North Korea flags
Image: Flickr / (Stephan) & The Record

US sanctions North Korean entities involved in cyberattacks and IT worker fraud

The U.S. Treasury Department on Tuesday announced new sanctions on four entities that employ thousands of North Korean IT workers who help illicitly finance the regime's missile and weapons of mass destruction programs.

North Korea maintains legions of “highly skilled” IT workers around the globe, primarily in China and Russia, who “generate revenue that contributes to its unlawful WMD and ballistic missile programs,” according to the department.

While these people usually engage in IT work separate from malicious cyber activity, the agency said it has witnessed instances where they have provided support to that online effort through “privileged access to virtual currency firms.”

These individuals, who can earn up to $300,000 annually, “deliberately obfuscate their identities, locations, and nationalities, typically using fake personas, proxy accounts, stolen identities, and falsified or forged documentation” to apply for jobs, Treasury said.

They then target “employers located in wealthier countries, utilizing a variety of mainstream and industry-specific freelance contracting, payment, and social media and networking platforms.”

Three groups included in the latest round of penalties had been previously sanctioned by South Korea for conducting digital operations and other illicit activity. The South Korean and U.S. governments also issued alerts in 2022 about North Korean IT workers.

One of the groups — the Pyongyang University of Automation — is “one of the DPRK’s premier cyber instruction institutions,” Treasury said. The university is responsible for “training malicious cyber actors, many of whom go on to work in cyber units subordinate to the Reconnaissance General Bureau (RGB) — the DPRK’s primary intelligence bureau and main entity responsible for the country’s malicious cyber activities”.

Another sanctioned group — the Technical Reconnaissance Bureau — leads the country’s offensive cyber operations and manages departments connected to the Lazarus Group, one of the world’s most notorious digital criminal organizations.

“Today’s action continues to highlight the DPRK’s extensive illicit cyber and IT worker operations, which finance the regime’s unlawful weapons of mass destruction and ballistic missile programs,” Brian Nelson, undersecretary of the Treasury for terrorism and financial intelligence, said in a statement.

In addition, the country’s Chinyong Information Technology Cooperation Company and an individual named Kim Sang Man were sanctioned jointly by the U.S. and South Korea for funneling IT earnings into the regime’s weapons programs.

“We will not hesitate to continue holding the DPRK regime responsible for its actions,” Secretary of State Antony Blinken said in a statement.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Martin Matishak

Martin Matishak

is the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more than five years at Politico, where he covered digital and national security developments across Capitol Hill, the Pentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group and Inside Washington Publishers.