South Korea issues first independent sanctions on North's cyber activities

North Korea

Published: 10 Feb. 2023, 16:21

South Korea issues first independent sanctions on North's cyber activities

Lee Joon-il, the Foreign Ministry's director-general for North Korean nuclear affairs, gives a briefing on sanctions on North Korea's illicit cyber activities at the ministry in central Seoul Friday. [YONHAP]

South Korea announced on Friday its first independent sanctions on North Korea to counter its illicit cyber activities. Such activities are believed to be used to fund the country's weapons of mass destruction program.

Four North Korean individuals and seven organizations were blacklisted, according to Seoul's Ministry of Foreign Affairs, for their alleged involvement in cyberattacks and cryptocurrency theft.

These cyber activities, often linked with the Reconnaissance General Bureau, the North's military intelligence agency, are considered one of the Kim Jong-un regime's major sources of funding for its nuclear weapons and missile programs amid stringent international sanctions on the country.

North Korean hackers stole over $1.2 billion in virtual assets since 2017, including $626 million in 2022 alone, according to data released by the Foreign Ministry.

The blacklisted individuals are Park Jin-hyok, Jo Myong-rae, Song Rim and Oh Chung-seong.

Park, the most notorious of the four hackers, is an information technology worker with the Chosun Expo Joint Venture, described as a front company affiliated with North Korea's Lazarus Group. He is known for taking part in a cyberattack on Sony Pictures Entertainment in November 2014 and the WannaCry ransomware attack in 2017. He was blacklisted by the U.S. Treasury in 2018.

The other three individuals were blacklisted for the first time by the South Korean government and are allegedly state-sponsored hackers who took part in cyberattacks, developing viruses or producing phishing applications.

Song is a software developer at Hapjanggang Trading Corporation accused of programming and distributing voice phishing smartphone apps.

Cho was the head of a computer technology research institute under the Reconnaissance General Bureau and developed a new virus capable of attacking computer networks. Oh developed and distributed IT programs for a number of companies through a job platform in Dubai.

The sanctioned organizations include the Lazarus Group, Bluenoroff and Andariel, which are linked to the Reconnaissance General Bureau, blacklisted by the United States since 2019.

Experts point out that the three hacking groups are essentially the same organization under the North's reconnaissance bureau.

Lazarus Group stole nearly $620 million through online game Axie Infinity, a video game that allows players to earn cryptocurrency, in one of the single largest cyber theft cases in 2022. The hacking group has been accused of being behind a series of both small and large-scale cyberattacks over the past decade.

Also newly sanctioned were Chosun Expo Joint Venture, as well as Technical Reconnaissance Bureau, another hacking group under the Reconnaissance General Bureau, which has been blacklisted for the first time in the world by South Korea.

"This marks South Korea's first independent sanctions against North Korea in the cyber field," said Lee Joon-il, director-general for North Korean nuclear affairs at the Foreign Ministry, in a briefing Friday.

"As North Korea's annual exports have decreased by about 100 billion won recently, it has been stealing virtual assets from all over the world, including developing countries and countries friendly to North Korea," said Lee. "This measure is an effort to protect not only our national security, but also the assets of people around the globe."

The U.S. Federal Bureau of Investigation (FBI) poster shows that Park Jin-hyok a North Korea hacker is wanted for multiple cyber attacks. [FBI]

North Korean IT workers can fake their identities and nationalities and eventually get employed at a client company in another country, where they can earn funds to send back to their home country through a proxy bank account.

This marks South Korea's third round of independent sanctions on the North since the launch of the Yoon Suk Yeol administration in May 2022, following the blacklisting of individuals and institutions linked to North Korea's nuclear and missile programs and sanctions evasions in October and December last year.

The South Korea-U.S. working group on North Korean cyber threats was established in August last year.

On Dec. 8, 2022, the South Korean government issued a joint advisory warning of North Korean IT workers and shared information with private companies. It has also been requesting that countries with North Korean IT workers expel them from the countries and cooperating with the international community on the issue.

On Thursday, South Korea's National Intelligence Service, in collaboration with U.S. intelligence agencies including the National Security Agency (NSA), issued a joint cybersecurity advisory on North Korea's ransomware threat.

It is the first time that South Korean and U.S. intelligence agencies have issued a joint security advisory.

The United States' Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigations, the U.S. Department of Health and Human Services and Defense Security Agency also joined in the advisory.

The NSA said in a statement that North Korean cyber actors "have been using cryptocurrency generated through illicit cybercrime activities to procure infrastructure such as IP addresses and domains" and "conceal their affiliation" to "exploit common vulnerabilities" and perform ransomware activities.

BY SARAH KIM [kim.sarah@joongang.co.kr]