US National Security Agencies Warn of Increased North Korean Cyber Threat
On April 15, 2020, the US Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation issued a rare joint advisory (the Alert) on the cyber threat posed by North Korea, formally known as the Democratic People's Republic of Korea (DPRK).1 The Alert provides key guidance for financial institutions, a historical target of the DPRK's destructive cyber activities, and other businesses to mitigate cyber risk, respond effectively to illicit cyber intrusions, and assess the effectiveness of their trade sanctions compliance programs. The agencies' release of this Alert during the global COVID-19 pandemic should serve as an important reminder for businesses—especially those increasingly shifting to large-scale remote operations—that the DPRK's malicious cyber activities regularly target the private sector.
According to the Alert, the DPRK has increasingly relied on malicious cyber activities to generate revenue in response to the comprehensive sanctions regimes enacted by the United States and the United Nations. Using a wide range of malicious cyber tools that the US government collectively refers to as "HIDDEN COBRA," the DPRK, as the Alert warns, has robust cyber capabilities to disrupt or destroy US critical infrastructure and to steal from private financial institutions. To help mitigate the DPRK cyber threat, the Alert is intended to serve "as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public." It is divided into four sections, as outlined below.
Common Malicious Cyber Activities Targeting the Financial Sector
The Alert highlights a list of tactics used by the DPRK's cyber actors specifically to target the financial sector.2 According to the Alert, these tactics include, but are not limited to:
- Cyber-Enabled Financial Theft and Money Laundering. Citing a UN Panel of Experts midterm report, the Alert states that the DPRK is increasingly using malicious cyber activities to steal from financial institutions through increasingly "sophisticated tools and tactics" and, in some cases, may have also laundered funds through multiple jurisdictions. The midterm report also notes that, as of late 2019, the DPRK is suspected to have attempted to steal as much as $2 billion through cyber-enabled heists.
- Extortion Campaigns. According to the Alert, the DPRK has engaged in various cyber-extortion activities, including compromising national cyber infrastructure by breaching a third-country entity's network and threatening to shut it down unless a ransom is paid, demanding payment under the guise of long-term paid "consulting" to prevent future intrusions, and hacking websites and extorting funds on behalf of third-party clients.
- Cryptojacking. The Alert also highlights the DPRK's longstanding use of "Cryptojacking"—a scheme to infiltrate and compromise a victim's computer assets to mine digital currencies as a funding source for the DPRK.
The Alert underscores the DPRK's use of increasingly sophisticated cyber-tools to generate revenue while sidestepping the impact of US and UN sanctions programs.
Cyber Operations Attributed to the DPRK
The Alert also describes previous cyber operations that the US Government has attributed to the DPRK, which are amongst the most significant cyber events attributed to any state actor. According to the Alert, the US Government has publicly attributed the following incidents to DPRK state-sponsored cyber actors and co-conspirators: (i) the November 2014 hack of Sony Pictures Entertainment in retaliation for the 2014 film "The Interview"; (ii) the February 2016 cyber-enabled heist of the Bangladesh Bank; (iii) the May 2017 global WannaCry 2.0 ransomware attack; (iv) the ongoing "FASTCash" fraudulent ATM cash withdrawal scheme; and (v) the April 2018 digital currency exchange hack.
Measures to Counter the DPRK Cyber Threat
To mitigate the ongoing DPRK cyber threat, the Alert urges government, industry, civil society, and individuals to undertake the following actions:
- Raise Awareness of the DPRK Cyber Threat. The Alert states that sharing information about the DPRK cyber threat "will raise general awareness across the public and private sectors" and will "promote adoption and implementation of appropriate preventive and risk mitigation measures."
- Share Technical Information of the DPRK Cyber Threat. Under the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. §§ 1501–1510), non-federal entities may share cyber incidents and defensive measures related to HIDDEN COBRA with federal and non-federal entities.
- Implement and Promote Cybersecurity Best Practices. The Alert suggests the adoption of technical and behavioral cybersecurity practices. These practices include, but are not limited to, sharing threat information through government and/or industry channels, segmenting networks to minimize risks, maintaining regular backup copies of data, undertaking awareness training on common social engineering tactics, implementing policies governing information sharing and network access, and developing cyber incident response plans. The Alert also cites extensive cybersecurity best practice guidance from the Department of Energy, the National Institute of Standards and Technology (NIST), and the Cybersecurity and Infrastructure Security Agency (CISA).3
- Notify Law Enforcement. The Alert encourages companies to promptly notify law enforcement officials if the company suspects it has been a victim of a cyberattack. For financial crimes in particular, the Alert states that a swift law enforcement notification may increase the likelihood of recovering stolen assets.
- Strengthen Anti-Money Laundering / Countering the Financing of Terrorism / Counter-Proliferation Financing Compliance. The Alert urges countries to effectively implement the Financial Action Task Force (FATF) standards and reminds US financial institutions, including foreign-located digital asset service providers doing business in whole or substantial part in the United States, and other covered businesses to comply with the Bank Secrecy Act (BSA). For financial institutions, these obligations include the maintenance of an effective anti-money laundering (AML) program that is "reasonably designed to prevent the money services business from being used to facilitate money laundering and the financing of terrorist activities," in addition to identifying and reporting suspicious activities, including those related to cyber-events, to the US Department of the Treasury's Financial Crimes Enforcement Network (FinCEN).
- Engage in International Cooperation. To mitigate the DPRK's malicious cyber activities, the Alert notes that the United States strongly urges countries to strengthen network defense, end DPRK joint ventures in third countries, and expel foreign-located North Korean information technology (IT) workers in accordance with applicable international law.
It is important to note that these actions, while important, will not in and of themselves suffice to manage a particular entity's overall cyber risk and compliance posture. For example, while raising awareness of the DPRK cyber threat is an important aspect of reducing malicious cyberattacks on a global scale, developing, exercising, and updating a cyber threat prevention and crisis management plan is critical to mitigating cyber vulnerabilities and cyberattack-related liability. The Alert should serve as an important signal to stakeholders to review and revise cyber security management plans on an ongoing basis, in view of threats including but not limited to those posed by the DPRK. Likewise, in the event that an attack occurs that compromises company-held financial assets, effective processes for detecting the attack, mitigating and remediating it, and notifying appropriate government agencies including law enforcement are essential.
For financial institutions, the Alert should be a reminder to BSA/AML officers to review FinCEN's 2016 Advisory on cyber-enabled crime.4 In that guidance, FinCEN set forth its expectation that if a financial institution knows, suspects, or has reason to suspect that a cyber-event was intended to target funds—even if the event failed and did not actually affect any funds—the event should be reported to FinCEN in a Suspicious Activity Report (SAR). While it may be difficult to determine what constitutes an attempted cyber-event, when in doubt, financial institutions should err on the side of caution and file a SAR; the cost of a government investigation concerning the failure to file is simply too high. Additionally, FinCEN expects cyber-related SARs to contain detailed information such as IP addresses with time stamps, virtual-wallet information, and device identifiers, which is information that a BSA/AML officer may not be used to reporting. For all these reasons, it is imperative that the BSA/AML team be involved in a financial institution's cyber-response plan and have an open line of communication with the cyber-response team so that the institution is able to comply with its obligations under the BSA.
Consequences of Engaging in Prohibited or Sanctionable Conduct
The Alert warns that individuals and entities engaged in or supporting DPRK cyber activity, including processing related financial transactions, should be aware of the legal consequences of engaging in prohibited or sanctionable conduct. Specifically, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) maintains wide authority to impose sanctions on any person determined to have engaged in cyber- and trade-related activities with, or on behalf of, the DPRK. Additionally, the Secretary of the Treasury, in consultation with the Secretary of State, may, among other actions, restrict the ability of a foreign financial institution to maintain a correspondent or payable-through account in the United States if the Secretary of the Treasury determines that the foreign financial institution engaged in certain transactions with the DPRK.
Persons who willfully violate sanctions laws may face up to 20 years of imprisonment, fines of up to $1 million or twice the gross gain, whichever is greater, and forfeiture of all funds involved in the applicable transaction. Persons who willfully violate the Bank Secrecy Act, which requires financial institutions to, among other things, maintain effective anti-money laundering programs and file certain reports with FinCEN, may face up to 5 years' imprisonment, a fine of up to $250,000, and potential forfeiture of property involved in the violations. The Secretary of the Treasury or the US Attorney General is also authorized to subpoena foreign financial institutions that maintain a correspondent bank account in the US for records, even when such records are stored overseas.
Although not specifically addressed in the Alert, other legal obligations also may be triggered in connection with a cyberattack, including legal requirements set out in federal and state laws related to data breach notification requirements and US sanctions laws. In addition to the criminal penalties described above for willful violations of US sanctions laws, OFAC may impose civil penalties of up to $307,000 per violation on companies under a "strict liability" regime, meaning without a finding that the company acted with negligence or intent when it conducted a transaction in violation of US sanctions laws. OFAC policy significantly favors companies that voluntarily disclose sanctions violations, so the potential relief from civil liability when a sanctions violation has taken place (e.g., a company unintentionally provided funds to North Korea) is another incentive to move quickly in contacting the US government when a DPRK attack has occurred. Companies should carefully coordinate their communications with the US government so as to ensure that they receive credit from OFAC for making a voluntary disclosure. (If, for example, the FBI were to share details of a DPRK transaction with OFAC first, the agency may not give credit to the victim for making a voluntary disclosure regarding the potential sanctions violation.) Finally, a financial institution that has violated the BSA or OFAC regulations—or has facilitated its customer in committing such violations—may face additional civil money penalties and costly remediation imposed by its state and federal regulators. All told, a financial institution may incur penalties in the hundreds of millions of dollars for BSA and OFAC violations, as evidenced by several recent cases.
Extortion payments to cyber attackers also may expose a company to US sanctions violations. In the case of the DPRK's cyber actors, the United States has imposed comprehensive sanctions on the DPRK, among other entities known to sponsor cyberattacks. US sanctions laws generally prohibit any transaction with sanctioned parties, even if the payment is being made under duress or by a victim of a cyberattack. While it would be possible to seek permission from OFAC to make a payment under duress to a DPRK cyber actor, there is no guarantee such a license request would be granted, as making any ransom payment or any payment to the DPRK is in direct contravention of US foreign policy. On the other hand, permission may be granted where countervailing policy concerns, such as an imminent threat to a US citizen's health or safety, may be involved. A threat to a company's financial health or to property is less likely to result in a license, which only underscores that, for most potential victims, rigorous cyber hygiene and cyber defense practices—and a high degree of alertness—are key to avoiding becoming a victim of the DPRK.
The Alert serves as an important reminder that the DPRK remains a significant source of sophisticated cyber threats to public and private actors. Businesses—particularly those involved in the financial sector—should take care not only to maintain a comprehensive cyber-security and crisis management and response program but also to ensure that they comply with multiple complex regulatory requirements. These issues are of particular importance during the current COVID-19 crisis, which may increase cyber risk due to increased, and often rapid, shifts to virtual operating environments.
1. Guidance on the North Korean Cyber Threat, DPRK Cyber Threat Advisory, Cybersecurity and Infrastructure Security Agency (Apr. 15, 2020).
2. The Alert notes that the DPRK's state-sponsored cyber actors "primarily consist of hackers, cryptologists, and software developers who conduct espionage, cyber-enabled theft targeting financial institutions and digital currency exchanges, and politically-motivated operations against foreign media companies." Id. at 2.