The US Department of the Treasury on Tuesday announced sanctions against four entities and one individual for engaging in malicious cyber activities on behalf of the North Korean government.
North Korean threat actors, such as the infamous Lazarus group, launch malicious campaigns targeting organizations and individuals worldwide to generate illicit revenue to support the Pyongyang regime and its priorities, the US says.
According to the Treasury’s Office of Foreign Assets Control (OFAC), North Korean threat actors are trained at the Pyongyang University of Automation, with many of them landing jobs within units of the Reconnaissance General Bureau (RGB), the country’s primary intelligence bureau.
RGB, which was designated by OFAC in 2015 as being subordinated to the North Korean government, also controls the Technical Reconnaissance Bureau and its cyber unit, the 110th Research Center.
In leading Pyongyang’s development of cyber tools and tactics, the Technical Reconnaissance Bureau operates multiple departments, some affiliated with Lazarus, which the US blamed for a $620 million crypto heist last year.
The 110th Research Center, the US says, is responsible for numerous cyberattacks, including the devastating DarkSeoul campaign, and for the theft from South Korea of sensitive government information related to military defense and response planning.
“Pyongyang University of Automation, Technical Reconnaissance Bureau, and the 110th Research Center are being designated pursuant to E.O. 13687 for being agencies, instrumentalities, or controlled entities of the Government of North Korea or the Workers’ Party of Korea,” the US announced.
North Korea, the US says, also generates revenue through IT workers who fraudulently obtain employment at organizations worldwide, including in the technology and cryptocurrency sectors.
Mainly located in China and Russia, these workers hide their identities through fake personas and other means to apply for jobs at companies in wealthier countries. These individuals are subordinated to North Korean entities involved in the country’s weapons of mass destruction and ballistic missile programs.
Their work typically differs from North Korea’s malicious cyber activity, but they were seen in some cases supporting the country’s cyber program through privileged access to virtual currency firms.
According to the US, Chinyong Information Technology Cooperation Company (Chinyong), also known as Jinyong IT Cooperation Company, which is associated with the Ministry of Peoples’ Armed Forces, and North Korean national Kim Sang Man, are involved in such IT worker activities.
“Pursuant to E.O. 13687 and E.O. 13810, all property and interests in property of the persons named above that are in the United States, or in the possession or control of U.S. persons, are blocked and must be reported to OFAC. In addition, any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked,” the US says, warning that sanctions may be slapped on any organizations or individuals associated with these entities.
