US Sanctions Three North Korean Entities Linked to Cyberattacks, Theft

The well-known Lazarus Group and two sub-groups were sanctioned.

Credit: Illustration by Catherine Putz

On Friday, the U.S. Treasury Department announced new sanctions against three groups it identified as North Korean state-sponsored cyber actors, holding them responsible for cyberattacks on critical infrastructure and for cybercrime.

The three groups are the Lazarus Group and two of its sub-groups, Bluenoroff and Andariel. All three are said to be controlled by North Korea’s Reconnaissance General Bureau (RGB), the country’s primary foreign intelligence agency. The RGB was itself designated in 2015.

All three groups were added to the Specially Designated Nationals and Blocked Persons (SDN) List maintained by the Treasury Department’s Office of Foreign Assets Control (OFAC), which blocks any property they hold in the United States and bars U.S. persons from transacting with them.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs,” Sigal Mandelker, the under secretary for Terrorism and Financial Intelligence at the Treasury Department, said in a statement on Friday.

“We will continue to enforce existing U.S. and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

The sanctioned groups were involved in a range of illicit activities, the Treasury release alleges. It names the Lazarus Group as the actor behind the WannaCry 2.0 ransomware attack of May 2017; the United States first publicly attributed that attack to North Korea in December 2017.

Bluenoroff, a sub-group within Lazarus Group, was involved in “heists against foreign financial institutions on behalf of the North Korean regime to generate revenue, in part, for its growing nuclear weapons and ballistic missile programs,” the U.S. Treasury noted.

These included attacks against financial institutions in Bangladesh, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam. The release also attributes to the group the 2016 theft of roughly $80 million from the Central Bank of Bangladesh’s account at the Federal Reserve Bank of New York.

Andariel, the other Lazarus sub-group, has focused its efforts primarily on South Korea. “Andariel was observed by cyber security firms attempting to steal bank card information by hacking into ATMs to withdraw cash or steal customer information to later sell on the black market,” the release noted.

The U.S. Treasury’s release added that “the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and U.S. Cyber Command (USCYBERCOM) have in recent months worked in tandem to disclose malware samples to the private cybersecurity industry.”

The new Treasury sanctions follow a UN Panel of Experts report on North Korea that highlighted Pyongyang’s expanding cyber operations, including its efforts to compromise cryptocurrency exchanges. The Panel estimated that North Korea could have generated as much as $2 billion from these illicit cyber activities.