The Washington PostDemocracy Dies in Darkness

U.S. imposes sanctions on North Korean hackers accused in Sony attack, dozens of other incidents

People walk past a TV screen showing a poster of Sony Pictures’ "The Interview" in a news report in Seoul in 2014.
People walk past a TV screen showing a poster of Sony Pictures’ "The Interview" in a news report in Seoul in 2014. (Ahn Young-Joon/AP)

The Trump administration on Friday imposed sanctions on a notorious, if opaque, constellation of North Korean hackers believed to be responsible for dozens of cyberattacks around the world, including the 2014 hacking of Sony Pictures.

The sanctions targeted what is known as the Lazarus Group and two subgroups dubbed Bluenoroff and Andariel. The Treasury Department said all three are controlled by North Korea’s primary intelligence agency, the Reconnaissance General Bureau (RGB).

The announcement comes a month after a U.N. panel said North Korea had stolen up to $2 billion from financial institutions and cryptocurrency exchanges through cyberattacks and used the proceeds to fund programs developing weapons of mass destruction.

North Korea has denied allegations of orchestrating cyberattacks and cyberheists.

Security experts believe the Lazarus Group stepped up its activity after U.N. sanctions were imposed on North Korea over its nuclear program, effectively starving the government of revenue.

“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs,” said Sigal Mandelker, the Treasury Department’s undersecretary for terrorism and financial intelligence, in a statement. “We will continue to enforce existing U.S. and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks.”

The Treasury Department said the North Korean hackers had targeted governments, the military, financial institutions, entertainment and manufacturing companies, international shipping companies and critical infrastructure.

It was not the first time Washington has hit Pyongyang with sanctions over cybercrimes, nor is it likely to be the last.

“This is yet another indication of how forward-leaning the U.S. government’s position has become in a relatively short period of time on doing attribution of malevolent cyber actors,” said Dmitri Alperovitch, co-founder and chief technology officer of CrowdStrike, a cybersecurity firm that has tracked North Korean hacking groups for more than a decade. “A few years ago, this type of action would have been unprecedented. Today it is routine.”

It is unclear how much impact the sanctions will have.

In November 2014, the Lazarus Group — specifically Andariel — wiped data off 3,000 Sony computers, released embarrassing emails, and threatened violence and more attacks if Sony did not pull a satirical film depicting the assassination of North Korean leader Kim Jong Un.

The Treasury Department imposed sanctions on the RGB after the attack, but the malicious acts continued.

Last year, the Justice Department charged Park Jin Hyok, an alleged North Korean government hacker in connection with the attempted cybertheft of $1 billion from the Bangladesh Bank in 2016, the Sony attack and the WannaCry virus.

The RGB was involved in the WannaCry ransomware attack that affected 300,0000 computers in more than 150 countries in 2017, the largest ransomware attack in history.

U.S. declares North Korea carried out WannaCry attack

And from about 2014 to the present, Bluenoroff has continued to carry out cyber heists against foreign banks to generate revenue for the cash-starved regime, in particular to fund its nuclear weapons and ballistic missile programs, the government said. According to industry experts, by last year Bluenoroff had attempted to steal more than $1.1 billion from banks and had successfully carried out such operations in Bangladesh, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile and Vietnam.

The same group also targeted the SWIFT interbank messaging system and cryptocurrency exchanges such as bitcoin. In one case, according to the Treasury Department, hackers from Bluenoroff and the Lazarus Group requested more than three dozen fund transfers through SWIFT, totaling $851 million. The transfers were foiled only because a typographical error alerted officials to the attempted theft.

Andariel was accused of hacking automatic teller machines to withdraw cash or to steal customer data to sell on the black market. The Treasury Department said Andariel had developed malware to hack online gambling sites and steal cash. The hackers were sophisticated enough to get into the personal computer of South Korea’s defense minister and his agency’s websites to obtain military intelligence.

“Do I think North Korea will change their ways? I think that’s a hard road. I think that’s fairly unlikely,” said John Hultquist, director of intelligence analysis for FireEye, another cyberthreat-analysis firm. He noted that financial cyber theft “is a lifeline for the regime” now. “It’s not really about them projecting power. It’s about them funding themselves to survive.”

Nonetheless, he said: “Calling this stuff out even if we can’t be sure that it will make a difference is worth doing. It illuminates the threat. And anytime we face a threat like this, the best thing the government can do is inform the victims and get the information out there.”

U.S. Cyber Command supported Treasury in the operation by providing North Korean malware samples linked to the cyberattacks, part of the standard coordination between agencies in sanctions cases.

Cyber Command has been sharing more of the intelligence it has gained through operations overseas with the private sector, with the Department of Homeland Security aiding such disclosures.

North Korea has accused Washington of conducting a smear campaign based on lies and for a while threatened to undermine talks between President Trump and Kim.