The US Treasury Department sanctioned four North Korean entities and one individual for their involvement in malicious cyber activities that helped to Pyongyang to raise money to support its weapons program.
The list of sanctioned entities includes Pyongyang University of Automation, described by the authorities as “one of the DPRK’s premier cyber instruction institutions,” Technical Reconnaissance Bureau, and the 110th Research Center - two other entities controlled by the Reconnaissance General Bureau (RGB), North Korea’s primary intelligence service and main entity responsible for the country’s malicious cyber activities.
Technical Reconnaissance Bureau leads the DPRK’s development of offensive cyber tactics and tools and operates several departments, including those affiliated with the Lazarus Group, one of the most well-known hacker groups linked to North Korea.
The 110th Research Center has conducted cyber operations against networks worldwide, including the campaign known as DarkSeoul, which destroyed thousands of financial sector systems and resulted in outages at the top three media companies in South Korea.
The US Treasury also sanctioned Chinyong Information Technology Cooperation Company and one of its executives, Kim Sang Man, for their involvement in North Korea’s program to have IT specialists falsify their identities to obtain employment in wealthier countries in order to fund North Korea’s weapons program.
This week, SentinelLabs detailed an ongoing cyber-espionage campaign by a North Korean APT group tracked as Kimsuky, targeting North Korea-focused information services, human rights activists, and DPRK-defector support organizations. The campaign involves a variant of the RandomQuery malware that has the single objective of file enumeration and information exfiltration.
Kimsuky distributes RandomQuery using Microsoft Compiled HTML Help (CHM) files.