Treasury Department sanctions entities tied to North Korean IT scams, hacking

The Treasury Department issued sanctions on Tuesday cracking down on four entities and one individual involved in malicious cyber activities supporting the Democratic People’s Republic of Korea and its weapons programs.

“Today’s action continues to highlight the DPRK’s extensive illicit cyber and IT worker operations, which finance the regime’s unlawful weapons of mass destruction and ballistic missile programs,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “The United States and our partners remain committed to combatting the DPRK’s illicit revenue generation activities and continued efforts to steal money from financial institutions, virtual currency exchanges, companies, and private individuals around the world.”

One of the sanctioned entities, Pyongyang University of Automation, is responsible for training individuals who go on to work for DPRK’s primary intelligence bureau, Reconnaissance General Bureau. Treasury’s Office of Foreign Assets Control also designated two other RGB-controlled operation centers leading offensive cyber operations. The centers had affiliations with the Lazarus Group, a hacking group also sanctioned by OFAC and known for a massive 2022 heist of $620 million in virtual currency from a blockchain project.

North Korea’s use of malicious cyber activity to evade international sanctions, including its mounting cryptocurrency heists, has become a growing problem for U.S. national security.

Earlier this month, Anne Neuberger, deputy national security adviser for cyber and emerging technology, remarked that malicious cyber activity including virtual currency theft funded roughly half of North Korea’s missile program. In March, a United Nations report found that DPRK cyber actors stole upward of $1 billion in virtual currency in 2022, more than double the previous year. In recent months, researchers have noted that DPRK hackers behind these attacks have expanded their targets and turned to novel techniques to evade detection.

Treasury also sanctioned Chinyong Information Technology Cooperation Company and an associated DPRK national, Kim Sang Man, for their involvement in North Korea’s program to have IT specialists falsify their identities to gain work in wealthier countries in order to fund North Korea’s weapons program. The Treasury Department noted some overlap in activity between the IT workers and malicious cyber actors, a trend also observed by private sector researchers.

“While they do engage in some legitimate IT work, we’ve also seen North Korean espionage actors attempt to leverage insider access to collect sensitive information and further the national interests of the country,” Michael Barnhart, a principal analyst for Mandiant at Google Cloud, told CyberScoop in an email. “While these sanctions probably won’t put a huge dent in the country’s overall funding efforts, it’s imperative that we keep the pressure on these actors and expose their evolving fundraising schemes.”

The sanctions were coordinated with the Republic of Korea, which jointly designated two of the sanctioned parties. Three of the entities were previously sanctioned by South Korea in February.

Separately on Tuesday, OFAC sanctioned several crypto wallets hosted by the Binance exchange that it alleged had ties to North Korea’s weapons program.

Updated May 23, 2023: To include a comment from Mandiant.