Add the U.S. Treasury to the list of government agencies going after North Korean hackers.
The Treasury’s Office of Foreign Assets Control announced Friday it is sanctioning three North Korean hacking groups it says are backed by Kim Jong-un’s regime, including the well-known Lazarus Group. The office also identifies two sub-groups of Lazarus Group, Bluenoroff and Andariel.
Bluenoroff has targeted foreign financial institutions in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam, as well as the Society for Worldwide Interbank Financial Telecommunication (SWIFT) monetary transfer system to conduct cyber-enabled financial heists in response to prior sanctions, according to OFAC.
Andariel has been more focused on stealing cash and customer information from ATMs as well as targets in government agencies and in the defense industry, including those in South Korea to gather intelligence, according to OFAC.
The U.S. government has previously linked Lazarus Group with the North Korean government.
OFAC has designated all three as “agencies, instrumentalities, or controlled entities” of North Korea’s primary intelligence agency, the Reconnaissance General Bureau (RGB).
“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury’s under secretary for terrorism and financial intelligence. “We will continue to enforce existing U.S. and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”
This comes weeks after the UN revealed North Korea has been stealing $2 billion through cyberattacks to finance its weapons programs, and just as the regime says it’s willing to come back to the negotiating table with the Trump administration on denuclearization.
There has been a broader government effort to ratchet up the pressure on North Korea as of late. Cyber Command has also been sending warning signs to North Korea in recent weeks, including uploads of malware samples to VirusTotal last month that security researchers linked with Lazarus Group.
Last Sunday, Cyber Command uploaded its largest-ever sample set to VirusTotal, which security researchers also linked with North Korea. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has also been coordinating with Cyber Command to warn private sector about the malware, as CyberScoop first reported.
These CISA and Cyber Command actions are taking place “as part of an ongoing effort to protect the U.S. financial system and other critical infrastructure as well as to have the greatest impact on improving global security,” according to the Treasury department release on the sanctions designation.
“This, along with today’s OFAC action, is an example of a government-wide approach to defending and protecting against an increasing North Korean cyber threat and is one more step in the persistent engagement vision set forth by USCYBERCOM,” the Treasury notice reads.
The U.S. government has also said North Korean hackers, specifically Lazarus Group, are responsible for the WannaCry ransomware attack that impacted 150 countries and thousands of computers. Department of Justice charged a North Korean computer programmer in connection with those attacks last year.
North Korean hackers don’t appear to be stopping any time soon. As denuclearization talks have stalled, North Korean hackers have been targeting U.S. entities with malicious decoy documents, Prevailion researchers tell CyberScoop. They have also been employing new methods — using more obscure file-types that many antivirus products don’t detect — intended to better cover their tracks and evade detection. North Korean hackers have also appeared to be targeting organizations focused on North Korea’s missile program via malicious websites that appear to be login pages for government agencies and think tanks.