At the end of the week, the US Treasury announced sanctions on three groups of “government” hackers from North Korea (Lazarus, Bluenoroff, and Andariel), which have launched a series of devastating attacks on critical US infrastructure and stolen hundreds of millions of dollars from financial institutions around the world. US authorities claim that the stolen funds were used by the North Korean government to finance its weapons and missile programs.
The sanctions, imposed by the Treasury’s Office of Foreign Assets Control, are designed to block any foreign financial institution that knowingly facilitates large transactions for, or provides other services to, these hacking groups, and to freeze any assets associated with them.
The most famous of the three groups is undoubtedly Lazarus, aka Hidden Cobra. It is believed to be the largest of the three and to operate under the direct supervision of North Korea’s Main Intelligence Directorate.
Among the most famous campaigns that I attribute to this group are the hacking of Sony Pictures Entertainment in 2014 and the WannaCry ransomware epidemic in 2016. However, Treasury officials say Lazarus also targets government, military, financial, manufacturing, publishing, media, entertainment, and shipping companies, as well as critical infrastructure.
The second group, Bluenoroff (aka APT38 or Stardust Chollima), was, according to US authorities, created specifically to hack banks and financial institutions, and became the North Korean government’s response of sorts to tightening global sanctions. Since 2014, the group has robbed a number of financial institutions in Bangladesh, India, Mexico, Pakistan, the Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam. Bluenoroff’s best-known operation remains the attempt to steal a billion dollars from the Central Bank of Bangladesh, which failed because of a typo.
The third group, Andariel, has been active since 2015 and, according to Treasury officials, often mixes cyber espionage with other operations. The group is reported to frequently attack South Korean infrastructure “to collect information and provoke unrest,” but it has also taken part in bank card theft, hacked ATMs to extract cash, and stolen user data for subsequent sale on the black market. In addition, Andariel is developing custom malware to compromise online poker and other gambling sites.