U.S Imposes Sanctions on North Korean State-Sponsored Cyber Groups

Sanctions on North Korean State-Sponsored hacker groups to improve cybersecurity of financial networks, U.S. to blacklist these groups

The U.S. Treasury imposed sanctions targeting three North Korean state-sponsored malicious cyber groups responsible for North Korea’s malicious cyber activity on critical infrastructure.

The treasury identified these groups as — North Korean hacking groups commonly known within the global cyber security private industry as “Lazarus Group,” “Bluenoroff,” and “Andariel”.

These sanctions have been awaited by the cybersecurity industry since these infamous groups have been known to create ransomware attacks on banks and other financial institutions to steal money from legal businesses.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyberattacks to support illicit weapon and missile programs,” Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence said.

The sanctions would mean that these groups would be blacklisted and their financial assets would be frozen by global banking authorities.

“We will continue to enforce existing U.S. and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.” He added.

According to the U.S. treasury the money stolen from U.S. based financial institutions was being used for North Korea’s missile program. Hence, the sanctions could have not just financial implications but humanitarian grounds as well, some experts said.

[optin-monster-shortcode id=”dv4jqlr9fih8giagcylw”]

The major reason stated by the U.S. Treasury was the malicious cyber activity which was done by Lazarus Group, Bluenoroff and Andariel.

Treasury officials said the three groups operate under the control of the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence bureau.

The Lazarus Group is the largest of the three and targets institutions such as government, military, financial, manufacturing, publishing, media, entertainment, and international shipping companies, as well as critical infrastructure, using tactics such as cyber espionage, data theft, monetary heists, and destructive malware operations.

It was created by the North Korean Government as early as 2007 and is essentially a malicious cyber group, which is subordinate to the 110th Research Center, 3rd Bureau of the RGB.

In addition to the RGB’s role as the main entity responsible for North Korean state-sponsored malicious cyber activities, the RGB is also the principal North Korean intelligence agency and is involved in the trade of North Korean arms, the treasury added.

Lazarus Group was involved in the destructive WannaCry 2.0 ransomware attack which the United States, Australia, Canada, New Zealand and the United Kingdom publicly attributed to North Korea in December 2017.  Denmark and Japan issued supporting statements and several U.S. companies took independent actions to disrupt the North Korean cyber activity.

The “WannaCry” attack affected at least 150 countries around the world and shut down approximately three hundred thousand computers.  Among the publicly identified victims was the United Kingdom’s (UK) National Health Service (NHS).

Approximately one third of the UK’s secondary care hospitals and around eight percent of general medical practices in the UK were crippled by the ransomware attack, leading to the cancellation of more than 19,000 appointments and ultimately costing the NHS over $112 million, making it the biggest known ransomware outbreak in history.  Lazarus Group was also directly responsible for the well-known 2014 cyber-attacks of Sony Pictures Entertainment.

Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid.

The other groups are actually sub-groups of Lazarus Group, the first of which is referred to as Bluenoroff by many private security firms.  Bluenoroff was formed by the North Korean government to earn revenue illicitly in response to increased global sanctions.

Bluenoroff conducts malicious cyber activity in the form of cyber-enabled heists against foreign financial institutions on behalf of the North Korean regime to generate revenue, in part, for its growing nuclear weapons and ballistic missile programs.

According to cyber security firms, typically through phishing and backdoor intrusions, Bluenoroff conducted successful operations targeting more than 16 organizations across 11 countries, including the SWIFT messaging system, financial institutions, and cryptocurrency exchanges.  In one of Bluenoroff’s most notorious cyber activities, the hacking group worked jointly with Lazarus Group to steal approximately $80 million dollars from the Central Bank of Bangladesh’s New York Federal Reserve account.

Bluenoroff and Lazarus Group made over 36 large fund transfer requests using stolen SWIFT credentials in an attempt to steal a total of $851 million before a typographical error alerted personnel to prevent the additional funds from being stolen.

The other group named was Andariel. Like Bluenoroff, it is also a Lazarus Group sub-group. Andariel focuses on conducting malicious cyber operations on foreign businesses, government agencies, financial services infrastructure, private corporations, and businesses, as well as the defense industry.  Cybersecurity firms first noticed Andariel around 2015, and reported that it consistently executes cybercrime to generate revenue and targets South Korea’s government and infrastructure in order to collect information and to create disorder.

Vidya Lakshmi

IndustrialCyber Editor & Features Vidya is a freelance journalist with over 10 years of experience in business journalism. She started her career reporting on U.S. equities markets and later moved to niche financial news. She developed an interest in ICS cybersecurity after researching some incidents and reading about it online.