North Korean hacking groups hit with Treasury sanctions

Lazarus Group, a hacking group tied to North Korean and two of its affiliates are the latest APT group to get the 'name and shame' treatment from the U.S. government.


The Department of the Treasury hit three North Korean groups with new sanctions Sept. 13 for conducting cyberattacks against critical infrastructure, including the infamous WannaCry ransomware attacks.

Treasury's Office of Foreign Asset Control announced that Lazarus Group, an advanced persistent threat believed to be working at the behest of the North Korean government and two of its subgroups, dubbed Bluenoroff and Andariel, will have any U.S.-based or adjacent assets frozen and any organizations or financial institutions that do business with them are also at risk for designation.

"We will continue to enforce existing U.S. and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks," said Sigal Mandelker, undersecretary for terrorism and financial intelligence at Treasury in a statement.

Lazarus Group was identified by U.S. officials in late 2017 as the group responsible for unleashing WannaCry, which wrought havoc across hospital and health care organizations in the United Kingdom and other countries, as well as the 2014 Sony hack.

According to research from numerous threat intelligence firms, Bluenoroff is known for targeting financial institutions around the globe, including a 2016 heist that leveraged vulnerabilities in the SWIFT financial system to steal nearly $1 billion in illegal wire transfers from the Bank of Bangladesh. Andariel has focused on businesses, governments and other institutions in South Korea and other places, stealing bank and ATM card information and pilfering military secrets. All three groups are accused on conducting malicious cyber operations designed to steal money in order to fund North Korea's missile and weapons programs.

Financially-motivated cyberattacks are a key source of income for the North Korean government, which is already subject to significant global sanctions that prevent the regime from engaging in most normal forms of commerce with Western and other countries. The United States and its allies, on the other hand, have made a concerted effort in recent years to bring all intelligence, diplomatic and other resources to bear in order to identify and punish state-sponsored hacking groups.

Dmitri Alperovich, chief technology officer for threat intelligence firm Crowdstrike, said the sanctions were "yet another indication" of how much speedier the U.S. and other nations have become at identifying and attributing malicious cyber activity to specific actors and nations.

"A few years ago, this type of action would have been unprecedented. Today it is routine," said Alperovich.

John Hultquist, Director of Intelligence Analysis and FireEye, said the "sheer scale" of financially motivated attacks from these groups indicate that they are a key source of revenue for Pyongyang and that sanctions may not serve as an effective deterrent for a government like North Korea that lacks other options to fill the void.

"Even if they were to take a lighter hand to the U.S., much of their criminal activity takes place beyond the U.S. in countries who may not have the same ability to change North Korea's behavior," said Hultquist. "It's also important to remember that this activity appears to be very lucrative, and the choice for the cash-strapped regime to give it up will be a hard one."

The sanctions come less than a week after U.S. Cyber Command uploaded nearly a dozen malware samples associated with North Korean hacking tools onto the website VirusTotal. Doing so makes it easier for the broader security research community to identify and share indicators of those tools with businesses, governments and other potential victims and mitigate future attacks.

Representative Jim Langevin (D-R.I.), Chair of the House Armed Services Committee, released a statement following the actions congratulating Treasury and CyberCom and urging further action to curb North Korean cyber operations.

"Responsible nations do not engage in this kind of destabilizing behavior, and we must take action to hold irresponsible states accountable," said Langevin. "Malicious cyber actors around the world need to know that they cannot act with impunity and that the United States will use all instruments of national power to counter their activity."