skip to Main Content

Cyber Warfare, USA hit North Korea state sponsored hackers

United State’s OFAC sanctions three North Korea state sponsored hackers Lazarus, Bluenorff and Andariel. They aree linked to Reconnaissance General Bureau (RGB)

United States sanctioned three North Korean hacking groups (APTs), linked with Pyonyang’s government. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions targeting three North Korean state-sponsored malicious cyber groups responsible for North Korea’s malicious cyber activity on critical infrastructure, it’s reported in an OFAC press release. The three are “Lazarus Group,” “Bluenoroff,” and “Andariel”. According to U.S. they are agencies, instrumentalities, or controlled entities of the Government of the asian country. This based on their relationship to the Reconnaissance General Bureau (RGB). “Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence.  “We will continue to enforce existing U.S. and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

The Lazarus organization and activities 

Lazarus Group targets institutions such as government, military, financial, manufacturing, publishing, media, entertainment, and international shipping companies, as well as critical infrastructure, using tactics such as cyber espionage, data theft, monetary heists, and destructive malware operations. Created by the North Korean Government as early as 2007, this malicious cyber group is subordinate to the 110th Research Center, 3rd Bureau of the RGB. The 3rd Bureau is also known as the 3rd Technical Surveillance Bureau and is responsible for North Korea’s cyber operations. In addition to the RGB’s role as the main entity responsible for North Korea’s malicious cyber activities, the RGB is also the principal North Korean intelligence agency and is involved in the trade of Pyongyang arms.

The cyber security experts: Pyongyang’s state sponsored hackers are involved in the WannaCry 2.0 ransomware cyber attack

According to the OFAC, Lazarus was involved in the WannaCry 2.0 ransomware cyber attack which the United States, Australia, Canada, New Zealand and the United Kingdom attributed to North Korea in December 2017. Denmark and Japan issued supporting statements and several U.S. companies took independent actions to disrupt the Pyongyang cyber activity.  WannaCry affected at least 150 countries around the world and shut down approximately three hundred thousand computers.  Among the victims was the United Kingdom’s (UK) National Health Service (NHS).  Approximately one third of the UK’s secondary care hospitals and eight percent of general medical practices in the UK were crippled by the ransomware attack, leading to the cancellation of more than 19,000 appointments and ultimately costing the NHS over $112 million, making it the biggest known ransomware outbreak in history.  Lazarus was also directly responsible for the 2014 cyber-attacks of Sony Pictures Entertainment.

Bluenoroff is the cybercrime wing of the Lazarus group

On the two Lazarus sub-groups, Bluenoroff and Andariel, the first one was formed by the North Korean government to earn revenue illicitly in response to increased global sanctions.  Bluenoroff conducts malicious cyber activity in the form of cyber-enabled heists against foreign financial institutions on behalf of the North Korean regime to generate revenue, in part, for its growing nuclear weapons and ballistic missile programs. Cyber security firms first noticed this group as early as 2014, when North Korea’s cyber efforts began to focus on financial gain in addition to obtaining military information, destabilizing networks, or intimidating adversaries.  According to industry and press reporting, by 2018, cybercrime hackers attempted to steal over $1.1 billion dollars from financial institutions and, according to press reports, had successfully carried out such operations against banks in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam.

Andariel is specialized in spying on foreign entities and cybercrime operations

Andariel is focused on conducting malicious cyber operations on foreign businesses, government agencies, financial services infrastructure, private corporations, and businesses, as well as the defense industry.  Cyber security firms first noticed the North Korean’s group around 2015, and reported that it consistently executes cybercrime to generate revenue and targets South Korea’s government and infrastructure in order to collect information and to create disorder. Specifically, Andariel was observed by cyber security firms attempting to steal bank card information by hacking into ATMs to withdraw cash or steal customer information to later sell on the black market.  Andariel is also responsible for developing and creating unique malware to hack into online poker and gambling sites to steal cash. The state-sponsored hackers continue to conduct malicious cyber activity against South Korea government personnel and the South Korean military in an effort to gather intelligence.  

North Korea’s cyber operations also target Virtual Asset Providers and cryptocurrency exchanges to possibly assist in obfuscating revenue streams and cyber-enabled thefts that also potentially fund North Korea’s WMD and ballistic missile programs

In addition to malicious cyber activities on conventional financial institutions, foreign governments, major companies, and infrastructure, North Korea’s cyber operations also target Virtual Asset Providers and cryptocurrency exchanges to possibly assist in obfuscating revenue streams and cyber-enabled thefts that also potentially fund North Korea’s WMD and ballistic missile programs.  According to industry and press reporting, these three state-sponsored hacking groups likely stole around $571 million in cryptocurrency alone, from five exchanges in Asia between January 2017 and September 2018.

Back To Top