The Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions on Friday against three North Korean cyber groups for targeting critical infrastructure.
OFAC identified the Lazarus Group and two of its subsidiaries, Bluenoroff and Andariel, as “agencies, instrumentalities, or controlled entities of the Government of North Korea,” noting that all three groups are controlled by RGB, North Korea’s main intelligence bureau.
As a result of the sanctions, the three groups have been blocked from accessing any property within the United States, and U.S. citizens and residents are banned from doing any type of business with the groups.
“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs,” Sigal Mandelker, the Treasury under secretary for Terrorism and Financial Intelligence, said in a statement. “We will continue to enforce existing U.S. and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”
According to OFAC, the Lazarus Group has been active in cyberattacks around the world since being created by the North Korean government in 2007. It was responsible for the cyberattack on Sony Pictures in 2014 stemming from the release of “The Interview,” a film that mocked the North Korean government.
The Lazarus Group was also involved in the WannaCry 2.0 ransomware virus in late 2017, which impacted at least 150 countries and encrypted or shut down about 300,000 computers.
This became one of the largest ransomware attacks in history after the United Kingdom’s National Health Service (NHS) was attacked, impacting about 8 percent of general medical practices in the U.K., and costing the NHS an estimated $112 million to recover.
OFAC alleged that Bluenoroff was created by the North Korean government with the goal of earning revenue to get around sanctions placed on the country. By 2018, the group had attempted to steal about $1.1 billion from banks in countries including Bangladesh, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile and Vietnam.
In one alleged incident, Bluenoroff and Lazarus worked together to steal roughly $80 million from the Central Bank of Bangladesh’s New York Federal Reserve account.
Andariel was focused on targeting South Korea’s government and critical infrastructure in order to collect information and “create disorder,” according to OFAC. In one 2016 incident, Andariel was involved in hacking into the personal computer of the South Korean defense minister and the Defense Ministry’s intranet to extract information about military operations.
OFAC noted that the three groups likely stole about $571 million in cryptocurrency between January 2017 and September 2018 as part of North Korea’s targeting of cryptocurrency exchanges to fund its weapons of mass destruction and ballistic missile programs.
OFAC emphasized that the sanctioning of the groups was part of a “government-wide” effort to protect U.S. financial systems and critical infrastructure against North Korean cyber threats, with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and U.S. Cyber Command also involved in the effort.
At least one member of Congress praised the sanctions. Rep. Jim Langevin (D-R.I.), the chairman of the House Armed Services subcommittee on intelligence and emerging threats and capabilities, said in a statement that he “congratulated” Treasury Secretary Steven Mnuchin for the decision to impose sanctions.
“Responsible nations do not engage in this kind of destabilizing behavior, and we must take action to hold irresponsible states accountable,” Langevin said. “Malicious cyber actors around the world need to know that they cannot act with impunity and that the United States will use all instruments of national power to counter their activity.”
-Updated at 12:40 p.m. to include a statement from Rep. Langevin.