{
	"id": "590c1899-36d9-46ab-a27e-8c79ababeb87",
	"created_at": "2026-04-06T00:17:05.556209Z",
	"updated_at": "2026-04-10T03:38:20.546071Z",
	"deleted_at": null,
	"sha1_hash": "1f797c4832edd2005abaa9076ccc40d3f16bccde",
	"title": "Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42534,
	"plain_text": "Treasury Sanctions North Korean State-Sponsored Malicious\r\nCyber Groups\r\nPublished: 2026-02-13 · Archived: 2026-04-05 23:36:44 UTC\r\nWASHINGTON – Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)\r\nannounced sanctions targeting three North Korean state-sponsored malicious cyber groups responsible for North\r\nKorea’s malicious cyber activity on critical infrastructure.  Today’s actions identify North Korean hacking groups\r\ncommonly known within the global cyber security private industry as “Lazarus Group,” “Bluenoroff,” and\r\n“Andariel” as agencies, instrumentalities, or controlled entities of the Government of North Korea pursuant to\r\nExecutive Order (E.O.) 13722, based on their relationship to the Reconnaissance General Bureau (RGB).  Lazarus\r\nGroup, Bluenoroff, and Andariel are controlled by the U.S.- and United Nations (UN)-designated RGB, which is\r\nNorth Korea’s primary intelligence bureau.\r\n“Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to\r\nsupport illicit weapon and missile programs,” said Sigal Mandelker, Treasury Under Secretary for Terrorism and\r\nFinancial Intelligence.  “We will continue to enforce existing U.S. and UN sanctions against North Korea and\r\nwork with the international community to improve cybersecurity of financial networks.”\r\nMalicious Cyber Activity by Lazarus Group, Bluenoroff, and Andariel\r\nLazarus Group targets institutions such as government, military, financial, manufacturing, publishing, media,\r\nentertainment, and international shipping companies, as well as critical infrastructure, using tactics such as cyber\r\nespionage, data theft, monetary heists, and destructive malware operations.  Created by the North Korean\r\nGovernment as early as 2007, this malicious cyber group is subordinate to the 110th Research Center, 3rd Bureau\r\nof the RGB.  
The 3rd Bureau is also known as the 3rd Technical Surveillance Bureau and is responsible for North\r\nKorea’s cyber operations.  In addition to the RGB’s role as the main entity responsible for North Korea’s\r\nmalicious cyber activities, the RGB is also the principal North Korean intelligence agency and is involved in the\r\ntrade of North Korean arms.  The RGB was designated by OFAC on January 2, 2015 pursuant to E.O. 13687 for\r\nbeing a controlled entity of the Government of North Korea.  The RGB was also listed in the annex to E.O. 13551\r\non August 30, 2010.  The UN also designated the RGB on March 2, 2016.\r\nLazarus Group was involved in the destructive WannaCry 2.0 ransomware attack which the United States,\r\nAustralia, Canada, New Zealand and the United Kingdom publicly attributed to North Korea in December 2017. \r\nDenmark and Japan issued supporting statements and several U.S. companies took independent actions to disrupt\r\nthe North Korean cyber activity.  WannaCry affected at least 150 countries around the world and shut down\r\napproximately three hundred thousand computers.  Among the publicly identified victims was the United\r\nKingdom’s (UK) National Health Service (NHS).  Approximately one third of the UK’s secondary care hospitals\r\n— hospitals that provide intensive care units and other emergency services — and eight percent of general\r\nmedical practices in the UK were crippled by the ransomware attack, leading to the cancellation of more than\r\n19,000 appointments and ultimately costing the NHS over $112 million, making it the biggest known ransomware\r\noutbreak in history.  Lazarus Group was also directly responsible for the well-known 2014 cyber-attacks of Sony\r\nPictures Entertainment (SPE).\r\nAlso designated today are two sub-groups of Lazarus Group, the first of which is referred to as Bluenoroff by\r\nmany private security firms.  
Bluenoroff was formed by the North Korean government to earn revenue illicitly in\r\nresponse to increased global sanctions.  Bluenoroff conducts malicious cyber activity in the form of cyber-enabled\r\nheists against foreign financial institutions on behalf of the North Korean regime to generate revenue, in part, for\r\nits growing nuclear weapons and ballistic missile programs.  Cybersecurity firms first noticed this group as early\r\nas 2014, when North Korea’s cyber efforts began to focus on financial gain in addition to obtaining military\r\ninformation, destabilizing networks, or intimidating adversaries.  According to industry and press reporting, by\r\n2018, Bluenoroff had attempted to steal over $1.1 billion dollars from financial institutions and, according to press\r\nreports, had successfully carried out such operations against banks in Bangladesh, India, Mexico, Pakistan,\r\nPhilippines, South Korea, Taiwan, Turkey, Chile, and Vietnam. \r\nAccording to cyber security firms, typically through phishing and backdoor intrusions, Bluenoroff conducted\r\nsuccessful operations targeting more than 16 organizations across 11 countries, including the SWIFT messaging\r\nsystem, financial institutions, and cryptocurrency exchanges.  In one of Bluenoroff’s most notorious cyber\r\nactivities, the hacking group worked jointly with Lazarus Group to steal approximately $80 million dollars from\r\nthe Central Bank of Bangladesh’s New York Federal Reserve account.  By leveraging malware similar to that seen\r\nin the SPE cyber attack, Bluenoroff and Lazarus Group made over 36 large fund transfer requests using stolen\r\nSWIFT credentials in an attempt to steal a total of $851 million before a typographical error alerted personnel to\r\nprevent the additional funds from being stolen.\r\nThe second Lazarus Group sub-group designated today is Andariel.  
It focuses on conducting malicious cyber\r\noperations on foreign businesses, government agencies, financial services infrastructure, private corporations, and\r\nbusinesses, as well as the defense industry.  Cybersecurity firms first noticed Andariel around 2015, and reported\r\nthat Andariel consistently executes cybercrime to generate revenue and targets South Korea’s government and\r\ninfrastructure in order to collect information and to create disorder.\r\nSpecifically, Andariel was observed by cyber security firms attempting to steal bank card information by hacking\r\ninto ATMs to withdraw cash or steal customer information to later sell on the black market.  Andariel is also\r\nresponsible for developing and creating unique malware to hack into online poker and gambling sites to steal cash.\r\nAccording to industry and press reporting, beyond its criminal efforts, Andariel continues to conduct malicious\r\ncyber activity against South Korea government personnel and the South Korean military in an effort to gather\r\nintelligence.  One case spotted in September 2016 was a cyber intrusion into the personal computer of the South\r\nKorean Defense Minister in office at that time and the Defense Ministry’s intranet in order to extract military\r\noperations intelligence.\r\nIn addition to malicious cyber activities on conventional financial institutions, foreign governments, major\r\ncompanies, and infrastructure, North Korea’s cyber operations also target Virtual Asset Providers and\r\ncryptocurrency exchanges to possibly assist in obfuscating revenue streams and cyber-enabled thefts that also\r\npotentially fund North Korea’s WMD and ballistic missile programs.  According to industry and press reporting,\r\nthese three state-sponsored hacking groups likely stole around $571 million in cryptocurrency alone, from five\r\nexchanges in Asia between January 2017 and September 2018.\r\nU.S. 
Government Efforts to Combat North Korean Cyber Threats\r\nSeparately, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and\r\nU.S. Cyber Command (USCYBERCOM) have in recent months worked in tandem to disclose malware samples to\r\nthe private cybersecurity industry, several of which were later attributed to North Korean cyber actors, as part of\r\nan ongoing effort to protect the U.S. financial system and other critical infrastructure as well as to have the\r\ngreatest impact on improving global security.  This, along with today’s OFAC action, is an example of a\r\ngovernment-wide approach to defending and protecting against an increasing North Korean cyber threat and is\r\none more step in the persistent engagement vision set forth by USCYBERCOM.\r\nAs a result of today’s action, all property and interests in property of these entities, and of any entities that are\r\nowned, directly or indirectly, 50 percent or more by the designated entities, that are in the United States or in the\r\npossession or control of U.S. persons are blocked and must be reported to OFAC.  OFAC’s regulations generally\r\nprohibit all dealings by U.S. persons or within (or transiting) the United States that involve any property or\r\ninterests in property of blocked or designated persons.\r\nIn addition, persons that engage in certain transactions with the entities designated today may themselves be\r\nexposed to designation.  Furthermore, any foreign financial institution that knowingly facilitates a significant\r\ntransaction or provides significant financial services for any of the entities designated today could be subject to\r\nU.S. correspondent account or payable-through sanctions.\r\nInformation on the entities designated today.\r\nSource: https://home.treasury.gov/news/press-releases/sm774",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://home.treasury.gov/news/press-releases/sm774"
	],
	"report_names": [
		"sm774"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f426f0a0-faef-4c0e-bcf8-88974116c9d0",
			"created_at": "2022-10-25T15:50:23.240383Z",
			"updated_at": "2026-04-10T02:00:05.299433Z",
			"deleted_at": null,
			"main_name": "APT38",
			"aliases": [
				"APT38",
				"NICKEL GLADSTONE",
				"BeagleBoyz",
				"Bluenoroff",
				"Stardust Chollima",
				"Sapphire Sleet",
				"COPERNICIUM"
			],
			"source_name": "MITRE:APT38",
			"tools": [
				"ECCENTRICBANDWAGON",
				"HOPLIGHT",
				"Mimikatz",
				"KillDisk",
				"DarkComet"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1bdb91cf-f1a6-4bed-8cfa-c7ea1b635ebd",
			"created_at": "2022-10-25T16:07:23.766784Z",
			"updated_at": "2026-04-10T02:00:04.7432Z",
			"deleted_at": null,
			"main_name": "Bluenoroff",
			"aliases": [
				"APT 38",
				"ATK 117",
				"Alluring Pisces",
				"Black Alicanto",
				"Bluenoroff",
				"CTG-6459",
				"Copernicium",
				"G0082",
				"Nickel Gladstone",
				"Sapphire Sleet",
				"Selective Pisces",
				"Stardust Chollima",
				"T-APT-15",
				"TA444",
				"TAG-71",
				"TEMP.Hermit"
			],
			"source_name": "ETDA:Bluenoroff",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434625,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f797c4832edd2005abaa9076ccc40d3f16bccde.pdf",
		"text": "https://archive.orkl.eu/1f797c4832edd2005abaa9076ccc40d3f16bccde.txt",
		"img": "https://archive.orkl.eu/1f797c4832edd2005abaa9076ccc40d3f16bccde.jpg"
	}
}