US Treasury Places Sanctions on North Korean State-Sponsored Hacking Groups

Three North Korean hacking groups, one of which was behind the WannaCry ransomware attacks, have had sanctions placed on them by the US Treasury.

The groups - Lazarus Group, Bluenoroff, and Andariel - were named in a Treasury statement as "agencies, instrumentalities, or controlled entities of the Government of North Korea ... based on their relationship to the Reconnaissance General Bureau (RGB) ... North Korea’s primary intelligence bureau."

Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence, said action was being taken because the "hacking groups ... have been perpetrating cyber attacks to support illicit weapon and missile programs." (A confidential UN report in August stated that North Korea had used cyberattacks to steal an estimated US$2 billion to fund its WMD program.)

Lazarus Group was behind the 2014 Sony hack and the 2017 WannaCry ransomware attack, which affected at least 150 countries and around 300,000 computers, making it the biggest known ransomware outbreak to date. The UK's National Health Service (NHS) was one of the worst hit: nearly 10% of general medical practices in the UK were crippled by the attack, and the overall cost to the NHS was estimated at more than £92 million (US$110M).

Bluenoroff and Andariel are sub-groups of Lazarus Group.

Bluenoroff was formed by the North Korean government in response to global sanctions on the country. Its role is to earn revenue illicitly, and by 2018 it had attempted to steal over US$1.1 billion from financial institutions, including (according to press reports) successful 'cyber raids' on banks in Bangladesh, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam.

Andariel's function is to "conduct malicious cyber operations on foreign businesses, government agencies, financial services infrastructure, private corporations, and businesses, as well as the defense industry ... (It) consistently executes cybercrime to generate revenue and targets South Korea’s government and infrastructure in order to collect information and to create disorder."

The sanctions handed down state that, among other things, all property and interests in property of the three groups that are in the United States are blocked and must be reported to OFAC (Treasury’s Office of Foreign Assets Control), and any foreign financial institution that knowingly deals with any of the three groups could be subject to US Correspondent Account or Payable-Through Account (CAPTA) Sanctions.

. . .
