The U.S. Treasury signed sanctions against three hacking groups actively engaged in cyber operations meant to bring financial assets to the government of North Korea.
The groups are Lazarus, Bluenoroff, and Andariel, well-known in the security industry for cyber operations aimed at cyberespionage, data theft, monetary reward, and data destruction.
By signing the sanctions, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) blocks all property and financial assets owned by the three groups in the U.S. and prohibits all dealings involving those assets.
The sanctions also reach further: "any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the entities" could itself become the target of sanctions.
All three groups operate at the command of the Reconnaissance General Bureau (RGB), which is North Korea’s primary intelligence bureau.
Old group Lazarus
Lazarus Group (a.k.a. Hidden Cobra), the largest of the three hacking entities and considered an umbrella for the others, was created in early 2007 and is coordinated by the 110th Research Center, 3rd Bureau of the RGB. This bureau is charged with technical surveillance and is the architect of North Korea's cyber operations.
Infamous incidents attributed to Lazarus Group include the 2014 attack on Sony Pictures (known as Operation Blockbuster) and the global WannaCry ransomware epidemic in 2017.
The damage caused by these two attacks alone was considerable. Sony's internal data (employee emails, plans for future films, documents) was made public.
WannaCry impacted hundreds of thousands of computers across the world and produced hundreds of millions of U.S. dollars in damages to companies in at least 150 countries.
Money-grabbing Bluenoroff
Treasury officials say that Bluenoroff, a sub-group of Lazarus, has been operating since at least 2014 with the purpose of earning revenue for the North Korean government.
"Bluenoroff conducts malicious cyber activity in the form of cyber-enabled heists against foreign financial institutions on behalf of the North Korean regime to generate revenue, in part, for its growing nuclear weapons and ballistic missile programs."
One of the most notable heists attempted by this group was against the Bangladesh Central Bank, which stood to lose about $1 billion, were it not for two mistakes from the hackers.
One of them was a typo, the other misstep was choosing a recipient that had been flagged for evading U.S. sanctions against Iran. In total, Bluenoroff (APT38) hackers managed to steal $81 million from just four transfers out of a total of 35.
Countries with financial institutions attacked by this group include India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam.
Andariel hacks for cash and secrets
The third hacker group associated with the North Korean government is called Andariel. Operating since at least 2015, the outfit is known to focus on foreign businesses, government agencies, entities in the defense industry, financial services infrastructure, and private corporations.
It appears that this unit's purpose oscillates between cyber espionage and financial reward. Three years ago, Andariel was blamed for breaking into the personal computer of the South Korean Defense Minister as well as into the Defense Ministry's intranet.
At the same time, the group seems to be responsible for hacking into ATMs to steal cash or collect customer information and peddle it to specialized communities. Moreover, Andariel is known for compromising online poker sites to make money.
Lucrative business
North Korean hackers have a wide range of activities they engage in, and it seems that the scope of their operations changes with the Pyongyang government's needs at a certain point in time.
John Hultquist, the Director of Intelligence Analysis for FireEye, told BleepingComputer that North Korea’s cyber-espionage apparatus has grown in the past four years into "a significant state-run criminal venture."
"Though these operations may fund the hackers themselves, their sheer scale suggests that they are a financial lifeline for a regime that has long depended on illicit activities to fund itself." John Hultquist
This is echoed by reports about these three groups hacking systems for huge piles of cash. The United Nations estimated in a confidential document that North Korea made as much as $2 billion from at least 35 cyberattacks directed at banks and cryptocurrency exchanges in 17 countries.
Another report from the U.N. earlier this year stated that North Korean hackers hitting cryptocurrency exchanges in Asia between January 2017 and September 2018 caused $571 million in losses.
Hultquist says that these U.S. sanctions may not be a powerful deterrent against the cybercriminal activities of the Pyongyang regime. He points out that the lucrative nature of these campaigns is a strong motivation to stay on the same path.
"In the past they have remained obstinate in the face of other sanctions and international condemnation of their cyber capability. Even if they were to take a lighter hand to the US, much of their criminal activity takes place beyond the US in countries who may not have the same ability to change North Korea’s behavior."
Comments
buddy215 - 5 years ago
Russia and China can cut the cables going to North Korea. But they won't. They enjoy NK's constant actions and threats against the USA and its allies. Note that Russia and China are not the targets of the NK. Of course, these NK hackers could be geographically located in other parts of the world besides inside the NK but cutting the cables to Russia and China would create havoc and possibly end NK's criminal acts on the Internet.