The Treasury Department on Friday sanctioned Lazarus Group, a North Korean hacking organization, and two of its subsidiaries for generating revenue by illicit means in order to facilitate Pyongyang’s weapon and missile programs. Unlike previous U.S. sanctions on North Korean hackers, the latest designations target individual hacking units within the regime rather than the larger government bodies that oversee them. Nevertheless, the U.S. move will likely prove insufficient to deter North Korea’s cyber operations.
Treasury noted that Pyongyang’s primary intelligence agency, the Reconnaissance General Bureau (RGB), controls the state-sponsored Lazarus Group and its subsidiaries, Bluenoroff and Andariel. The RGB, which directs North Korea’s cyber activities, reports directly to the regime’s highest decision-making body, the State Affairs Commission, which Kim Jong Un personally oversees. The United States and the United Nations sanctioned the RGB in 2015 and 2016, respectively.
The U.S. government and private cybersecurity companies have attributed several major North Korean cyberattacks to the Lazarus Group, such as the Sony Pictures hack of 2014 and the WannaCry ransomware attack of 2017. According to Treasury, Lazarus has harmed a wide range of victims, including government, military, and financial institutions, as well as critical infrastructure. Treasury also noted that Lazarus employs a range of tactics, from espionage and data theft to money heists and destructive malware operations.
For instance, the WannaCry attack combined extortion with destructive malware operations. The attack had no specific target but instead infected over 230,000 computers worldwide with ransomware that would encrypt 176 unique file types and demand that the user pay a $300 ransom in Bitcoin to decrypt them. This operation was unique because it leveraged the EternalBlue exploit, which could infect any computer lacking the requisite protection.
Bluenoroff and Andariel, by contrast, have focused primarily on banks and financial institutions. Bluenoroff targeted Bangladesh Bank in 2017, in an operation in which the hackers aimed to steal $1 billion but only managed to take $81 million. According to an August 2019 report by a UN Panel of Experts, North Korean cyber operatives have attempted to steal as much as $2 billion since late 2015 to fund the regime’s weapons of mass destruction programs.
While justified, the new U.S. sanctions are largely symbolic. North Korean hacking groups, even prolific ones, are unlikely to have traditional bank accounts that Washington can freeze.
Treasury should therefore turn its attention to the front companies and foreign banks that directly finance the RGB and enable the Kim regime’s illicit activities. One potential target is a Malaysian company called Glocom. According to the UN Panel of Experts, Glocom has operated an “extensive network of individuals, companies and offshore bank accounts” to “procure, market, and sell arms and related material” to finance the RGB.
With a potential resumption of bilateral working-level talks between Washington and Pyongyang on the horizon, it is imperative that the U.S. build on Treasury’s latest action by targeting Lazarus’ financiers. This would provide the U.S. with more leverage in negotiations to compel Pyongyang to compromise.
Mathew Ha is a research associate focused on North Korea at the Foundation for the Defense of Democracies (FDD), where he also contributes to FDD’s Center on Economic and Financial Power (CEFP) and Center on Cyber and Technology Innovation (CCTI). Follow Mathew on Twitter @MatJunsuk. Follow FDD on Twitter @FDD and @FDD_CEFP. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.