US Treasury Levies Sanctions Against North Korean Group Behind 2017 WannaCry Ransomware

Lazarus Group and its two subdivisions also sanctioned, all responsible for numerous hacks

Last Friday, September 13, the Treasury’s Office of Foreign Assets Control (OFAC) named three hacking groups sponsored by North Korea: the Lazarus Group and what are believed to be two of its subgroups, Bluenoroff and Andariel. The US believes all three are sponsored by North Korea’s primary intelligence agency and are driven by the goal of funding the country’s illicit nuclear weapons program.

Months after it circulated, the US determined that North Korea's Lazarus Group was responsible for the WannaCry ransomware attacks in 2017. The WannaCry worm brought chaos and destruction to numerous businesses, healthcare organizations, critical infrastructure operators and more. The way it spread was unprecedented, shutting down more than 300,000 computers in 150 countries. (See our blog, It's official: North Korea Is behind Wannacry.) The hacking tools used in WannaCry (EternalBlue and others) have continued to morph and do damage around the globe ever since. (See EternalBlue reaching new heights since WannaCry outbreak.)

Guilty of More Than WannaCry Ransomware

In addition to WannaCry, Lazarus Group was also behind the 2014 cyberattacks on Sony. The attack impacted the release of the movie “The Interview,” which was known to ridicule North Korean ruler Kim Jong-un. The hack cost Sony both in dollars and in reputation. The group has also targeted other government agencies and businesses worldwide.

Lazarus Group subsidiaries Bluenoroff and Andariel have a history of attacks attributed to them as well. Bluenoroff is guilty of theft against financial institutions, stealing more than $1.1 billion in 2016 by taking advantage of vulnerabilities in the SWIFT financial system. The group is also known to have carried out bitcoin raids on cryptocurrency exchanges. The Treasury noted one particular attack in which the group struck the Central Bank of Bangladesh, stealing $80 million from its New York Federal Reserve account. Its methods aren’t original – it has relied on phishing attacks and backdoor intrusion.

Andariel set its sights on businesses, government agencies and others in various places, including South Korea. The group has hacked military intelligence and stolen ATM and bank card data. Like Lazarus Group, Andariel and Bluenoroff aim to support North Korea’s nuclear weapons and ballistic missile development.

OFAC Levies Sanctions on All Three Hacking Syndicates

The Treasury sanctions forbid the North Korean groups from accessing any US property and bar US citizens and residents from engaging in any business transactions with the named groups. Foreign financial institutions are banned from facilitating any transactions with the groups.

Sigal Mandelker, the Treasury department’s under secretary for terrorism and financial intelligence, said, “Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs. We will continue to enforce existing U.S. and U.N. sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

North Korea itself is already under steep, long-term global sanctions for its nuclear weapons development, so much so that it cannot engage with other countries in the usual means of commerce and trade for income. Instead, it carries out these illegal hacks to steal the money it needs to fund its nuclear program.

North Korean Hacking Tools on VirusTotal Website

Just one week prior to the sanctions, the US Cyber Command posted close to a dozen samples of malware associated with North Korean hacking tools on the VirusTotal website. The security research community makes use of this information to stay informed and to alert other businesses, agencies and potential victims to developing threats.

A US Representative from Rhode Island and Chair of the House of Armed Services Committee said, “Malicious cyber actors around the world need to know that they cannot act with impunity and that the United States will use all instruments of national power to counter their activity.”

Further resources:

It's official: North Korea is behind Wannacry

EternalBlue reaching new heights since WannaCry outbreak

Protecting server endpoints against Wannacry

Solution Brief: Protection Against Advanced Web Attacks

White Paper: Making Applications Truly Self-Defending