The U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation are issuing this advisory as a comprehensive resource on the North Korean cyber threat for the international community, network defenders, and the public. The advisory highlights the cyber threat posed by North Korea – formally known as the Democratic People’s Republic of Korea (DPRK) – and provides recommended steps to mitigate the threat. In particular, Annex 1 lists U.S. government resources related to DPRK cyber threats and Annex 2 includes a link to the UN 1718 Sanctions Committee (DPRK) Panel of Experts reports.
The DPRK’s malicious cyber activities threaten the United States and the broader international community and, in particular, pose a significant threat to the integrity and stability of the international financial system. Under the pressure of robust U.S. and UN sanctions, the DPRK has increasingly relied on illicit activities – including cybercrime – to generate revenue for its weapons of mass destruction and ballistic missile programs. In particular, the United States is deeply concerned about North Korea’s malicious cyber activities, which the U.S. government refers to as HIDDEN COBRA. The DPRK has the capability to conduct disruptive or destructive cyber activities affecting U.S. critical infrastructure. The DPRK also uses cyber capabilities to steal from financial institutions, and has demonstrated a pattern of disruptive and harmful cyber activity that is wholly inconsistent with the growing international consensus on what constitutes responsible State behavior in cyberspace.
The United States works closely with like-minded countries to focus attention on and condemn the DPRK’s disruptive, destructive, or otherwise destabilizing behavior in cyberspace. For example, in December 2017, Australia, Canada, New Zealand, the United States, and the United Kingdom publicly attributed the WannaCry 2.0 ransomware attack to the DPRK and denounced the DPRK’s harmful and irresponsible cyber activity. Denmark and Japan issued supporting statements for the joint denunciation of the destructive WannaCry 2.0 ransomware attack, which affected hundreds of thousands of computers around the world in May 2017.
It is vital for the international community, network defenders, and the public to stay vigilant and to work together to mitigate the cyber threat posed by North Korea.
Click here for an English PDF version of this report.
Click the following links for PDF versions of this report in Arabic, French, Japanese, Korean, Portuguese, Spanish, and [traditional Chinese](<https://www.us-cert.gov/sites/default/files/publications/DPRK_Cyber_Advisory_TRAD CHN_S508C.pdf>), and Vietnamese.
Many DPRK cyber actors are subordinate to UN- and U.S.-designated entities, such as the Reconnaissance General Bureau. DPRK state-sponsored cyber actors primarily consist of hackers, cryptologists, and software developers who conduct espionage, cyber-enabled theft targeting financial institutions and digital currency exchanges, and politically-motivated operations against foreign media companies. They develop and deploy a wide range of malware tools around the world to enable these activities and have grown increasingly sophisticated. Common tactics to raise revenue illicitly by DPRK state-sponsored cyber actors include, but are not limited to:
_Cyber-Enabled Financial Theft and Money Laundering. _The UN Security Council 1718 Committee Panel of Experts’ 2019 mid-term report (2019 POE mid-term report) states that the DPRK is increasingly able to generate revenue notwithstanding UN Security Council sanctions by using malicious cyber activities to steal from financial institutions through increasingly sophisticated tools and tactics. The 2019 POE mid-term report notes that, in some cases, these malicious cyber activities have also extended to laundering funds through multiple jurisdictions. The 2019 POE mid-term report mentions that it was investigating dozens of suspected DPRK cyber-enabled heists and that, as of late 2019, the DPRK has attempted to steal as much as $2 billion through these illicit cyber activities. Allegations in a March 2020 Department of Justice forfeiture complaint are consistent with portions of the POE’s findings. Specifically, the forfeiture complaint alleged how North Korean cyber actors used North Korean infrastructure in furtherance of their conspiracy to hack digital currency exchanges, steal hundreds of millions of dollars in digital currency, and launder the funds.
**Extortion Campaigns.**DPRK cyber actors have also conducted extortion campaigns against third-country entities by compromising an entity’s network and threatening to shut it down unless the entity pays a ransom. In some instances, DPRK cyber actors have demanded payment from victims under the guise of long-term paid consulting arrangements in order to ensure that no such future malicious cyber activity takes place. DPRK cyber actors have also been paid to hack websites and extort targets for third-party clients.
_Cryptojacking._The 2019 POE mid-term report states that the POE is also investigating the DPRK’s use of “cryptojacking,” a scheme to compromise a victim machine and steal its computing resources to mine digital currency. The POE has identified several incidents in which computers infected with cryptojacking malware sent the mined assets – much of it anonymity-enhanced digital currency (sometimes also referred to as “privacy coins”) – to servers located in the DPRK, including at Kim Il Sung University in Pyongyang.
These activities highlight the DPRK’s use of cyber-enabled means to generate revenue while mitigating the impact of sanctions and show that any country can be exposed to and exploited by the DPRK. According to the 2019 POE mid-term report, the POE is also investigating such activities as attempted violations of UN Security Council sanctions on the DPRK.
The DPRK has repeatedly targeted U.S. and other government and military networks, as well as networks related to private entities and critical infrastructure, to steal data and conduct disruptive and destructive cyber activities. To date, the U.S. government has publicly attributed the following cyber incidents to DPRK state-sponsored cyber actors and co-conspirators:
North Korea targets cyber-enabled infrastructure globally to generate revenue for its regime priorities, including its weapons of mass destruction programs. We strongly urge governments, industry, civil society, and individuals to take all relevant actions below to protect themselves from and counter the DPRK cyber threat:
U.S. law enforcement has seized millions of dollars’ worth of digital currency stolen by North Korean cyber actors. All types of financial institutions, including money services businesses, are encouraged to cooperate on the front end by complying with U.S. law enforcement requests for information regarding these cyber threats, and on the back end by identifying forfeitable assets upon receipt of a request from U.S. law enforcement or U.S. court orders, and by cooperating with U.S. law enforcement to support the seizure of such assets.
Further, in June 2019, FATF amended its standards to require all countries regulate and supervise digital asset service providers, including digital currency exchanges, and mitigate against risks when engaging in digital currency transactions. Digital asset service providers should remain alert to changes in customers’ activities, as their business may be used to facilitate money laundering, terrorist financing, and proliferation financing. The United States is particularly concerned about platforms that provide anonymous payment and account service functionality without transaction monitoring, suspicious activity reporting, and customer due diligence, among other obligations.
U.S. financial institutions, including foreign-located digital asset service providers doing business in whole or substantial part in the United States, and other covered businesses and persons should ensure that they comply with their regulatory obligations under the Bank Secrecy Act (as implemented through the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) regulations in 31 CFR Chapter X). For financial institutions, these obligations include developing and maintaining effective anti-money laundering programs that are reasonably designed to prevent the money services business from being used to facilitate money laundering and the financing of terrorist activities, as well as identifying and reporting suspicious transactions, including those conducted, affected, or facilitated by cyber events or illicit finance involving digital assets, in suspicious activity reporting to FinCEN.
To counter the DPRK’s malicious cyber activities, the United States regularly engages with countries around the world to raise awareness of the DPRK cyber threat by sharing information and evidence via diplomatic, military, law enforcement and judicial, network defense, and other channels. To hamper the DPRK’s efforts to steal funds through cyber means and to defend against the DPRK’s malicious cyber activities, the United States strongly urges countries to strengthen network defense, shutter DPRK joint ventures in third countries, and expel foreign-located North Korean information technology (IT) workers in a manner consistent with applicable international law. A 2017 UN Security Council resolution required all Member States to repatriate DPRK nationals earning income abroad, including IT workers, by December 22, 2019. The United States also seeks to enhance the capacity of foreign governments and the private sector to understand, identify, defend against, investigate, prosecute, and respond to DPRK cyber threats and participate in international efforts to help ensure the stability of cyberspace.
Individuals and entities engaged in or supporting DPRK cyber-related activity, including processing related financial transactions, should be aware of the potential consequences of engaging in prohibited or sanctionable conduct.
The Department of the Treasury’s Office of Foreign Assets Control (OFAC) has the authority to impose sanctions on any person determined to have, among other things:
Additionally, if the Secretary of the Treasury, in consultation with the Secretary of State, determines that a foreign financial institution has knowingly conducted or facilitated significant trade with North Korea, or knowingly conducted or facilitated a significant transaction on behalf of a person designated under a North Korea-related Executive Order, or under Executive Order 13382 (Weapons of Mass Destruction Proliferators and Their Supporters) for North Korea-related activity, that institution may, among other potential restrictions, lose the ability to maintain a correspondent or payable-through account in the United States.
OFAC investigates apparent violations of its sanctions regulations and exercises enforcement authority, as outlined in the Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, appendix A. Persons who violate the North Korea Sanctions Regulations, 31 C.F.R. part 510, may face civil monetary penalties of up to the greater of the applicable statutory maximum penalty or twice the value of the underlying transaction.
The 2019 POE mid-term report notes the DPRK’s use, and attempted use, of cyber-enabled means to steal funds from banks and digital currency exchanges could violate multiple UN Security Council resolutions (UNSCRs) (i.e., UNSCR 1718 operative paragraph (OP) 8(d); UNSCR 2094, OPs 8 and 11; and UNSCR 2270, OP 32). The DPRK-related UNSCRs also provide various mechanisms for encouraging compliance with DPRK-related sanctions imposed by the UN. For example, the UN Security Council 1718 Committee may impose targeted sanctions (i.e., an asset freeze and, for individuals, a travel ban) on any individual or entity who engages in a business transaction with UN-designated entities or sanctions evasion.
The Department of Justice criminally prosecutes willful violations of applicable sanctions laws, such as the International Emergency Economic Powers Act, 50 U.S.C. §§ 1701 et seq. Persons who willfully violate such laws may face up to 20 years of imprisonment, fines of up to $1 million or totaling twice the gross gain, whichever is greater, and forfeiture of all funds involved in such transactions. The Department of Justice also criminally prosecutes willful violations of the Bank Secrecy Act (BSA), 31 U.S.C. §§ 5318 and 5322, which requires financial institutions to, among other things, maintain effective anti-money laundering programs and file certain reports with FinCEN. Persons violating the BSA may face up to 5 years imprisonment, a fine of up to $250,000, and potential forfeiture of property involved in the violations. Where appropriate, the Department of Justice will also criminally prosecute corporations and other entities that violate these statutes. The Department of Justice also works with foreign partners to share evidence in support of each other’s criminal investigations and prosecutions.
Pursuant to 31 U.S. Code § 5318(k), the Secretary of the Treasury or the Attorney General may subpoena a foreign financial institution that maintains a correspondent bank account in the United States for records stored overseas. Where the Secretary of the Treasury or Attorney General provides written notice to a U.S. financial institution that a foreign financial institutions has failed to comply with such a subpoena, the U.S. financial institution must terminate the correspondent banking relationship within ten business days. Failure to do so may subject the U.S. financial institutions to daily civil penalties.
If you have information about illicit DPRK activities in cyberspace, including past or ongoing operations, providing such information through the Department of State’s Rewards for Justice program could make you eligible to receive an award of up to $5 million. For further details, please visit www.rewardsforjustice.net.
Office of the Director of National Intelligence Annual Worldwide Threat Assessments of the U.S. Intelligence Community. In 2019, the U.S. Intelligence Community assessed that the DPRK poses a significant cyber threat to financial institutions, remains a cyber espionage threat, and retains the ability to conduct disruptive cyber attacks. The DPRK continues to use cyber capabilities to steal from financial institutions to generate revenue. Pyongyang’s cybercrime operations include attempts to steal more than $1.1 billion from financial institutions across the world – including a successful cyber heist of an estimated $81 million from Bangladesh Bank. The report can be found at <https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf>.
Cybersecurity and Infrastructure Security Agency (CISA) Technical Reports. The U.S. government refers to the malicious cyber activities by the DPRK as HIDDEN COBRA. HIDDEN COBRA reports provide technical details on the tools and infrastructure used by DPRK cyber actors. These reports enable network defenders to identify and reduce exposure to the DPRK’s malicious cyber activities. CISA’s website contains the latest updates on these persistent threats: <https://www.us-cert.gov/northkorea>.
Additionally, CISA provides extensive cybersecurity and infrastructure security knowledge and practices to its stakeholders, shares that knowledge to enable better risk management, and puts it into practice to protect the nation’s critical functions. Below are the links to CISA’s resources:
FBI PIN and FLASH Reports. FBI Private Industry Notifications (PIN) provide current information that will enhance the private sector’s awareness of a potential cyber threat. FBI Liaison Alert System (FLASH) reports contain critical information collected by the FBI for use by specific private sector partners. They are intended to provide recipients with actionable intelligence that help cybersecurity professionals and system administrators to guard against the persistent malicious actions of cyber criminals. If you identify any suspicious activity within your enterprise or have related information, please contact FBI CYWATCH immediately. For DPRK-related cyber threat PIN or FLASH reports, contact [email protected].
FBI Legal Attaché Program: The FBI Legal Attaché’s core mission is to establish and maintain liaison with principal law enforcement and security services in designated foreign countries.
**U.S. Cyber Command Malware Information Release.**The Department of Defense’s cyber forces actively seek out DPRK malicious cyber activities, including DPRK malware that exploits financial institutions, conducts espionage, and enables malicious cyber activities against the U.S. and its partners. U.S. Cyber Command periodically releases malware information, identifying vulnerabilities for industry and government to defend their infrastructure and networks against DPRK illicit activities. Malware information to bolster cybersecurity can be found at the following Twitter accounts: @US_CYBERCOM and @CNMF_VirusAlert.
U.S. Department of the Treasury Sanctions Information and Illicit Finance Advisories. The Office of Foreign Assets Control’s (OFAC’s) online Resource Center provides a wealth of information regarding DPRK sanctions and sanctions with respect to malicious cyber-enabled activities, including sanctions advisories, relevant statutes, Executive Orders, rules, and regulations relating to DPRK and cyber-related sanctions. OFAC has also published several frequently asked questions (FAQs) relating to DPRK sanctions, cyber-related sanctions, and digital currency. For questions or concerns related to OFAC sanctions regulations and requirements, please contact OFAC’s Compliance Hotline at 1-800-540-6322 or [email protected].
Financial Crimes Enforcement Network (FinCEN) has issued an advisory on North Korea’s use of the international financial system (<https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2017-a008>). FinCEN also issued specific advisories to financial institutions with suspicious activity reporting obligations that provide guidance on when and how to report cybercrime and/or digital currency-related criminal activity:
Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help financial institutions identify their risks and determine their cybersecurity preparedness. The assessment tool can be found at <https://www.ffiec.gov/cyberassessmenttool.htm>.
UN 1718 Sanctions Committee (DPRK) Panel of Experts Reports. The UN Security Council 1718 Sanctions Committee on the DPRK is supported by a Panel of Experts, who “gather, examine, and analyze information” from UN Member States, relevant UN bodies, and other parties on the implementation of the measures outlined in the UN Security Council Resolutions against North Korea. The Panel also makes recommendations on how to improve sanctions implementation by providing both a Midterm and a Final Report to the 1718 Committee. These reports can be found at <https://www.un.org/securitycouncil/sanctions/1718/panel_experts/reports>.
[1] FATF Call to Action on North Korea
April 15, 2020: Initial Version|April 30, 2020: Added PDF versions of this report in Arabic, French, Japanese, Korean, Portuguese, Spanish, and traditional Chinese.|June 16, 2020: Added PDF version of this report in Vietnamese.
www.rewardsforjustice.net
home.treasury.gov/news/press-releases/sm473
home.treasury.gov/news/press-releases/sm924
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Guidance%20on%20the%20North%20Korean%20Cyber%20Threat+https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-106a
www.cisa.gov/combating-cyber-crime
www.cisa.gov/cyber-essentials
www.cisa.gov/cyber-safety
www.cisa.gov/detection-and-prevention
www.cisa.gov/information-sharing-and-awareness
www.cisa.gov/insights
www.cisa.gov/protecting-critical-infrastructure
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-106a&title=Guidance%20on%20the%20North%20Korean%20Cyber%20Threat
www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/documents/call-for-action-february-2020.html
www.fatf-gafi.org/publications/high-risk-and-other-monitored-jurisdictions/documents/call-for-action-february-2020.html
www.fbi.gov/contact-us/legal-attache-offices
www.fbi.gov/investigate/cyber
www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation
www.ffiec.gov/cyberassessmenttool.htm
www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a003
www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a005
www.fincen.gov/resources/advisories/fincen-advisory-fin-2017-a008
www.fincen.gov/resources/advisories/fincen-advisory-fin-2019-a003
www.fincen.gov/resources/advisories/fincen-advisory-fin-2019-a005
www.instagram.com/cisagov
www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and
www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and
www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and
www.justice.gov/opa/pr/two-chinese-nationals-charged-laundering-over-100-million-cryptocurrency-exchange-hack
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-106a
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-106a
www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_compliance.aspx#vc_faqs
www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_other.aspx#cyber
www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_other.aspx#nk
www.treasury.gov/resource-center/sanctions/Programs/pages/cyber.aspx
www.treasury.gov/resource-center/sanctions/Programs/pages/nkorea.aspx
www.un.org/securitycouncil/sanctions/1718/panel_experts/reports
www.us-cert.gov/ics
www.us-cert.gov/ncas
www.us-cert.gov/ncas/alerts/TA17-132A
www.us-cert.gov/ncas/alerts/TA18-275A
www.us-cert.gov/ncas/analysis-reports/AR18-275A
www.us-cert.gov/ncas/tips
www.us-cert.gov/northkorea
www.us-cert.gov/report
www.us-cert.gov/sites/default/files/2020-04/DPRK_Cyber_Threat_Advisory_04152020_S508C.pdf
www.us-cert.gov/sites/default/files/publications/DPRK_Cyber_Advisory_ARA_S508C.pdf
www.us-cert.gov/sites/default/files/publications/DPRK_Cyber_Advisory_FRE_S508C.pdf
www.us-cert.gov/sites/default/files/publications/DPRK_Cyber_Advisory_KOR_S508C.pdf
www.us-cert.gov/sites/default/files/publications/DPRK_Cyber_Advisory_POR_S508C.pdf
www.us-cert.gov/sites/default/files/publications/DPRK_Cyber_Advisory_SPA_S508C.pdf
www.us-cert.gov/sites/default/files/publications/DPRK_Cyber_Advisory_TRAD CHN_S508C.pdf
www.usa.gov/
www.whitehouse.gov/
www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/
www.youtube.com/@cisagov
mailto:?subject=Guidance%20on%20the%20North%20Korean%20Cyber%20Threat&body=www.cisa.gov/news-events/cybersecurity-advisories/aa20-106a