing to deter the cyberthreat and makes it look like the United States can’t even bring the people to justice that we charged.”
In the complaint, the U.S. charged Park with one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer-related fraud. The bulk of the complaint is filled with digital forensic evidence that prosecutors say points to Park’s involvement in the Sony Pictures hack, the WannaCry ransomware and the attack on the SWIFT international financial messaging system. In great detail, it shows how North Korea used a host of different servers, email addresses and social media accounts to carry out its crimes.
Former federal cybercrime prosecutor Ed McAndrew told CyberScoop that the charging document is one of “the most detailed cybercrime affidavits” he’s ever seen in his decade of work. Yet given the reality that North Korea is highly unlikely to extradite Park, McAndrew wonders if the benefit to publicly unveiling those forensics outweighs the cost.
“Why have we laid out in such great detail all the ways we go about building these cases when we’re not going to get anything out of it?” McAndrew said. “That’s great to show them that we can actually figure out who did it, but you know any cybercriminal worth their salt is going to study these types of documents and use them to improve their operational security.”
The Department of Justice has been aggressive over the past few years when it comes to using legal means to thwart nation-states’ hacking activity. Since 2014, the DOJ has indicted or charged people tied to either Russia, China, or Iran for computer-related crimes. Additionally, U.S. law enforcement has been forcefully extraditing individuals tied to bigger cybercrime groups.
Luke Dembosky, a former federal prosecutor under the Department of Justice’s National Security division, told CyberScoop the information contained in the complaint detailed exactly what the government likes to do with these types of cases — lay the groundwork for further actions.
“By including this much detail, the Department is trying to fend off any doubts about the strength of the case, particularly where the primary goals are to call out publicly who was behind the attack, build support for multi-lateral sanctions and other alternative relief, and deter others from these kinds of actions,” Dembosky said. “In such cases — particularly where the chances of arrest are remote — the benefits of revealing specific evidence pointing to the defendant sometimes outweigh the risk of giving away evidence.”
That lack of a forthcoming arrest adds to the confusion for McAndrew, based on the way the Justice Department charged Park. While similar cases dealing with nation-states have come in the form of an indictment, Park was charged in a complaint. Normally, a complaint is brought before a grand jury, which then determines whether or not to issue an indictment based on the facts.
“[The Justice Department] didn’t do that here,” McAndrew explained. “The reason you don’t normally do it is because somebody’s either under arrest or there is about to be an arrest, and you don’t have time to go to the grand jury and present evidence.”
Considering that Park would only be arrested if either the North Korean regime extradited him or he was detained by another country, McAndrew said the process has been “odd” when compared to similar cases dealing with U.S. cyber-adversaries.
“What’s the rush here?” McAndrew said. “We’re four years down the road from the Sony attack. This guy is never getting arrested. [The charges] happened on a random Thursday in September. Why now? I’ve never seen it done like this before.”
John Carlin, former assistant attorney general for the DOJ’s National Security Division, told CyberScoop that while the complaint does reveal a lot of forensic evidence, its thoroughness ultimately will force North Korea to expend more time, effort and resources to launch similar attacks.
“If they have to use higher-end capabilities to target an adversary, then they’re going to be more discriminating over who they target,” he said. “That allows [the U.S.] to focus more on their high value targets in terms of defending them.”
Carlin said that in past cases, such as those against Russian hackers or the Chinese actors working for the People’s Liberation Army, behaviors did change despite the U.S. government’s inability to arrest everyone involved.
“It knocks down the scale of activity, which also makes it a more manageable problem to solve,” he told CyberScoop.
Darché, who now runs private cybersecurity company Area 1, thinks there is a different way to solve the problem.
“I think the most effective deterrent strategy is an offensive counter-deterrent,” he said. “The North Koreans hacked Sony, so we hack something and knock over something else in their country. This is the tit-for-tat cyber battle that’s necessary to win this war.”