North Korean hackers stole more virtual currency in 2022 than in any previous year, with estimates ranging from $630 million to over $1 billion — reportedly doubling Pyongyang’s total cybertheft proceeds in 2021.

The US Department of Treasury has imposed sanctions on four entities and one individual involved in malicious online activities and illicit revenue generation for the Democratic People’s Republic of Korea (North Korea).

The entities and individual sanctioned are the Pyongyang University of Automation, the Technical Reconnaissance Bureau, the 110th Research Center cyber unit, Chinyong Information Technology Cooperation Company, and North Korean national Kim Sang Man, the US Department of State said in a press statement.

Sanctioned entities and individual

The Pyongyang University of Automation, Chinyong, Technical Reconnaissance Bureau, and the 110th Research Center are being designated for being agencies, instrumentalities, or controlled entities of the government of North Korea or the Workers’ Party of Korea.

Pyongyang University of Automation is one of North Korea’s premier cyber instruction institutions and is responsible for training malicious cyber actors, many of whom go on to work in cyber units subordinate to the Reconnaissance General Bureau (RGB).

RGB is North Korea’s primary intelligence bureau and the main entity responsible for the country’s malicious cyber activities. The RGB was designated on January 2, 2015, for being a controlled entity of the government of North Korea, according to a press release by the US Department of Treasury.

The RGB-controlled Technical Reconnaissance Bureau and its subordinate cyber unit, the 110th Research Center, have also been sanctioned. The DPRK-based Technical Reconnaissance Bureau leads the DPRK’s development of offensive cyber tactics and tools and operates several departments, including those affiliated with the Lazarus Group, the Treasury Department said in the release.

“The Lazarus Group was designated by OFAC on September 13, 2019, as an agency, instrumentality, or controlled entity of the Government of North Korea,” the Department of Treasury said. 

The 110th Research Center has conducted cyberattacks against networks worldwide, including in the US and the Republic of Korea (ROK). In 2013, the 110th Research Center conducted a campaign known as DarkSeoul, which destroyed thousands of financial sector systems and resulted in outages at the top three media companies in the ROK. Additionally, the 110th Research Center has stolen sensitive government information from the ROK related to its military defense and response planning, the Department of Treasury said.

North Korea-based Chinyong Information Technology Cooperation Company (Chinyong), also known as Jinyong IT Cooperation Company, is associated with the UN and US-sanctioned Ministry of Peoples’ Armed Forces. Chinyong, by way of companies under its control and their representatives, employs delegations of DPRK IT workers that operate in Russia and Laos, the Department of Treasury said.

“One such representative of the Chinyong office located in Vladivostok, Russia, DPRK-national Kim Sang Man, is presumed to be involved in the payment of salaries to family members of Chinyong’s overseas DPRK worker delegations,” the Department of Treasury said.

Kim is said to have been involved in the sale and transfer of IT equipment for the DPRK and, as recently as 2021, received cryptocurrency funds transfers from IT teams located in China and Russia that were valued at more than $2 million. 

Kim has been affiliated with the US-designated Korea Computer Center and worked as an IT developer in the DPRK prior to being selected as an agent of the UN and US-designated RGB, in order to earn foreign currency.

“Kim is being designated pursuant to E.O. 13810 for being a North Korean person, including a North Korean person that has engaged in commercial activity that generates revenue for the Government of North Korea or the Workers’ Party of Korea,” the Department of Treasury said.

North Korea’s malicious activities

The sanctions target illicit activities by these entities that fund the North Korean government.

“The DPRK conducts malicious cyber activities and deploys information technology (IT) workers abroad who fraudulently obtain employment to generate revenue that supports the Kim regime,” the Department of Treasury said.

The DPRK’s extensive illicit cyber and IT worker operations threaten international security by financing the DPRK regime and its dangerous activities, including its unlawful weapons of mass destruction (WMD) and missile programs, the Department of Treasury said.

The action has been taken in coordination with the ROK, which is concurrently imposing sanctions against one entity and one individual associated with overseas DPRK IT workers. The other three entities were previously sanctioned by the ROK on February 10, for engaging in cyberattack operations and illicit revenue generation that support the DPRK’s WMD programs.

“Today’s Treasury action includes three targets that the ROK recently designated for engaging in cyber operations and illicit revenue generation that support the DPRK’s WMD programs. We will not hesitate to continue holding the DPRK regime responsible for its actions,” the Department of Treasury said.

DPRK cyberattack actors stole more virtual currency in 2022 than in any previous year, with estimates ranging from $630 million to over $1 billion — reportedly doubling Pyongyang’s total cybertheft proceeds in 2021, according to a March 2023 UN Panel of Experts report. 

The DPRK also maintains a workforce of thousands of highly skilled IT workers around the world, primarily located in the People’s Republic of China and Russia, to generate revenue that contributes to its unlawful WMD and ballistic missile programs. In some cases, DPRK IT workers can earn more than $300,000 per year. 

“The United States is steadfast in our commitment to combat the Democratic People’s Republic of Korea’s (DPRK) illicit activities to generate revenue by stealing funds from global financial institutions and other entities,” the Department of Treasury said.

Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld.

Copyright © 2023 IDG Communications, Inc.