Sanctions Imposed on North Korean Cyberespionage Group Kimsuky: The Threat to Global Security and How APT43 Continues to Evade Scrutiny

U.S. Sanctions North Korean Cyberespionage Group Kimsuky
The United States Treasury Department's Office of Foreign Assets Control (OFAC) has imposed new sanctions on Kimsuky, a North Korean cyber-espionage group. Announced in direct response to the North Korean government's launch of a military reconnaissance satellite on November 21, the sanctions aim to disrupt the Democratic People's Republic of Korea's (DPRK) capacity to generate revenue, collect intelligence, and procure resources, all of which reportedly advance the country's weapons of mass destruction (WMD) program.
Kimsuky's activity is tracked in the cybersecurity industry under several names, including APT43, Emerald Sleet, Velvet Chollima, TA406, and Black Banshee. According to the Treasury Department, "Kimsuky, active since 2012, is subordinate to the U.N.- and U.S. designated Reconnaissance General Bureau (RGB), the DPRK's primary foreign intelligence service."
OFAC Announces Sanctions Against Kimsuky
Once focused predominantly on South Korean government entities, individuals, and think tanks, the group has since broadened its targeting to include entities associated with the United States, the United Nations, Russia, and Europe. Its primary objective is assessed to be the collection of foreign intelligence on the Korean peninsula, nuclear policy, and other national security matters.
This is the first OFAC designation of Kimsuky itself, but not of its parent organization: OFAC designated the Reconnaissance General Bureau, North Korea's primary foreign intelligence service, on August 30, 2010, and re-designated it on January 2, 2015.
Sanctions Also Imposed on Eight Foreign North Korean Agents Linked to Sanction Evasion and Weapons Programs
In addition to designating Kimsuky, OFAC sanctioned eight foreign-based DPRK agents who facilitate the evasion of international sanctions and support the nation's weapons programs. The action is a direct response to the DPRK's satellite launch and an attempt to curtail its ability to carry out strategic operations that contribute to its WMD program.
The current round of sanctions is intended to further constrain the DPRK's unlawful activities by undermining its ability to collect intelligence and marshal resources for its WMD ambitions.
About Kimsuky
Active since 2012, Kimsuky is a clandestine group subordinate to the Reconnaissance General Bureau (RGB), the primary foreign intelligence service of the Democratic People's Republic of Korea (DPRK). The RGB is designated by both the United Nations and the United States.
In recognition of the RGB's illicit activities and its status as a controlled entity of the North Korean government, the Office of Foreign Assets Control (OFAC) designated the bureau on August 30, 2010, and re-designated it on January 2, 2015. The cybersecurity industry tracks Kimsuky's malicious cyber activity under various names, including APT43, Emerald Sleet, Velvet Chollima, TA406, and Black Banshee.
Controlled by North Korea's Main Foreign Intelligence Service, the Reconnaissance General Bureau
Kimsuky is primarily an intelligence-collection entity, and its cyber espionage campaigns directly support the DPRK's nuclear and strategic programs. Because it is subordinate to the Reconnaissance General Bureau, and thereby to the North Korean government, OFAC designated Kimsuky under E.O. 13687 for being an agency, instrumentality, or controlled entity of the Government of North Korea.
Known for Intelligence Gathering for Pyongyang's Nuclear and Strategic Efforts
The group is known for intelligence gathering in support of Pyongyang's nuclear and broader strategic ambitions. Its principal initial-access technique is spear-phishing aimed at individuals affiliated with governments, research centers, think tanks, academic institutions, and news media organizations. Targets include entities in Europe, Japan, Russia, South Korea, and the United States.
Targeting Governments, Think Tanks, Research Centers, Universities, and News Organizations in the Global Scene
Kimsuky uses social engineering to collect intelligence on diplomatic efforts, geopolitical events, and foreign policy strategies that bear on the DPRK's interests. To obtain that information, the group compromises targeted organizations and exfiltrates their private documents, research, and communications. Because of this escalating cyber activity and its ties to the North Korean government, Kimsuky is now sanctioned under E.O. 13687.
Demonstrated Resilience despite Exposure, Employing Sophisticated Social Engineering Tactics
Despite repeated public exposure and scrutiny, Kimsuky has shown remarkable resilience and adaptability, and it continues to rely on carefully crafted social engineering to carry out its collection missions. Its tradecraft has been documented in joint advisories from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and U.S. Cyber Command's Cyber National Mission Force (CNMF). Organizations that fit Kimsuky's target profile should therefore maintain a heightened security posture and adequately protect their infrastructure. Key mitigations include hardening against spear-phishing (enforcing sender authentication with SPF, DKIM, and DMARC, and filtering attachments and links), requiring multi-factor authentication, and conducting user awareness training.
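The spear-phishing defenses mentioned above are easier to reason about with a concrete check. The following is an added example, not code from the original article or from any of the agencies it cites: a small triage helper that scores an inbound message against indicators typical of the social-engineering campaigns described in this article (a Reply-To that diverts replies to a different domain, a known contact's display name on an outside address, and SPF/DMARC failures recorded by the receiving mail server). The domain list, the contact list, and both sample messages are constructed for illustration and are not real captures.

```python
"""Added example (not from the original article): score inbound mail for
common spear-phishing indicators. All domains, contacts and sample messages
below are constructed placeholders, not real data."""
from __future__ import annotations

from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed: domains the organisation treats as its own (hypothetical values).
INTERNAL_DOMAINS = {"example.org"}
# Assumed: display names of staff or frequent correspondents that an attacker
# might impersonate, mapped to the domain they legitimately send from.
KNOWN_CONTACTS = {"Dr. Jane Researcher": "example.org"}


def _domain(addr_header: str) -> str:
    """Return the lowercase domain part of an RFC 5322 address header."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(msg: Message) -> list[str]:
    """Return the list of indicators that fired for one parsed message."""
    findings: list[str] = []
    from_hdr = msg.get("From", "")
    from_name, _ = parseaddr(from_hdr)
    from_domain = _domain(from_hdr)
    reply_domain = _domain(msg.get("Reply-To", ""))

    # 1. Reply-To points at a different domain than From: any reply (and any
    #    document the target sends back) goes to an attacker-controlled mailbox.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain mismatch ({from_domain} -> {reply_domain})")

    # 2. Display name of a known contact, but the address is not on that
    #    contact's domain: impersonation of a colleague, researcher or journalist.
    expected = KNOWN_CONTACTS.get(from_name)
    if expected and from_domain != expected:
        findings.append(f"display name '{from_name}' impersonated from {from_domain}")

    # 3. The receiving MTA recorded an SPF or DMARC failure for the sender.
    auth = (msg.get("Authentication-Results", "") or "").lower()
    for mech in ("spf", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed")

    # 4. Sender claims to be internal but the message did not pass DMARC.
    if from_domain in INTERNAL_DOMAINS and "dmarc=pass" not in auth:
        findings.append("internal sender without DMARC pass")

    return findings


def triage(raw: str) -> tuple[int, list[str]]:
    """Parse a raw RFC 5322 message and return (score, indicators)."""
    findings = phishing_indicators(message_from_string(raw))
    return len(findings), findings


# Constructed sample messages (not real captures).
SUSPICIOUS = """\
From: "Dr. Jane Researcher" <jane.researcher@mail-example.net>
Reply-To: jane.researcher.questions@example-webmail.com
To: analyst@example.org
Subject: Request for comment on Korean peninsula security paper
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-example.net; dmarc=fail header.from=mail-example.net

Could you review the attached draft and send your comments?
"""

BENIGN = """\
From: "Dr. Jane Researcher" <jane.researcher@example.org>
To: analyst@example.org
Subject: Meeting notes
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dmarc=pass header.from=example.org

Notes attached.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        score, hits = triage(raw)
        print(f"{label}: score={score} {hits}")
```

The heuristics only read headers the receiving mail server already records, so they can run at the gateway before any attachment is opened; the real value of the display-name check depends on keeping the contact list current, which is the part user awareness training feeds into.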
Previous Sanctions against North Korean Cyber Activities
The United States has a history of imposing sanctions in response to North Korean cyber operations. Kimsuky is the latest target: its designation addresses its cyber-espionage activity, while the eight agents designated alongside it were sanctioned for facilitating sanctions evasion, including missile technology procurement. The action is a direct response to North Korea's recent reconnaissance satellite launch and its continued use of illicit cyber operations to generate revenue and collect intelligence.
Sanctions against Cryptocurrency Mixer Sinbad for Assisting North Korean Hacking Group Lazarus in Laundering Stolen Cryptocurrency
The day before the Kimsuky designation, the U.S. government sanctioned the cryptocurrency mixer Sinbad.io, whose infrastructure was also seized by law enforcement. Sinbad was identified as the "preferred mixing service" of the North Korean state-sponsored Lazarus Group and was accused of laundering cryptocurrency stolen by the group, making it a prime target for sanctions.
As with Kimsuky, Lazarus Group has been the focus of U.S. sanctions because of the significant threat it poses; OFAC designated the group in September 2019. The consequences of these designations serve as a warning to other threat actors operating in aid of the North Korean regime.
Like Kimsuky, Lazarus Group has been associated with a range of malicious cyber operations, from intelligence theft and cryptocurrency heists to ransomware attacks. The seizure and sanctioning of Sinbad demonstrate the U.S. government's determination to combat North Korean illicit activity in the digital space, including the use of cryptocurrency to fund those activities.