
U.S. and Allies Sanction Kimsuky Actors

The United States government, along with three foreign partners, sanctioned alleged members of Kimsuky, a North Korean state-sponsored hacking group that is believed to be responsible for a long list of campaigns against entities in the U.S., South Korea, Russia, Japan, and many European countries.

The sanctions are a direct response to North Korea’s launch of a reconnaissance satellite on Nov. 21, and are designed to damage that country’s economic and military programs. Kimsuky is one of many cyberespionage and APT groups associated with the North Korean government that work to steal intellectual property, cryptocurrency, and other valuable assets to support the government’s weapons programs, according to the Department of the Treasury. As part of Thursday’s actions, the Office of Foreign Assets Control (OFAC) designated eight North Korean nationals, alleging that they are involved in weapons procurement, money laundering, and other illicit activities on behalf of the North Korean government.

“The DPRK’s use of overseas laborers, money launderers, cyber espionage, and illicit funding continue to threaten international security and our allies in the region. We will remain focused on targeting these key nodes in the DPRK’s illicit revenue generation and weapons proliferation,” said Treasury Under Secretary for Terrorism and Financial Intelligence Brian E. Nelson.

Australia, Japan, and South Korea joined the U.S. in the sanctions.

Kimsuky is a venerable and highly active APT team that works under the auspices of the North Korean government’s Reconnaissance General Bureau, an agency that OFAC designated 13 years ago. The group typically relies on highly targeted spear phishing campaigns and usually goes after victims in think tanks, government agencies, media organizations, and academic institutions. It’s not the stealthiest or most advanced team working from North Korea, but Kimsuky has been active since at least 2012 and has more than its fair share of successes. Like other North Korean state-backed threat groups, Kimsuky’s activities help support the government’s military and weapons programs, which in recent years have suffered under sanctions from the United Nations.

One of the country’s main sources of funding for these programs has become cryptocurrency, much of it lifted from individual victims, exchanges, and organizations around the world, according to the U.S. government’s sanctions. Thursday’s sanctions are meant to further disrupt the country’s ability to generate revenue to fund its weapons programs and military operations.

“Today’s actions target the DPRK’s access to revenue and weapons, generated through state-owned entities, banks, and trading companies, specifically through their globally deployed trade and bank representatives. These individuals provide critical access to foreign technology vital to the DPRK’s domestic weapons program and enable DPRK revenue generation through access to the international financial system. A portion of the revenue from these activities has been funneled towards domestic WMD-related technology and missile systems,” the statement from the Treasury Department says.

The eight individuals sanctioned Thursday are Kang Kyong Il, Ri Sung Il, Kang Phyong Guk, So Myong, Choe Un Hyok, Jang Myong Chul, Choe Song Chul, and Im Song Sun. The Treasury Department alleges that the individuals are involved in arms sales, cyber espionage, and illicit financial transactions around the world.

The new sanctions are part of a recent push by the federal government to use whatever means it has at its disposal to disrupt the activities of APT groups and cyber espionage teams working on behalf of foreign governments. The U.S. has sanctioned many other North Korean nationals in recent years, as well as Russian and Iranian nationals alleged to be part of state-backed attack teams that have targeted U.S. entities.

These sanctions have little immediate effect on the individuals and companies they’re associated with, however. The North Korean administration tends not to pay much attention to what Western governments do, and is unlikely to curb any of its ongoing activities as a result of these sanctions. But the move does show the continued commitment from the U.S. government and its allies to shining as much light as possible on the cyber espionage activities of the DPRK.