US Treasury targets North Korean hacking groups

A decade ago, Naked Security ran a story on reports that North Korea (DPRK) had set up a cyberwarfare unit whose objective was to hack the networks of its enemies.

Then viewed as an esoteric side issue, these early stories now look like a quaint underestimation of a country today regularly accused of hacking almost anything accessible via the internet.

Look no further than an announcement last week by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) for evidence of how dramatically things have changed.

On the basis of Executive Order 13722, which dates from 2016, OFAC has decided to formally sanction three hacking entities – the Lazarus Group and its offshoots Bluenoroff and Andariel – which are allegedly proxies acting on behalf of the DPRK’s Reconnaissance General Bureau (RGB), its primary intelligence agency.

The accusations underpinning the action are already well known:

  • The global WannaCry ransomware attack from 2017 (Lazarus).
  • Successful cyberheists against banks in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam, the most infamous of which, the 2016 raid on the central bank of Bangladesh, resulted in an $80 million loss (Bluenoroff).
  • Numerous attacks on foreign governments and businesses as well as raids on the ATM networks of banks (Andariel).

The motivation? According to OFAC, to steal and extort money to help fund the DPRK’s military and nuclear ambitions and to bypass economic sanctions.

The evidence? Lots of malware samples and botnets attributed to the DPRK, research submitted by cybersecurity companies, and presumably less public information gathered by US and other intelligence services.

Public enemy

Given the volume of accusations levelled against North Korea, an obvious question is what effect can imposing formal sanctions hope to have?

Reading between the lines of the announcement, it’s likely that the hope is to deter any intermediaries tempted to work with these groups:

Persons that engage in certain transactions with the entities designated today may themselves be exposed to designation [sanctions].

Followed by a more menacing threat:

Furthermore, any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the entities designated today could be subject to U.S. correspondent account or payable-through sanctions.

That is, being cut off from the US financial system and having any assets under US jurisdiction blocked – or at least finding it much harder to move money around.

The US has already named one alleged DPRK programmer it says was connected to the WannaCry attacks, Park Jin Hyok, in a 2018 criminal complaint.

That follows a similar policy of naming and shaming hackers allegedly working on behalf of the Chinese and Russian Governments.

The logic is simple: if attacks succeed by preying on human weaknesses, the same kind that phishing exploits, then the same principle can be turned against the publicity-shy perpetrators themselves.

The difference in the case of the DPRK hacking groups is that the US hasn’t named any new individuals associated with them, although that may follow in time.

The warning seems clear: hackers might not care what the US says, but they should care what the justice system might do should they travel to countries where they’re at risk of arrest.