The Treasury Department announced sanctions Sept. 13 against the North Korean-sponsored hacking group behind the 2017 WannaCry ransomware attacks, which shut down over 300,000 computers across 150 countries.
The announcement from the Treasury’s Office of Foreign Assets Control specifically targets the hacking group Lazarus Group and two subsidiaries, which the U.S. government says are backed by North Korea’s primary intelligence agency and help fund the country’s illicit weapons program.
“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs,” said Sigal Mandelker, the department’s under secretary for terrorism and financial intelligence. “We will continue to enforce existing U.S. and U.N. sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”
The sanctions bar citizens and residents of the United States from doing business with any of the named entities and block any property those entities hold in the United States. In addition, foreign financial institutions are barred from facilitating transactions with the groups.
Lazarus Group has targeted government institutions and private businesses across the globe and is best known for its involvement in the WannaCry ransomware attacks. It is also responsible for the 2014 cyberattack on Sony, Treasury said. That attack delayed the release of the movie “The Interview,” which poked fun at Kim Jong-un.
The sanctions extended to subsidiaries of Lazarus Group: Bluenoroff and Andariel.
According to the Treasury Department, Bluenoroff attacks financial institutions to steal money for the country’s nuclear weapons and ballistic missile programs. It has stolen over $1.1 billion from financial institutions across the globe, typically through phishing and backdoor intrusions, and it is also known to raid cryptocurrency exchanges. In what Treasury described as one of the group’s “most notorious” attacks, Bluenoroff stole $80 million from the Central Bank of Bangladesh’s account at the Federal Reserve Bank of New York.
“This is yet another indication of how forward-leaning the U.S. government’s position has become in a relatively short period of time on doing attribution of malevolent cyber actors,” said Dmitri Alperovitch, CTO and co-founder of CrowdStrike, a threat intelligence company. “A few years ago, this type of action would have been unprecedented. Today it is routine.”
Andariel, another subsidiary of Lazarus Group, has continually conducted cyber operations against the South Korean government and military to collect intelligence, according to the department. The group once broke into the South Korean Defense Ministry’s intranet. Beyond its government targets, Andariel conducts cyberattacks against banks and private industry; the group has been caught hacking into ATMs to steal bank card and account information for sale on the black market, Treasury said.
Between January 2017 and September 2018, the three groups “likely” stole $571 million in cryptocurrency from five Asian exchanges, according to the department.
“Attribution of these incidents is quite clear and points directly to the Kim regime,” said Rep. Jim Langevin, D-R.I., chairman of the House Armed Services subcommittee on Intelligence and Emerging Threats and Capabilities, in a statement. “Responsible nations do not engage in this kind of destabilizing behavior, and we must take action to hold irresponsible states accountable. Malicious cyber actors around the world need to know that they cannot act with impunity and that the United States will use all instruments of national power to counter their activity.”
Earlier in September, U.S. Cyber Command uploaded 11 samples of Lazarus Group malware to its VirusTotal page.