North Korea
September 13, 2019

U.S. Sanctions North Korean Hacker Groups Behind WannaCry, Sony Pictures, Bangladesh Bank Attacks

By Samuel Rubenfeld, Helen Koo and Priscilla Kim

This report has been updated with additional information from the U.S. government and research by Kharon.

The U.S. Treasury Department on Friday sanctioned three North Korean state-sponsored cyber groups, including one that was involved in the WannaCry 2.0 ransomware attack and attributed with conducting the 2014 attack on Sony Pictures Entertainment.

The sanctions come as part of a broader U.S. government effort to combat North Korean cyber threats. In recent months, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and U.S. Cyber Command (USCYBERCOM) have disclosed samples of malware to the cybersecurity industry, several of which were later attributed to North Korean cyber actors, the Treasury said in a statement.

The three groups, which are known as Lazarus Group, Bluenoroff and Andariel, were designated as entities of the North Korean government because they are controlled by the Reconnaissance General Bureau (RGB), according to the Treasury. The RGB has been sanctioned by the U.S. and the United Nations as North Korea’s intelligence bureau. 

Lazarus Group was created by the North Korean government as early as 2007 and is a subordinate of the 110th Research Center, 3rd Bureau of the RGB, according to the Treasury. The 110th Research Center operates between 15 and 20 hacking units, including the Lazarus Group and APT 38, according to Korean media reporting. APT 38 was identified by the Treasury as an alias for Bluenoroff.

Lazarus Group was involved in the WannaCry 2.0 ransomware attack, which affected at least 150 countries around the world and shut down about 300,000 computers, the Treasury said. It also was directly responsible for the 2014 attack on Sony Pictures Entertainment, according to the Treasury;  the company had produced a satire of North Korea called “The Interview.”

Using cyber espionage, data theft, monetary heists and malware operations, the Lazarus Group targets institutions such as governments, military, financial, manufacturing, publishing, media, entertainment and shipping companies, as well as critical infrastructure, the Treasury said. CISA has identified more than a dozen pieces of malware used by Hidden Cobra, which Treasury identified as an alias of Lazarus Group.

The U.S., Canada, Australia, New Zealand and the U.K., collectively known as the “Five Eyes” countries, attributed the WannaCry 2.0 attack in December 2017 to North Korea. Denmark and Japan supported the assertion and several U.S. companies took independent actions to disrupt the cyber activity, according to the Treasury. 

Among the publicly identified victims of the WannaCry 2.0 attack was the U.K. National Health Service; nearly a tenth of U.K. general medical practices were affected, the Treasury said. The attack led to the cancellation of more than 19,000 appointments and cost the National Health Service more than $112 million, making it the largest known ransomware outbreak in history, according to the Treasury.

Bluenoroff and Andariel are sub-groups of Lazarus Group, the Treasury said. 

Bluenoroff was formed by the North Korean government to earn illicit revenue in response to tightened global sanctions, according to the Treasury. 

Cybersecurity firms first noticed Bluenoroff as early as 2014, when North Korean cyber efforts began to focus on financial gain in addition to obtaining military information, destabilizing networks or intimidating adversaries, the Treasury said. 

Typically through phishing and backdoor intrusions, Bluenoroff conducted successful operations targeting more than 16 organizations across 11 countries, including the SWIFT messaging system, financial institutions and cryptocurrency exchanges, according to the Treasury, which cited cybersecurity firms. In a 2016 attack, Bluenoroff worked with Lazarus Group to steal about $80 million from the Bangladesh central bank’s account at the Federal Reserve Bank of New York, the Treasury said. 

Employing malware similar to that seen in the Sony Pictures hack, they made more than 36 large fund transfer requests using stolen credentials in an attempt to steal $851 million before a hacker’s typographical error alerted personnel, who prevented additional funds from being stolen. Bangladesh Bank filed a lawsuit in late January 2019 against the Filipino lender Rizal Commercial Banking Corporation, its leaders and others for facilitating the heist effort, including by handling the stolen funds. The lawsuit is ongoing, according to the court docket.

Bluenoroff had attempted by 2018 to steal more than $1.1 billion from financial institutions, the Treasury said, citing industry and press reporting. It had, by that time, successfully carried out operations against banks in Bangladesh, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile and Vietnam, according to the Treasury, which cited press reports.

Andariel focuses on conducting malicious cyber operations on foreign businesses, government agencies, financial services infrastructure, private companies and the defense industry, the Treasury said. The cybersecurity sector first noticed Andariel in about 2015, saying it consistently executes cybercrime to generate revenue, according to the Treasury. 

The group targets the  South Korean government and military personnel in an effort to gather intelligence, the Treasury said. In one case, the group intruded into the South Korean defense ministry’s intranet and the personal computer of the defense minister to extract intelligence on military operations.

North Korean cyber operations have also targeted virtual asset providers and cryptocurrency exchanges to, according to the Treasury, possibly assist in obfuscating revenue streams and thefts that potentially fund North Korean ballistic missile and weapons of mass destruction programs. The three groups have likely stolen around $571 million in cryptocurrency alone, the Treasury said.

Lazarus Group was able to steal credentials for cryptocurrency wallets and exchanges by infecting victims of interest with malware such as Gh0st RAT that allowed operators to take full control of a target’s device, according to a California-based cybersecurity research firm. The Lazarus Group operator using Gh0st RAT was Andariel, South Korean investigators found. In 2017, Andariel seized a South Korean company server and used it to mine cryptocurrency, according to the latest United Nations Panel of Experts report on North Korea, which cited Bloomberg News.

Alleged North Korean hacker Park Jin Hyok was part of Lazarus Group, according to a June 2018 U.S. criminal complaint. Park was sanctioned in September 2018 along with his employer, Korea Expo Joint Venture. The company operated online gambling sites in the 2000s, Kharon reported in March. Park is on the Federal Bureau of Investigation’s most wanted list.

North Korea has sent hundreds of hackers to neighboring countries over recent years, according to an April 2018 Bloomberg Businessweek report citing South Korean government experts. Hackers from North Korea in Nepal acting under the name of Yong Bong Chand I.T. Company, registered as a software development and data processing company, were reported in Nepalese media as having worked for Lazarus Group.


Kharon research

Log in for access to the latest updates and analysis on networks targeted by sanctions and sanctions-related risk. Don’t have an account? Click REQUEST AN ACCOUNT to receive information on how to get signed up.

Request an account or Log in