US Sanctions 3 North Korean Hacking GroupsTrump Administration Cites WannaCry, Sony Pictures, Bangladesh Bank Attacks
The U.S. Treasury Department on Friday sanctioned three alleged North Korean state-sponsored hacking groups that have been blamed for the WannaCry ransomware outbreak, online bank heists and the destructive malware attack against Sony Pictures Entertainment.
See Also: Sophos on the State of Ransomware
Officials say the sanctions have been implemented against the Lazarus group and two subgroups: Bluenoroff and Andariel. The sanctions and naming of specific hacking groups signals an ongoing effort by the U.S. government to call out alleged North Korean cyber activity (see: Feds Warn of 'Electricfish' Malware Linked to North Korea).
"Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs," Sigal Mandelker, the department's under secretary for terrorism and financial intelligence, says in a statement.
Rep. Jim Langevin, D-RI, who co-chairs the Congressional Cybersecurity Caucus and is a senior member of the House Armed Services and Homeland Security Committees, lauded the move by the Treasury Department to further hold North Korea accountable. “The WannaCry ransomware and the intrusions into nodes in the SWIFT interbank transfer system were both major incidents that targeted civilian critical infrastructure. Attribution of these incidents is quite clear and points directly to the Kim regime," he says.
"Responsible nations do not engage in this kind of destabilizing behavior, and we must take action to hold irresponsible states accountable," he says. "Malicious cyber actors around the world need to know that they cannot act with impunity and that the United States will use all instruments of national power to counter their activity."
Sanctions Against Hacker Groups
As a result of the sanctions, the alleged hacking groups have been blocked from accessing any property within the United States, and U.S. citizens are banned from doing any type of business with the groups.
The U.S. has had sanctions against North Korea for decades; they've sometimes have been used a bargaining chips in negotiations over the country's nuclear weapons program. But North Korea is skilled at skirting sanctions by using shell companies, ambiguous corporate entities and complex administrative maneuvers to continue to trade.
The sanctions have made it more difficult for North Korea to raise money, but the internet has given it an asymmetric and profitable capability. For example, a confidential United Nations report leaked last month warned that North Korea was using its cyber capabilities to drive as much as $2 billion into its missile and nuclear programs (see: North Korean Hacking Funds WMD Programs, UN Report Warns).
Lazarus Group's Financial Motivations
North Korea has developed online attack capabilities that security experts say make it one of the top four countries - together with Russia, China and Iran - that pose the greatest cybersecurity risk to the United States and its western allies. North Korea has been blamed for attacks on cryptocurrency exchanges as well abusing the SWIFT wire transfer systems used by banks worldwide.
In February 2016, Bangladesh Bank's systems were infected with malware that allowed attackers to issue fraudulent messages within the bank's SWIFT inter-bank messaging system. The fraudulent messages requested the transfer of $951 million from its account at the New York Federal Reserve, marking one of the largest-ever attempted heists (see: Bangladesh Bank Sues to Recover Funds After Cyber Heist).
A spelling error raised suspicions and prevented some money from being transferred, but $81 million in transfers did end up being completed. The money was transferred to Rizal Commercial Banking Corporation in the Philippines before it was quickly moved to casinos and laundered.
Although Bangladesh Bank was criticized for apparently having poor security controls around its SWIFT system, the attack's sophistication raised alarms due to the attackers' detailed knowledge of how the relatively arcane SWIFT software worked.
The Bangladesh Bank heist has been widely blamed on the Lazarus group, which is also known as Hidden Cobra and Dark Seoul. The U.S government alleges the group is part of North Korea's Reconnaissance General Bureau, which has been under sanctions since 2010.
One of Lazarus's subgroups, Bluenoroff, has also been involved in SWIFT-related attacks against banks in India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam. Last year, the group tried to steal $1.1 billion, the U.S. Treasury says.
Another subgroup, Andariel, focused on South Korea's government and infrastructure as well as cybercrime involving ATMs and gambling websites, U.S. officials say.
"Specifically, Andariel was observed by cyber security firms attempting to steal bank card information by hacking into ATMs to withdraw cash or steal customer information to later sell on the black market," according to the U.S. Treasury. "Andariel is also responsible for developing and creating unique malware to hack into online poker and gambling sites to steal cash."
Ransomware and Destruction
Lazarus was also blamed for two other unprecedented attacks. In late 2015, Sony Pictures Entertainment's systems were infected with so-called wiper malware that destroyed its systems. That came after attackers stole internal emails and documents and later released the data, which proved embarrassing.
Shortly after the attack, the U.S. government blamed North Korea, with then-FBI Director James Comey saying evidence included a North Korean IP address having been uncovered in Sony's logs.
But the WannaCry ransomware outbreak in May 2017 caused even greater global alarm. The ransomware was delivered using an exploit called EternalBlue that had been leaked from the U.S. National Security Agency by a group calling itself the Shadow Brokers.
Although Microsoft released patches - for supported operating systems - for the SMB_v1 vulnerability about two months before a version of WannaCry began targeting systems with the flaw, the ransomware nevertheless caused global damage on a scale never seen before. WannaCry's developers also built it to be a worm, meaning that once the malware infected a system, it began seeking further, vulnerable machines to infect.
WannaCry infected 300,000 endpoints in 150 countries, hampering the U.K.'s National Health Service, global telecommunications firms, shipping companies, universities and many more organizations.
More than two years after it first appeared, the malware continues to spread (see: Attacks Targeting IoT Devices and Windows SMB Surge).
Executive Editor Mathew Schwartz contributed to this story.