The U.S. Commerce Department recently announced a new rule barring the export and resale of cyber “intrusion software” and equipment to China and Russia without a proper license from the U.S. Bureau of Industry and Security (BIS). It will apply to any intrusion software, including defensive products, being sold to any Chinese or Russian person, regardless of whether they are affiliated with the government. Set to come into effect in 90 days, the rule will likely impact the operations of not only Chinese and Russian cybercriminals, but also the North Korean Lazarus Group, which conducts offensive cyber operations against foreign states, often with the assistance of Chinese or Russian groups.
While intrusion software is critical for penetration testing, which allows cybersecurity analysts to discover and patch existing system vulnerabilities, malicious actors have exploited the sale and distribution of such technology to spread cybercrime globally. North Korea, in particular, has successfully incorporated cyber-enabled financial crime into its proliferation finance modus operandi for years, as it provides an inexpensive and low-risk way to evade U.S. and U.N. economic sanctions. As sanctions tighten in other areas, such as the commodities trade, North Korea continues to compensate for its monetary losses with funds obtained through illicit cyber activity. These money-generating attacks range from basic data breach tactics such as email phishing to more advanced forms of cyber-enabled financial crime, including online bank heists, hacking of cryptocurrency transactions, and distributing ransomware.
Although Washington and Pyongyang do not engage in open trade due to diplomatic and security concerns, U.S. and European companies that provide intrusion software and equipment to North Korean allies like China and Russia are at risk of inadvertently providing North Korea with the same technology. The United Nations has documented vast illicit networks in China, Russia, and Iran that help North Korea evade U.S. and U.N. sanctions, including by violating supply chain regulations, providing military and missile technology, and illegally hosting North Korean cybercriminals and information technology workers. Since China and Russia continue to view North Korea as a strategic partner against U.S. influence in the region, this new rule may help stymie coordination between state-sponsored and independent cybercriminals aiding North Korean hackers.
Intelligence reports citing possible connections between the Lazarus Group and Russian-speaking cybercrime groups, as well as Chinese hotels acting as fronts for North Korean hackers, highlight the potential security benefits of requiring BIS licenses to sell and distribute hacking technology to China and Russia. Although U.S. and Russian government officials committed to seeking a common set of “rules of the road” to prevent malicious cyberattacks during a UN General Assembly meeting last week, it is unlikely that this agreement will translate into real policy change toward North Korean cybercriminals.
This new rule from the Commerce Department is likely another component of the Biden administration’s counter-ransomware strategy aimed at improving national cybersecurity and international coordination against cybercrime. This regulation follows two major cybercrime-related developments in the United States: the Treasury Department’s first cryptocurrency-related sanction on a Russian exchange for facilitating transactions for ransomware payments and U.S. citizen Virgil Griffith pleading guilty to providing technical advice to North Korea on using cryptocurrency and blockchain technology to evade sanctions.
The Biden administration is staying true to its promise of strengthening cyber resilience by implementing domestic and global legal standards on not only cyber activity, but also cyber-enabled technology and products. As the funds North Korean cybercriminals steal are believed to support the country’s illicit nuclear and ballistic weapons development program, addressing the North Korean cyberthreat should remain a top priority of U.S. and U.N. policymakers.