U.S. sanctions North Korean hackers for Swift hack, WannaCry and other cyberattacks that fund its weapons programs

Bloomberg

The U.S. sanctioned three North Korean state-sponsored groups that it says were responsible for hacking the Swift interbank messaging system and a ransomware attack called WannaCry 2.0 that crippled Britain’s National Health Service and Renault SA factories across Europe.

The Treasury Department said Friday the hacking groups are commonly known as Lazarus Group, Bluenoroff and Andariel. The groups are controlled by North Korea’s primary intelligence bureau, Treasury said in a statement.

The U.S. said the attacks have been used to fund illicit weapon and missile programs by North Korea, which is under broad American sanctions over the hermit country’s nuclear program.

“We will continue to enforce existing U.S. and U.N. sanctions against North Korea and work with the international community to improve cybersecurity of financial networks,” Sigal Mandelker, Treasury’s under secretary for terrorism and financial intelligence, said in a statement.

Almost no progress has been made toward an agreement on North Korea’s nuclear program despite three meetings between President Donald Trump and Kim Jong Un. After their latest meeting, the U.S. said Kim had agreed to begin detailed negotiations by mid-July. Those talks are not known to have happened.

The sanctions build on U.S. government efforts to call out foreign hackers, including charges and sanctions imposed on an alleged member of the Lazarus Group last year.

The Justice Department in 2018 filed criminal charges against a North Korean national who it alleged belonged to the Lazarus Group. The person, Park Jin Hyok, was charged with crimes stemming from the 2014 hack on Sony Pictures Entertainment and the 2017 WannaCry ransomware operation, which Treasury called on Friday “the biggest known ransomware outbreak in history.” The Treasury Department simultaneously imposed sanctions against Park and his employer.

In the WannaCry attack, the Lazarus Group was involved in infecting computers with malicious software that encrypted data and demanded ransom payments from users for its release. The attack shut down roughly 300,000 computers in at least 150 countries, with one of the victims — the United Kingdom’s National Health Service — losing $112 million, according to the Treasury.

The cyberattack on Sony Pictures was seen at the time as representing a new, aggressive type of hacking because Lazarus Group hackers crippled computers, deleted data and released embarrassing internal emails in retaliation for the company’s film “The Interview,” a comedy about a Central Intelligence Agency plot to kill Kim.

“Lazarus Group targets institutions such as government, military, financial, manufacturing, publishing, media, entertainment, and international shipping companies, as well as critical infrastructure, using tactics such as cyber-espionage, data theft, monetary heists, and destructive malware operations,” according to Treasury’s Friday statement.

The new sanctions also targeted two subgroups within Lazarus, which are known in the private sector as Bluenoroff and Andariel.

The Bluenoroff group within Lazarus “conducts malicious cyber activity in the form of cyber-enabled heists against foreign financial institutions on behalf of the North Korean regime to generate revenue, in part, for its growing nuclear weapons and ballistic missile program,” in the face of increased global sanctions, according to the Treasury statement. It cited private-sector and press reports that the group had attempted to steal $1.1 billion from financial institutions.

The second group within Lazarus that was targeted by Treasury on Friday was Andariel, which “focuses on conducting malicious cyber operations on foreign businesses, government agencies, financial services infrastructure, private corporations, and businesses, as well as the defense industry” including by hacking ATMs and hacking South Korean government and military targets for intelligence gathering, according to Treasury, which cited private-sector reporting.

John Hultquist, the director of intelligence analysis at the cybersecurity firm FireEye, said that, over the last four years, his company has “witnessed North Korea’s cyber-espionage apparatus grow into a significant state-run criminal venture.”

“Though these operations may fund the hackers themselves, their sheer scale suggests that they are a financial lifeline for a regime that has long depended on illicit activities to fund itself,” Hultquist said in a statement. “This activity appears to be very lucrative, and the choice for the cash-strapped regime to give it up will be a hard one.”