North Korean hacking groups hit with Treasury sanctions


The Department of the Treasury hit three North Korean groups with new sanctions Sept. 13 for conducting cyberattacks against critical infrastructure, including the infamous WannaCry ransomware attacks.

Treasury's Office of Foreign Asset Control announced that Lazarus Group, an advanced persistent threat believed to be working at the behest of the North Korean government and two of its subgroups, dubbed Bluenoroff and Andariel, will have any U.S.-based or adjacent assets frozen and any organizations or financial institutions that do business with them are also at risk for designation.

"We will continue to enforce existing U.S. and UN sanctions against North Korea and work with the international community to improve cybersecurity of financial networks," said Sigal Mandelker, undersecretary for terrorism and financial intelligence at Treasury in a statement.

Lazarus Group was identified by U.S. officials in late 2017 as the group responsible for unleashing WannaCry, which wrought havoc across hospital and health care organizations in the United Kingdom and other countries, as well as the 2014 Sony hack.

According to research from numerous threat intelligence firms, Bluenoroff is known for targeting financial institutions around the globe, including a 2016 heist that leveraged vulnerabilities in the SWIFT financial system to steal nearly $1 billion in illegal wire transfers from the Bank of Bangladesh. Andariel has focused on businesses, governments and other institutions in South Korea and other places, stealing bank and ATM card information and pilfering military secrets. All three groups are accused on conducting malicious cyber operations designed to steal money in order to fund North Korea's missile and weapons programs.

Financially-motivated cyberattacks are a key source of income for the North Korean government, which is already subject to significant global sanctions that prevent the regime from engaging in most normal forms of commerce with Western and other countries. The United States and its allies, on the other hand, have made a concerted effort in recent years to bring all intelligence, diplomatic and other resources to bear in order to identify and punish state-sponsored hacking groups.

Dmitri Alperovich, chief technology officer for threat intelligence firm Crowdstrike, said the sanctions were "yet another indication" of how much speedier the U.S. and other nations have become at identifying and attributing malicious cyber activity to specific actors and nations.

"A few years ago, this type of action would have been unprecedented. Today it is routine," said Alperovich.

John Hultquist, Director of Intelligence Analysis and FireEye, said the "sheer scale" of financially motivated attacks from these groups indicate that they are a key source of revenue for Pyongyang and that sanctions may not serve as an effective deterrent for a government like North Korea that lacks other options to fill the void.

"Even if they were to take a lighter hand to the U.S., much of their criminal activity takes place beyond the U.S. in countries who may not have the same ability to change North Korea's behavior," said Hultquist. "It's also important to remember that this activity appears to be very lucrative, and the choice for the cash-strapped regime to give it up will be a hard one."

The sanctions come less than a week after U.S. Cyber Command uploaded nearly a dozen malware samples associated with North Korean hacking tools onto the website VirusTotal. Doing so makes it easier for the broader security research community to identify and share indicators of those tools with businesses, governments and other potential victims and mitigate future attacks.

Representative Jim Langevin (D-R.I.), Chair of the House Armed Services Committee, released a statement following the actions congratulating Treasury and CyberCom and urging further action to curb North Korean cyber operations.

"Responsible nations do not engage in this kind of destabilizing behavior, and we must take action to hold irresponsible states accountable," said Langevin. "Malicious cyber actors around the world need to know that they cannot act with impunity and that the United States will use all instruments of national power to counter their activity."

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.