Pierluigi Paganini
May 24, 2023
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against four entities and one individual for their role in malicious cyber operations conducted to support the government of North Korea.
“The DPRK conducts malicious cyber activities and deploys information technology (IT) workers who fraudulently obtain employment to generate revenue, including in virtual currency, to support the Kim regime and its priorities, such as its unlawful weapons of mass destruction and ballistic missile programs.” reads the announcement.
The sanctioned entities conducted operations to steal funds to support the military strategy of the regime.
In December 2022, South Korea’s spy agency, the National Intelligence Service, estimated that North Korea-linked threat actors have stolen an estimated 1.5 trillion won ($1.2 billion) in cryptocurrency and other virtual assets in the past five years.
According to the spy agency, more than half the crypto assets (about 800 billion won ($626 million)) have been stolen this year alone, reported the Associated Press.
The NIS added that more than 100 billion won ($78 million) of the total stolen funds came from South Korea.
Cyber security and intelligence experts believe that attacks aimed at the cryptocurrency industry will continue to increase next year. National Intelligence Service experts believe that North Korea-linked APT groups will focus on the theft of South Korean technologies and confidential information on South Korean foreign policy and national security.
Data published by the National Intelligence Service agency confirms a report published by South Korean media outlet Chosun early this year that revealed North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years.
According to local media, US federal prosecutors believe that North Korea’s government considers cryptocurrency a long-term investment and it is amassing crypto funds through illegal activities.
In a classified report cited by Chosun, the US National Intelligence Service (DNI) found that North Korea was financing its ‘priority policies’, such as nuclear and missile development, through cybercrime. Government experts noticed that nation-state actors are not immediately cashing out all the stolen crypto to create a crypto fund reserve.
“Today’s action continues to highlight the DPRK’s extensive illicit cyber and IT worker operations, which finance the regime’s unlawful weapons of mass destruction and ballistic missile programs,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. “The United States and our partners remain committed to combatting the DPRK’s illicit revenue generation activities and continued efforts to steal money from financial institutions, virtual currency exchanges, companies, and private individuals around the world.”
According to the announcement, Pyongyang University of Automation was involved in the training of threat actors, including members of the bureaus directed by the Reconnaissance General Bureau (RGB), with is the core infrastructure in the military structure of Pyongyang.
OFAC also sanctioned the Technical Reconnaissance Bureau and its subordinate cyber unit, the 110th Research Center. The Technical Reconnaissance Bureau leads the DPRK’s development of offensive cyber tactics and tools and coordinates the activities of several departments, including those affiliated with the Lazarus Group.
The 110th Research Center conducted cyber campaigns targeting networks worldwide, in 2013 it carried out a hacking campaign, tracked as DarkSeoul, which destroyed thousands of systems of organizations in the financial sector. The 110th Research Center was also involved in the theft of sensitive government information from entities in South Korea.
The DPRK also deployed IT workers in companies worldwide, including in the technology and virtual currency industries, to generate significant revenues.
The North Korean government maintains a workforce of thousands of highly skilled IT workers around the world, most of them located in the People’s Republic of China and Russia. The revenue generated by these experts contributes to the government’s unlawful WMD and ballistic missile programs. According to the announcement, each worker can earn more than $300,000 per year.
“These workers deliberately obfuscate their identities, locations, and nationalities, typically using fake personas, proxy accounts, stolen identities, and falsified or forged documentation to apply for jobs at these companies. They target employers located in wealthier countries, utilizing a variety of mainstream and industry-specific freelance contracting, payment, and social media and networking platforms.” continues the announcement. “Applications and software developed by DPRK IT workers span a range of fields and sectors, including business, health and fitness, social networking, sports, entertainment, and lifestyle.”
The US Department of the Treasury also states that the Chinyong Information Technology Cooperation Company (Chinyong), aka Jinyong IT Cooperation Company, is involved in the IT worker activities.
Chinyong is associated with the Ministry of Peoples’ Armed Forces, and North Korean national Kim Sang Man.
“As a result of today’s action, pursuant to E.O. 13687 and E.O. 13810, all property and interests in property of the persons named above that are in the United States, or in the possession or control of U.S. persons, are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” concludes the annoucement. “In addition, persons that engage in certain transactions with the individuals or entities designated today may themselves be exposed to designation. Furthermore, any foreign financial institution that knowingly facilitates a significant transaction or provides significant financial services for any of the individuals or entities designated today could be subject to U.S. correspondent or payable-through account sanctions.”
We are in the final!
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini
Please nominate Security Affairs as your favorite blog.
Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, DPRK)
