The Trump administration is sanctioning three North Korean hacking groups widely accused of carrying out attacks that targeted critical infrastructure and stole millions of dollars from banks in cryptocurrency exchanges, in part so the country could finance its weapons and missiles programs.
All three of the groups are controlled by North Koreas primary intelligence agency, the Reconnaissance General Bureau, or RGB, officials with the US Department of Treasury said in a statement published on Friday. Collectively, the groups are behind a host of cyber attacks designed to spy on adversaries and generate revenue for nuclear weapons and ballistic missile programs.
“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs,” Sigal Mandelker, Treasury under-secretary for terrorism and financial intelligence, said in Fridays statement. “We will continue to enforce existing US and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”
The best-known of the three sanctioned groups is Lazarus, the name given to a team created as early as 2007 that targets militaries, governments, and companies in the financial, manufacturing, publishing, media, entertainment and shipping industries. The FBI tied Lazarus to the 2014 hack of Sony Pictures that destroyed data on thousands of company computers and published embarrassing emails from company executives to avenge a film that depicted the assassination of North Koreas leader.
But the best-known work widely attributed to Lazarus was the WannaCry ransom worm outbreak in 2017. The malware used a Windows exploit developed by and later stolen from the National Security Agency that allowed the worm to spread rapidly from computer to computer with no user interaction.
Within hours, WannaCry had spread to 150 countries and shut down an estimated 300,000 computers. Hospitals in the UK were hit particularly hard, leading to the cancellation of more than 19,000 appointments and costing the country's National Health Service more than $112 million.
The new sanctions also apply to two Lazarus subgroups. The first is known as Bluenoroff, which was formed as a means to earn revenue in the wake of increased global sanctions against the North Korean government. This is the group that was behind a 2016 hack on a Bangladesh central bank that almost got away with stealing $851 million. A typographical error prevented the illicit transaction from going through, but the attackers still made off with $81 million. Bluenoroff has also carried out successful hacks against banks in India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam.
Security firms including Symantec and FireEye have chronicled the work of this Lazarus subgroup as it systematically exploited weaknesses in the SWIFT payment network used by banks around the world. The name Bluenoroff was coined in 2017 by researchers from Kaspersky Lab, who were the first to attribute the group as a standalone subunit of Lazarus. The groups name was based on a tool it used called “nroff_b.exe.”