US sanctions North Korean ‘Kimsuky’ hackers after surveillance satellite launch

The U.S. partnered with several nations in the Pacific to hand down sanctions on North Korea — particularly the country’s Kimsuky cyber espionage group — after the country launched a surveillance satellite last week.

On Thursday evening, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight North Korean agents for allegedly facilitating sanctions evasions and generating revenue for the country’s missile procurement efforts. The U.S. also sanctioned Kimsuky as well for “gathering intelligence to support the DPRK’s strategic objectives.”

“Today’s actions by the United States, Australia, Japan, and the Republic of Korea reflect our collective commitment to contesting Pyongyang’s illicit and destabilizing activities,” said Treasury’s Under Secretary for Terrorism and Financial Intelligence Brian Nelson.

“The DPRK’s use of overseas laborers, money launderers, cyber espionage, and illicit funding continue to threaten international security and our allies in the region. We will remain focused on targeting these key nodes in the DPRK’s illicit revenue generation and weapons proliferation.”

According to U.S. officials, Kimsuky has operated since 2012 within North Korea’s Reconnaissance General Bureau (RGB) — the country’s primary foreign intelligence service.

RGB itself was sanctioned in 2010 and the U.S. noted that Kimsuky has been identified by several cybersecurity researchers as APT43, Emerald Sleet, Velvet Chollima, TA406, and Black Banshee.

The group uses spear-phishing attacks to target people within governments, research centers, think tanks, academic institutions and news media organizations across the world — particularly in Europe, Japan, Russia, South Korea and the U.S., they said.

“Kimsuky employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets,” they said.

In June, intelligence agencies from the U.S. and South Korea issued a warning describing the spying methods of Kimsuky, warning that the group uses impersonation tactics, masquerading as reliable sources to gain the trust of their targets and gather intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts of the nations that “threaten the regime.”

An October 2020 alert on the group from the United States Cybersecurity and Infrastructure Agency (CISA) described Kimsuky as “likely tasked by the North Korean regime with a global intelligence gathering mission.” In some cases, hackers posed as South Korean reporters to gain access to targets.

The group has been implicated in several campaigns in recent years targeting news outlets, regional experts in Asia and academics.

South Korean officials said in 2021 that hackers from the group breached the internal network of the South Korean Atomic Energy Research Institute (KAERI), the government organization that conducts research on nuclear power and nuclear fuel technology.

Michael Barnhart, who leads the North Korea threat hunting team at Mandiant, told Recorded Future News that North Korea has a longstanding history of employing cyber espionage tactics to gather intelligence, disrupt critical infrastructure, and advance its geopolitical objectives.

These covert operations, often attributed to groups like APT43 or Kimsuky, have been largely shrouded in secrecy, allowing the regime to maintain a low profile and downplay the severity of its cyber capabilities, he explained.

“However, recent actions, including the OFAC sanctions of today and increased global awareness of these cyber threats, are forcing North Korea to adapt its strategies. While these measures have undoubtedly disrupted the regime's cyber activities, it is crucial to recognize that North Korea remains a formidable threat,” he said. Mandiant is

“APT43, in particular, serves as a prime example of North Korea's persistent cyber threat. As an intelligence gathering apparatus for the RGB, APT43 operates with the full backing of the North Korean regime, tasked with gathering sensitive information on a wide range of topics, including nuclear technology, sanctions evasion, and unification efforts.”

The group has been able to continue employing sophisticated social engineering tactics to target unsuspecting individuals and organizations.

In April 2022, the U.S. State Department offered a reward of up to $5 million for information about actors connected to North Korean digital operations that help keep the regime afloat and fund its weapons programs.