Can threats to freeze assets be effective against groups backed by a foreign government?
This week the U.S. Department of the Treasury announced sanctions targeting North Korean state-sponsored hacking groups, including Lazarus, which paralyzed 300,000 computers in 150 countries with the 2017 WannaCry ransomware attack.
Treasury officials said the hackers in Lazarus and two affiliated groups support the North Korean military. “Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs,” said Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence.
Lazarus was “created by the North Korean Government as early as 2007” and its WannaCry attack was “the biggest known ransomware outbreak in history” in part because it closed hospitals in the United Kingdom, Treasury said in filing the sanctions.
Tech news outlet ZDNet called the sanctions “a long time in coming,” citing reports on North Korean hacking from The United Nations and the Department of Homeland Security.
But how effective will they be? Connecting attacks to specific perpetrators can be more difficult than announcing sanctions to loosely identified groups, experts say.
Guilt can be tough to prove
“North Korea is suspected to be behind a number of high profile cyber attacks,” said Avast Security Evangelist Luis Corrons. “Attribution is extremely difficult in cybercrime, and even if you can prove it to a certain point of confidence, false flags” and other deceptive tactics can obfuscate forensics.
The move authorizes the U.S. to freeze assets connected to the hackers, and “may prompt U.S. companies to examine their businesses for any potential ties to the North Korean hackers,” noted PC Mag. “However, all three groups named today use shadowy tactics to stay hidden.”
“Whatever sanctions are imposed, that does not guarantee in any way that these groups will stop their actions,” Avast’s Corrons noted.
Others agree that catching hackers backed by government can be very difficult. “In the two years since WannaCry, the tactics and tools used by elite hacking collectives have advanced considerably, especially when it comes to expanding their use of botnets,” Byron Acohido wrote on the Avast Blog this summer. “Russia, China, North Korea, and Iran continue to proactively support and direct professional hackers engaged in cyber espionage, data theft and network infiltrations.”
2014 Sony attacks
Treasury also noted Lazarus was responsible for 2014 cyberattacks of Sony Pictures because of a film its studios made about a plot to assassinate North Korean leader Kim Jong-un.
The two other hacker groups sanctioned were Bluenoro and Andariel. Bluenoroff was formed by the North Korean government “in response to increased global sanctions,” Treasury wrote, “to generate revenue, in part, for its growing nuclear weapons and ballistic missile programs.”
Treasury said Andariel focuses on conducting malicious cyber operations on foreign businesses, government agencies, financial services infrastructure, private corporations, as well as the defense industry.
What can you do?
Ransomware at a nation-state level may seem overpowering or remote, but there are tools anyone can use to guard against ransomware. You can begin with a basic understanding of ransomware, which is malware that encrypts computer files demanding payment in return for releasing the files. You can also empower yourself with Avast’s free ransomware decryption tools here.
