The United States Treasury Department levied economic sanctions on a score of North Korean entities and one individual central to the rogue state’s illicit online activities, the same day research emerged about the latest targeted cyberattacks carried out by a North Korean espionage threat group.
The U.S. Treasury announced on May 23 it sanctioned four entities and one North Korean national who are alleged to be involved in training hackers, carrying out cyberattacks, and running a clandestine international IT workforce.
Treasury’s Office of Foreign Assets Control levied sanctions against Pyongyang University of Automation, which it said trains hackers who often go on to work for the DPRK’s main offensive cyber branch, the Reconnaissance General Bureau (RGB).
It also sanctioned the RGB’s Technical Reconnaissance Bureau (TRB) and its cyber unit, the 110th Research Center, along with DPRK-based Chinyong Information Technology Cooperation Company and one of its representatives, Kim Sang Man.
Chinyong, believed to be an arm of the Ministry of People’s Armed Forces, North Korea’s defense agency, sends delegations of IT workers to countries like Russia and Laos, where some can earn salaries up to $300,000 a year to send money back to the regime.
U.S. officials said they believe Kim, a North Korean national based in Vladivostok, Russia, is an agent of the RBG who buys and acquires IT equipment on behalf of the regime and helps send payments to family members of IT workers overseas. He also helps to route cryptocurrency payments to Pyongyang, transferring at least $2 million in funds sent by IT workers in Russia and China in 2021.
OFAC said the TRB leads North Korea’s development of offensive cyber tactics and tools, operating several departments including those affiliated with the Lazarus Group, while Chinyong employs North Korean IT workers operating in Russia and Laos.
Although unlikely to have any practical impact on North Korea’s cyber exploits, the sanctions enable the government to seize any U.S.-based assets it discovers belonging to the entities. Treasury officials said that, like many hacking campaigns out of Pyongyang, the work of these entities were designed to support the country’s nuclear weapons program, which President Kim Jong Un and military leaders see as key to the regime’s long-term survival.
“Today’s action continues to highlight the DPRK’s extensive illicit cyber and IT worker operations, which finance the regime’s unlawful weapons of mass destruction and ballistic missile programs,” said Brian E. Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence.
DPRK cyber actors stole more virtual currency in 2022 than in any previous year, with estimates ranging from $630 million to over $1 billion, reportedly doubling Pyongyang’s total cyber theft proceeds in 2021.
News of the sanctions coincided with an announcement by the State Department of a May 24 symposium to discuss North Korea’s exploitation of a large network of remote IT workers. The State Department said it would co-host the symposium in San Francisco with South Korea’s Ministry of Foreign Affairs to discuss tackling the DPRK’s evasion of sanctions using its remote IT workforce.
It said the DPRK had thousands of IT workers who took up international freelance employment contracts to help fund the nation’s weapons programs and to gain network access to enable cyberattacks.
“Like other DPRK workers employed in third countries, DPRK remote IT workers may be subjected to forced labor and constant and close surveillance by government security agents,” the State Department said.
“IT workers have also been forced to work 12-16 hours per day, which may be an indicator of forced labor and an abuse of their human rights.”
Kimsuky campaign uses tailored reconnaissance toolkit
Meanwhile, SentinelLabs revealed that Kimsuky, a cyberespionage group believed to have close ties to North Korean leadership, has been laying the groundwork for future attacks by focusing on reconnaissance and stealing system and hardware information. In a May 23 post, the threat research group said the campaign indicates Kimsuky is using a variant of a “constant staple” piece of malware called RandomQuery that has been tweaked for file enumeration and information exfiltration from Windows systems.
“The malware’s ability to exfiltrate valuable information, such as hardware, operating system, and file details, indicates its pivotal role in Kimsuky’s reconnaissance operations for enabling tailored attacks,” wrote Aleksandar Milenkoski, a senior threat researchers at SentinelLabs.
Milenkoski said Kimsuky uses specially crafted phishing emails to deploy RandomQuery. The emails included a Microsoft Compiled HTML Help (CHM) attachment containing a malicious shortcut object that, when clicked, created a Base-64 encoded file in the %USERPROFILE%\Links\ directory.
It decoded the file using the certutil utility, creating a VB script, and then stored the script in a separate file. Persistence was established by editing the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key so the new VB script was executed at system startup.
The VB script issued a HTTP GET request to a command-and-control server URL and executed the second-stage payload returned from the server.
The RandomQuery variant used by Kimsuky set Internet Explorer configurations that enabled the uninterrupted use of the browser by the malware, which then gathered and exfiltrated information about the infected platform.
Exfiltration involved Base64-encoding the gathered information and then constructing and issuing an HTTP POST request containing the information to the command-and-control server URL.
Milenkoski said the persistent attacks carried out by Kimsuky and its “continuously advancing attack toolkit ... underscore the ever-changing landscape of North Korean threat groups, whose remit not only encompasses political espionage but also sabotage and financial threats.”
