U.S. Treasury Sanctions North Korean Kimsuky Hackers and 8 Foreign-Based Agents
The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Thursday sanctioned the North Korea-linked adversarial collective known as Kimsuky as well as eight foreign-based agents who are alleged to have facilitated sanctions evasion.
The agents, the Treasury said, helped in “revenue generation and missile-related technology procurement that support the DPRK’s weapons of mass destruction (WMD) programs.”
The sanctions against Kimsuky, which have been levied for gathering intelligence to support the regime’s strategic objectives, come more than four years after the OFAC imposed similar measures against the Lazarus Group and its offshoots Andariel and BlueNoroff in September 2019.
The actions are in response to North Korea’s launch of a military reconnaissance satellite late last month, the Treasury added. They also arrive a day after a virtual currency mixer service called Sinbad was sanctioned for processing stolen assets linked to hacks perpetrated by the Lazarus Group.
Kimsuky – also called APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima – is a prolific cyber espionage crew that primarily targets governments, nuclear organizations, and foreign relations entities to collect intelligence that help further North Korea’s interests.
“The group combines moderately sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues,” Google-owned Mandiant noted in October 2023.
Like the Lazarus Group, it’s also an element within the Reconnaissance General Bureau (RGB), which is North Korea’s primary foreign intelligence service that’s responsible for intelligence collection operations. It’s known to be active since at least 2012.
“Kimsuky employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets,” the Treasury said.
The agency also identified Kang Kyong Il, Ri Sung Il, and Kang Phyong Guk for acting as weapons sales representatives; So Myong, Choe Un Hyok, and Jang Myong Chol for engaging in illicit financial transfers to procure material for North Korea’s missile programs; and Choe Song Chol and Im Song Sun for running front companies involved in generating revenue by exporting skilled workers.
“The geographic breakdown of North Korean threat groups’ targeting in the cryptocurrency industry [follows a multi-pronged approach], where Kimsuky has been seen targeting the cryptocurrency industry in South Korea, and Lazarus Group has a more global presence in their cryptocurrency targeting operations,” Recorded Future said in a new report published this week.