Government-Sponsored Groups Have Attempted to Steal Nearly $2 Billion, US Officials Say
The U.S. State Department is offering a $5 million reward for information about North Korean-sponsored hacking campaigns.
The reward was described in an advisory notice issued this week by the U.S. departments of Homeland Security, State and Treasury, as well as the FBI and the Cybersecurity and Infrastructure Security Agency. The agencies portrayed the notice as technical guidance and threat intelligence for organizations, especially financial institutions, that might be targeted by North Korean-sponsored hacking.
“North Korea’s malicious cyber activities threaten the United States and countries around the world, and, in particular, pose a significant threat to the integrity and stability of the international financial system,” according to the advisory.
Some security analysts say this week’s advisory was issued to help keep organizations aware of the ongoing threat posed by North Korean-linked groups, especially at a time when the world is consumed with the COVID-19 pandemic and security procedures may have become lax.
“We are in the middle of another crisis right now, and you can never really afford to take your eye off North Korea – and a lot of the incidents we have seen in the past seemed to have come out of nowhere,” says John Hultquist, senior director of intelligence analysis at security firm FireEye. “They are still very aggressive, and it seems that they are still pursuing their programs.”
Targeting Financial Institutions
In this week’s advisory, officials note that hacking groups tied to North Korea have engaged in a range of cyber activity designed to steal money. These include theft and money laundering activities as well as cryptojacking schemes designed to penetrate the networks of cryptocurrency exchanges to steal virtual currencies. The alert also notes that these hacking groups are loaning out their expertise to third parties, with the blessing of the North Korean regime, to carry out extortion schemes and collect even more money.
“Though we knew that these operators were involved in freelancing and other commercial activity such as software development, we had no evidence that they were carrying out intrusions and attacks on behalf of anyone other than the North Korean regime,” Hultquist says.
U.S. officials say North Korean-sponsored hackers have attempted to steal as much as $2 billion since agencies first started tracking these groups several years ago. This reflects similar findings in a United Nations report published in March 2019 (see: UN Report: N. Korea Targets Cryptocurrency Exchanges, Banks).
The North Korean government, because it faces international economic sanctions, uses hacking schemes to raise funds for weapons programs and other purposes, according to U.S. and U.N. officials.
In March, the U.S. Justice Department indicted two Chinese nationals for allegedly laundering $100 million in cryptocurrency stolen from cryptocurrency exchanges by North Korean hackers in 2018 (see: 2 Chinese Nationals Indicted for Laundering Cryptocurrency).
Back in September 2019, the Treasury Department issued sanctions against several hacking groups with alleged ties to the North Korean government.
In this week’s advisory, the agencies urge financial institutions and others to adopt better security measures to mitigate hacker risks. Those include:
- Raising awareness of the threat that North Korean-sponsored hacking activities and cyber intrusions pose;
- Sharing technical information with other organizations as well as government agencies;
- Adopting best practices for security, including the National Institute of Standards and Technology’s Cybersecurity Framework and the Department of Energy’s Cybersecurity Capability Maturity Model;
- Notifying law enforcement of suspected hacking attempts;
- Making sure anti-money laundering and other financial regulations are followed to cut down on the flow of illicit funds.
This week’s alert mainly focuses on the activities of an alleged state-sponsored hacking group known as Hidden Cobra or the Lazarus Group.
In September 2018, U.S. prosecutors charged Park Jin Hyok of North Korea with being part of the group. They alleged that he was one of the main architects of WannaCry and other attacks, including those against Sony and Bangladesh Bank. North Korea and the U.S. do not have a formal extradition treaty, which means that it’s unlikely that Hyok will ever face trial.
Seongsu Park, senior security researcher at Kaspersky, tells ISMG that Lazarus, as well as subgroups associated with it, remain active and continue to target financial institutions, especially cryptocurrency exchanges.
“We continue to track their activities, especially the BlueNoroff [a Lazarus subgroup] attacks that are targeted at cryptocurrency exchanges, fintech companies and other financial businesses,” Park says. “Until recently, they have been attacking the financial sector through several campaigns, and the tools and methodologies they used are rapidly becoming sophisticated.”