US sanctions North Korean hackers blamed for global attacks

Treasury slaps punitive measures on Lazarus Group, Bluenoroff and Andariel, saying they are controlled by Pyongyang.

North Korea's government has long cultivated a cyber army to acquire funds illicitly and use digital weaponry against the country's foes [Lucas Jackson/Reuters]

The United States Treasury has announced sanctions on three hacker groups from North Korea that it said were involved in the 2017 WannaCry ransomware attack and other hack jobs on international banks and customer accounts.

It named the groups as Lazarus Group, Bluenoroff and Andariel and said they were controlled by the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence bureau, which is already subject to US and United Nations sanctions.

The action blocks any US-related assets of the groups and prohibits dealings with them. The Treasury statement said any foreign financial institution that knowingly facilitated significant transactions or services for the groups could also be subject to sanctions.

“[The] Treasury is taking action against North Korean hacking groups that have been perpetrating cyberattacks to support illicit weapon and missile programmes,” said Sigal Mandelker, Treasury under-secretary for Terrorism and Financial Intelligence.

“We will continue to enforce existing US and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks,” she added.

The US has been attempting to restart talks with North Korea that are aimed at pressing the country to give up its nuclear weapons. The talks have been stalled over North Korean demands for concessions, including sanctions relief.

Millions and billions stolen

Earlier this month, North Korea denied UN allegations that the country had obtained $2bn through cyberattacks on banks and cryptocurrency exchanges, and accused the US of spreading rumours.

The Treasury statement said Lazarus Group was involved in the WannaCry ransomware attack that the US, Australia, Canada, New Zealand and the United Kingdom publicly attributed to North Korea in December 2017.

It said WannaCry affected at least 150 countries and shut down about 300,000 computers, including many at the UK’s National Health Service (NHS).

The NHS attack led to the cancellation of more than 19,000 appointments and ultimately cost the service over $112m, making it the biggest known ransomware attack in history.

The Treasury said Lazarus Group was also directly responsible for 2014 cyberattacks on Sony Pictures Entertainment.

The statement cited industry and press reports saying that by 2018, Bluenoroff had attempted to steal over $1.1bn from financial institutions and successfully carried out operations against banks in Bangladesh, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile and Vietnam.

It said Bluenoroff also worked with the Lazarus Group to steal approximately $80m from the central bank of Bangladesh’s account at the Federal Reserve of New York.

Andariel, meanwhile, was observed by cybersecurity firms attempting to steal bank card information by hacking into ATMs to withdraw cash or steal customer information to be sold later on the black market, the statement said.

That group was also responsible for developing and creating unique malware to hack into online poker and gambling sites and – according to industry and press reporting – targeted the military in South Korea as part of efforts to gather intelligence, the Treasury added.

Source: Reuters