{
	"id": "ea02576e-f34f-4a10-8d56-d3b7c0565fa8",
	"created_at": "2026-04-06T00:18:15.291443Z",
	"updated_at": "2026-04-10T13:12:37.501235Z",
	"deleted_at": null,
	"sha1_hash": "46bde63911ff11a1937e71b2716c30e6549b0428",
	"title": "Guidance on the North Korean Cyber Threat | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 121498,
	"plain_text": "Guidance on the North Korean Cyber Threat | CISA\r\nPublished: 2020-06-23 · Archived: 2026-04-06 00:02:35 UTC\r\nSummary\r\nThe U.S. Departments of State, the Treasury, and Homeland Security, and the Federal Bureau of Investigation are\r\nissuing this advisory as a comprehensive resource on the North Korean cyber threat for the international\r\ncommunity, network defenders, and the public. The advisory highlights the cyber threat posed by North Korea –\r\nformally known as the Democratic People’s Republic of Korea (DPRK) – and provides recommended steps to\r\nmitigate the threat. In particular, Annex 1 lists U.S. government resources related to DPRK cyber threats and\r\nAnnex 2 includes a link to the UN 1718 Sanctions Committee (DPRK) Panel of Experts reports.\r\nThe DPRK’s malicious cyber activities threaten the United States and the broader international community and, in\r\nparticular, pose a significant threat to the integrity and stability of the international financial system. Under the\r\npressure of robust U.S. and UN sanctions, the DPRK has increasingly relied on illicit activities – including\r\ncybercrime – to generate revenue for its weapons of mass destruction and ballistic missile programs. In particular,\r\nthe United States is deeply concerned about North Korea’s malicious cyber activities, which the U.S. government\r\nrefers to as HIDDEN COBRA. The DPRK has the capability to conduct disruptive or destructive cyber activities\r\naffecting U.S. critical infrastructure. The DPRK also uses cyber capabilities to steal from financial institutions,\r\nand has demonstrated a pattern of disruptive and harmful cyber activity that is wholly inconsistent with the\r\ngrowing international consensus on what constitutes responsible State behavior in cyberspace. \r\nThe United States works closely with like-minded countries to focus attention on and condemn the DPRK’s\r\ndisruptive, destructive, or otherwise destabilizing behavior in cyberspace. 
For example, in December 2017,\r\nAustralia, Canada, New Zealand, the United States, and the United Kingdom publicly attributed the WannaCry 2.0\r\nransomware attack to the DPRK and denounced the DPRK’s harmful and irresponsible cyber activity. Denmark\r\nand Japan issued supporting statements for the joint denunciation of the destructive WannaCry 2.0 ransomware\r\nattack, which affected hundreds of thousands of computers around the world in May 2017. \r\nIt is vital for the international community, network defenders, and the public to stay vigilant and to work together\r\nto mitigate the cyber threat posed by North Korea. \r\nTechnical Details\r\nDPRK’s Malicious Cyber Activities Targeting the Financial Sector\r\nhttps://www.us-cert.gov/ncas/alerts/aa20-106a\r\nPage 1 of 10\n\nMany DPRK cyber actors are subordinate to UN- and U.S.-designated entities, such as the Reconnaissance\r\nGeneral Bureau. DPRK state-sponsored cyber actors primarily consist of hackers, cryptologists, and software\r\ndevelopers who conduct espionage, cyber-enabled theft targeting financial institutions and digital currency\r\nexchanges, and politically-motivated operations against foreign media companies. They develop and deploy a\r\nwide range of malware tools around the world to enable these activities and have grown increasingly\r\nsophisticated. Common tactics to raise revenue illicitly by DPRK state-sponsored cyber actors include, but are not\r\nlimited to:\r\nCyber-Enabled Financial Theft and Money Laundering. 
The UN Security Council 1718 Committee Panel of\r\nExperts’ 2019 mid-term report (2019 POE mid-term report) states that the DPRK is increasingly able to generate\r\nrevenue notwithstanding UN Security Council sanctions by using malicious cyber activities to steal from financial\r\ninstitutions through increasingly sophisticated tools and tactics. The 2019 POE mid-term report notes that, in some\r\ncases, these malicious cyber activities have also extended to laundering funds through multiple jurisdictions. The\r\n2019 POE mid-term report mentions that it was investigating dozens of suspected DPRK cyber-enabled heists and\r\nthat, as of late 2019, the DPRK has attempted to steal as much as $2 billion through these illicit cyber\r\nactivities. Allegations in a March 2020 Department of Justice forfeiture complaint are consistent with portions of\r\nthe POE’s findings. Specifically, the forfeiture complaint alleged how North Korean cyber actors used North\r\nKorean infrastructure in furtherance of their conspiracy to hack digital currency exchanges, steal hundreds of\r\nmillions of dollars in digital currency, and launder the funds.\r\nExtortion Campaigns. DPRK cyber actors have also conducted extortion campaigns against third-country entities\r\nby compromising an entity’s network and threatening to shut it down unless the entity pays a ransom. In some\r\ninstances, DPRK cyber actors have demanded payment from victims under the guise of long-term paid consulting\r\narrangements in order to ensure that no such future malicious cyber activity takes place. DPRK cyber actors have\r\nalso been paid to hack websites and extort targets for third-party clients.\r\nCryptojacking. The 2019 POE mid-term report states that the POE is also investigating the DPRK’s use of\r\n“cryptojacking,” a scheme to compromise a victim machine and steal its computing resources to mine digital\r\ncurrency. 
The POE has identified several incidents in which computers infected with cryptojacking malware sent\r\nthe mined assets – much of it anonymity-enhanced digital currency (sometimes also referred to as “privacy coins”)\r\n– to servers located in the DPRK, including at Kim Il Sung University in Pyongyang.\r\nThese activities highlight the DPRK’s use of cyber-enabled means to generate revenue while mitigating the impact\r\nof sanctions and show that any country can be exposed to and exploited by the DPRK. According to the 2019 POE\r\nmid-term report, the POE is also investigating such activities as attempted violations of UN Security Council\r\nsanctions on the DPRK.\r\nCyber Operations Publicly Attributed to DPRK by U.S. Government\r\nThe DPRK has repeatedly targeted U.S. and other government and military networks, as well as networks related\r\nto private entities and critical infrastructure, to steal data and conduct disruptive and destructive cyber\r\nactivities. To date, the U.S. government has publicly attributed the following cyber incidents to DPRK state-sponsored cyber actors and co-conspirators:\r\nSony Pictures. In November 2014, DPRK state-sponsored cyber actors allegedly launched a cyber attack\r\non Sony Pictures Entertainment (SPE) in retaliation for the 2014 film “The Interview.” DPRK cyber actors\r\nhacked into SPE’s network to steal confidential data, threatened SPE executives and employees, and\r\ndamaged thousands of computers.\r\nFBI’s Update on Sony Investigation (Dec. 19, 2014) https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation\r\nDOJ’s Criminal Complaint of a North Korean Regime-Backed Programmer (Sept. 6, 2018)\r\nhttps://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and\r\nBangladesh Bank Heist. 
In February 2016, DPRK state-sponsored cyber actors allegedly attempted to\r\nsteal at least $1 billion from financial institutions across the world and allegedly stole $81 million from the\r\nBangladesh Bank through unauthorized transactions on the Society for Worldwide Interbank Financial\r\nTelecommunication (SWIFT) network. According to the complaint, DPRK cyber actors accessed the\r\nBangladesh Bank’s computer terminals that interfaced with the SWIFT network after compromising the\r\nbank’s computer network via spear phishing emails targeting bank employees. DPRK cyber actors then\r\nsent fraudulently authenticated SWIFT messages directing the Federal Reserve Bank of New York to\r\ntransfer funds out of the Bangladesh Bank’s Federal Reserve account to accounts controlled by the\r\nconspirators.\r\nDOJ’s Criminal Complaint of a North Korean Regime-Backed Programmer (Sept. 6, 2018)\r\nhttps://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and\r\nWannaCry 2.0. DPRK state-sponsored cyber actors developed the ransomware known as WannaCry 2.0,\r\nas well as two prior versions of the ransomware. In May 2017, WannaCry 2.0 ransomware infected\r\nhundreds of thousands of computers in hospitals, schools, businesses, and homes in over 150 countries. \r\nWannaCry 2.0 ransomware encrypts an infected computer’s data and allows the cyber actors to demand\r\nransom payments in the Bitcoin digital currency. The Department of the Treasury designated one North\r\nKorean computer programmer for his part in the WannaCry 2.0 conspiracy, as well as his role in the Sony\r\nPictures cyber attack and Bangladesh Bank heist, and additionally designated the organization he worked\r\nfor.\r\nCISA’s Technical Alert: Indicators Associated with WannaCry Ransomware (May 12, 2017)\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-132A\r\nWhite House Press Briefing on the Attribution of WannaCry Ransomware (Dec. 
19, 2017)\r\nhttps://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/\r\nDOJ’s Criminal Complaint of a North Korean Regime-Backed Programmer (Sept. 6, 2018)\r\nhttps://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and\r\nTreasury Targets North Korea for Multiple Cyber-Attacks (Sept. 6, 2018)\r\nhttps://home.treasury.gov/news/press-releases/sm473\r\nFASTCash Campaign. Since late 2016, DPRK state-sponsored cyber actors have employed a fraudulent\r\nATM cash withdrawal scheme known as “FASTCash” to steal tens of millions of dollars from ATMs in\r\nAsia and Africa.  FASTCash schemes remotely compromise payment switch application servers within\r\nbanks to facilitate fraudulent transactions. In one incident in 2017, DPRK cyber actors enabled the\r\nwithdrawal of cash simultaneously from ATMs located in more than 30 different countries. In another\r\nincident in 2018, DPRK cyber actors enabled cash to be simultaneously withdrawn from ATMs in 23\r\ndifferent countries.\r\nCISA’s Alert on FASTCash Campaign (Oct. 2, 2018) https://www.us-cert.gov/ncas/alerts/TA18-275A\r\nCISA’s Malware Analysis Report: FASTCash-Related Malware (Oct. 2, 2018) https://www.us-cert.gov/ncas/analysis-reports/AR18-275A\r\nDigital Currency Exchange Hack. As detailed in allegations set forth in a Department of Justice\r\ncomplaint for forfeiture in rem, in April 2018, DPRK state-sponsored cyber actors hacked into a digital\r\ncurrency exchange and stole nearly $250 million worth of digital currency. The complaint further described\r\nhow the stolen assets were laundered through hundreds of automated digital currency transactions, to\r\nobfuscate the origins of the funds, in an attempt to prevent law enforcement from tracing the assets. 
Two\r\nChinese nationals are alleged in the complaint to have subsequently laundered the assets on behalf of the\r\nNorth Korean group, receiving approximately $91 million from DPRK-controlled accounts, as well as an\r\nadditional $9.5 million from a hack of another exchange. In March 2020, the Department of the Treasury\r\ndesignated the two individuals under cyber and DPRK sanctions authorities, concurrent with a Department\r\nof Justice announcement that the individuals had been previously indicted on money laundering and\r\nunlicensed money transmitting charges and that 113 digital currency accounts were subject to forfeiture.\r\nTreasury’s Sanctions against Individuals Laundering Cryptocurrency for Lazarus Group (March 2,\r\n2020) https://home.treasury.gov/news/press-releases/sm924\r\nDOJ’s Indictment of Two Chinese Nationals Charged with Laundering Cryptocurrency from\r\nExchange Hack and Civil Forfeiture Complaint (March 2, 2020)\r\nhttps://www.justice.gov/opa/pr/two-chinese-nationals-charged-laundering-over-100-million-cryptocurrency-exchange-hack\r\nMitigations\r\nMeasures to Counter the DPRK Cyber Threat\r\nNorth Korea targets cyber-enabled infrastructure globally to generate revenue for its regime priorities, including\r\nits weapons of mass destruction programs. We strongly urge governments, industry, civil society, and individuals\r\nto take all relevant actions below to protect themselves from and counter the DPRK cyber threat:\r\nRaise Awareness of the DPRK Cyber Threat. Highlighting the gravity, scope, and variety of malicious\r\ncyber activities carried out by the DPRK will raise general awareness across the public and private sectors\r\nof the threat and promote adoption and implementation of appropriate preventive and risk mitigation\r\nmeasures.\r\nShare Technical Information of the DPRK Cyber Threat. 
Information sharing at both the national and\r\ninternational levels to detect and defend against the DPRK cyber threat will enable enhanced cybersecurity\r\nof networks and systems.  Best practices should be shared with governments and the private sector.  Under\r\nthe provisions of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. §§ 1501–1510), non-federal\r\nentities may share cyber threat indicators and defensive measures related to HIDDEN COBRA with federal\r\nand non-federal entities.\r\nImplement and Promote Cybersecurity Best Practices. Adopting measures – both technical and\r\nbehavioral – to enhance cybersecurity will make U.S. and global cyber infrastructure more secure and\r\nresilient. Financial institutions, including money services businesses, should take independent steps to\r\nprotect against malicious DPRK cyber activities. Such steps may include, but are not limited to, sharing\r\nthreat information through government and/or industry channels, segmenting networks to minimize risks,\r\nmaintaining regular backup copies of data, undertaking awareness training on common social engineering\r\ntactics, implementing policies governing information sharing and network access, and developing cyber\r\nincident response plans. The Department of Energy’s Cybersecurity Capability Maturity Model and the\r\nNational Institute of Standards and Technology’s Cybersecurity Framework provide guidance on\r\ndeveloping and implementing robust cybersecurity practices. As shown in Annex I, the Cybersecurity and\r\nInfrastructure Security Agency (CISA) provides extensive resources, including technical alerts and\r\nmalware analysis reports, to enable network defenders to identify and reduce exposure to malicious cyber\r\nactivities.\r\nNotify Law Enforcement. 
If an organization suspects that it has been the victim of malicious cyber\r\nactivity, emanating from the DPRK or otherwise, it is critical to notify law enforcement in a timely\r\nfashion.  This not only can expedite the investigation, but also, in the event of a financial crime, can\r\nincrease the chances of recovering any stolen assets.\r\nU.S. law enforcement has seized millions of dollars’ worth of digital currency stolen by North Korean\r\ncyber actors.  All types of financial institutions, including money services businesses, are encouraged to\r\ncooperate on the front end by complying with U.S. law enforcement requests for information regarding\r\nthese cyber threats, and on the back end by identifying forfeitable assets upon receipt of a request from\r\nU.S. law enforcement or U.S. court orders, and by cooperating with U.S. law enforcement to support the\r\nseizure of such assets.\r\nStrengthen Anti-Money Laundering (AML) / Countering the Financing of Terrorism (CFT) /\r\nCounter-Proliferation Financing (CPF) Compliance.  Countries should swiftly and effectively\r\nimplement the Financial Action Task Force (FATF) standards on AML/CFT/CPF.  This includes ensuring\r\nfinancial institutions and other covered entities employ risk mitigation measures in line with the FATF\r\nstandards and FATF public statements and guidance.  Specifically, the FATF has called for all countries to\r\napply countermeasures to protect the international financial system from the ongoing money laundering,\r\nterrorist financing, and proliferation financing risks emanating from the DPRK.[1]   This includes\r\nadvising all financial institutions and other covered entities to give special attention to business\r\nrelationships and transactions with the DPRK, including DPRK companies, financial institutions, and those\r\nacting on their behalf.  
In line with UN Security Council Resolution 2270 Operative Paragraph 33, Member\r\nStates should close existing branches, subsidiaries, and representative offices of DPRK banks within their\r\nterritories and terminate correspondent relationships with DPRK banks.\r\nFurther, in June 2019, FATF amended its standards to require all countries to regulate and supervise digital\r\nasset service providers, including digital currency exchanges, and mitigate against risks when engaging in\r\ndigital currency transactions. Digital asset service providers should remain alert to changes in customers’\r\nactivities, as their business may be used to facilitate money laundering, terrorist financing, and proliferation\r\nfinancing. The United States is particularly concerned about platforms that provide anonymous payment\r\nand account service functionality without transaction monitoring, suspicious activity reporting, and\r\ncustomer due diligence, among other obligations.\r\nU.S. financial institutions, including foreign-located digital asset service providers doing business in whole\r\nor substantial part in the United States, and other covered businesses and persons should ensure that they\r\ncomply with their regulatory obligations under the Bank Secrecy Act (as implemented through the\r\nDepartment of the Treasury’s Financial Crimes Enforcement Network (FinCEN) regulations in 31 CFR\r\nChapter X).  
For financial institutions, these obligations include developing and maintaining effective anti-money laundering programs that are reasonably designed to prevent the money services business from\r\nbeing used to facilitate money laundering and the financing of terrorist activities, as well as identifying and\r\nreporting suspicious transactions, including those conducted, affected, or facilitated by cyber events or\r\nillicit finance involving digital assets, in suspicious activity reporting to FinCEN.\r\nInternational Cooperation\r\nTo counter the DPRK’s malicious cyber activities, the United States regularly engages with countries around the\r\nworld to raise awareness of the DPRK cyber threat by sharing information and evidence via diplomatic, military,\r\nlaw enforcement and judicial, network defense, and other channels.  To hamper the DPRK’s efforts to steal funds\r\nthrough cyber means and to defend against the DPRK’s malicious cyber activities, the United States strongly\r\nurges countries to strengthen network defense, shutter DPRK joint ventures in third countries, and expel foreign-located North Korean information technology (IT) workers in a manner consistent with applicable international\r\nlaw.  A 2017 UN Security Council resolution required all Member States to repatriate DPRK nationals earning\r\nincome abroad, including IT workers, by December 22, 2019.  The United States also seeks to enhance the\r\ncapacity of foreign governments and the private sector to understand, identify, defend against, investigate,\r\nprosecute, and respond to DPRK cyber threats and participate in international efforts to help ensure the stability of\r\ncyberspace. 
\r\nConsequences of Engaging in Prohibited or Sanctionable Conduct\r\nIndividuals and entities engaged in or supporting DPRK cyber-related activity, including processing related\r\nfinancial transactions, should be aware of the potential consequences of engaging in prohibited or sanctionable\r\nconduct.\r\nThe Department of the Treasury’s Office of Foreign Assets Control (OFAC) has the authority to impose sanctions\r\non any person determined to have, among other things:\r\nEngaged in significant activities undermining cybersecurity on behalf of the Government of North Korea\r\nor the Workers’ Party of Korea;\r\nOperated in the information technology (IT) industry in North Korea;\r\nEngaged in certain other malicious cyber-enabled activities; or\r\nEngaged in at least one significant importation from or exportation to North Korea of any goods, services,\r\nor technology.\r\nAdditionally, if the Secretary of the Treasury, in consultation with the Secretary of State, determines that a foreign\r\nfinancial institution has knowingly conducted or facilitated significant trade with North Korea, or knowingly\r\nconducted or facilitated a significant transaction on behalf of a person designated under a North Korea-related\r\nExecutive Order, or under Executive Order 13382 (Weapons of Mass Destruction Proliferators and Their\r\nSupporters) for North Korea-related activity, that institution may, among other potential restrictions, lose the\r\nability to maintain a correspondent or payable-through account in the United States.\r\nOFAC investigates apparent violations of its sanctions regulations and exercises enforcement authority, as outlined\r\nin the Economic Sanctions Enforcement Guidelines, 31 C.F.R. part 501, appendix A. Persons who violate the\r\nNorth Korea Sanctions Regulations, 31 C.F.R. 
part 510, may face civil monetary penalties of up to the greater of\r\nthe applicable statutory maximum penalty or twice the value of the underlying transaction.\r\nThe 2019 POE mid-term report notes the DPRK’s use, and attempted use, of cyber-enabled means to steal funds\r\nfrom banks and digital currency exchanges could violate multiple UN Security Council resolutions (UNSCRs)\r\n(i.e., UNSCR 1718 operative paragraph (OP) 8(d); UNSCR 2094, OPs 8 and 11; and UNSCR 2270, OP 32). The\r\nDPRK-related UNSCRs also provide various mechanisms for encouraging compliance with DPRK-related\r\nsanctions imposed by the UN. For example, the UN Security Council 1718 Committee may impose targeted\r\nsanctions (i.e., an asset freeze and, for individuals, a travel ban) on any individual or entity who engages in a\r\nbusiness transaction with UN-designated entities or sanctions evasion. \r\nThe Department of Justice criminally prosecutes willful violations of applicable sanctions laws, such as the\r\nInternational Emergency Economic Powers Act, 50 U.S.C. §§ 1701 et seq.  Persons who willfully violate such\r\nlaws may face up to 20 years of imprisonment, fines of up to $1 million or totaling twice the gross gain,\r\nwhichever is greater, and forfeiture of all funds involved in such transactions. The Department of Justice also\r\ncriminally prosecutes willful violations of the Bank Secrecy Act (BSA), 31 U.S.C. §§ 5318 and 5322, which\r\nrequires financial institutions to, among other things, maintain effective anti-money laundering programs and file\r\ncertain reports with FinCEN. Persons violating the BSA may face up to 5 years imprisonment, a fine of up to\r\n$250,000, and potential forfeiture of property involved in the violations. Where appropriate, the Department of\r\nJustice will also criminally prosecute corporations and other entities that violate these statutes. 
The Department of\r\nJustice also works with foreign partners to share evidence in support of each other’s criminal investigations and\r\nprosecutions.\r\nPursuant to 31 U.S. Code § 5318(k), the Secretary of the Treasury or the Attorney General may subpoena a foreign\r\nfinancial institution that maintains a correspondent bank account in the United States for records stored\r\noverseas. Where the Secretary of the Treasury or Attorney General provides written notice to a U.S. financial\r\ninstitution that a foreign financial institution has failed to comply with such a subpoena, the U.S. financial\r\ninstitution must terminate the correspondent banking relationship within ten business days. Failure to do so may\r\nsubject the U.S. financial institution to daily civil penalties.\r\nDPRK Rewards for Justice\r\nIf you have information about illicit DPRK activities in cyberspace, including past or ongoing operations,\r\nproviding such information through the Department of State’s Rewards for Justice program could make you\r\neligible to receive an award of up to $5 million. For further details, please visit www.rewardsforjustice.net.\r\nANNEX I: USG Public Information on and Resources to Counter the DPRK Cyber Threat\r\nOffice of the Director of National Intelligence Annual Worldwide Threat Assessments of the U.S.\r\nIntelligence Community.  In 2019, the U.S. Intelligence Community assessed that the DPRK poses a significant\r\ncyber threat to financial institutions, remains a cyber espionage threat, and retains the ability to conduct disruptive\r\ncyber attacks. The DPRK continues to use cyber capabilities to steal from financial institutions to generate\r\nrevenue. Pyongyang’s cybercrime operations include attempts to steal more than $1.1 billion from financial\r\ninstitutions across the world – including a successful cyber heist of an estimated $81 million from Bangladesh\r\nBank. 
The report can be found at https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf.\r\nCybersecurity and Infrastructure Security Agency (CISA) Technical Reports. The U.S. government refers to\r\nthe malicious cyber activities by the DPRK as HIDDEN COBRA. HIDDEN COBRA reports provide technical\r\ndetails on the tools and infrastructure used by DPRK cyber actors. These reports enable network defenders to\r\nidentify and reduce exposure to the DPRK’s malicious cyber activities. CISA’s website contains the latest updates\r\non these persistent threats: https://www.us-cert.gov/northkorea. \r\nAdditionally, CISA provides extensive cybersecurity and infrastructure security knowledge and practices to its\r\nstakeholders, shares that knowledge to enable better risk management, and puts it into practice to protect the\r\nnation’s critical functions. Below are the links to CISA’s resources:\r\nProtecting Critical Infrastructure: https://www.cisa.gov/protecting-critical-infrastructure\r\nCyber Safety: https://www.cisa.gov/cyber-safety\r\nDetection and Prevention: https://www.cisa.gov/detection-and-prevention\r\nInformation Sharing: https://www.cisa.gov/information-sharing-and-awareness\r\nCISA Insights: https://www.cisa.gov/insights\r\nCombating Cyber Crime: https://www.cisa.gov/combating-cyber-crime\r\nCyber Essentials: https://www.cisa.gov/cyber-essentials\r\nTips: https://www.us-cert.gov/ncas/tips\r\nNational Cyber Awareness System: https://www.us-cert.gov/ncas\r\nIndustrial Control Systems Advisories: https://www.us-cert.gov/ics\r\nReport Incidents, Phishing, Malware, and Vulnerabilities: https://www.us-cert.gov/report\r\nFBI PIN and FLASH Reports.  FBI Private Industry Notifications (PIN) provide current information that will\r\nenhance the private sector’s awareness of a potential cyber threat. FBI Liaison Alert System (FLASH) reports\r\ncontain critical information collected by the FBI for use by specific private sector partners. 
They are intended to\r\nprovide recipients with actionable intelligence that helps cybersecurity professionals and system administrators to\r\nguard against the persistent malicious actions of cyber criminals. If you identify any suspicious activity within\r\nyour enterprise or have related information, please contact FBI CYWATCH immediately. For DPRK-related cyber\r\nthreat PIN or FLASH reports, contact cywatch@fbi.gov.\r\nFBI Cyber Division: https://www.fbi.gov/investigate/cyber\r\nFBI Legal Attaché Program: The FBI Legal Attaché’s core mission is to establish and maintain liaison with\r\nprincipal law enforcement and security services in designated foreign countries.\r\nhttps://www.fbi.gov/contact-us/legal-attache-offices\r\nU.S. Cyber Command Malware Information Release. The Department of Defense’s cyber forces actively seek\r\nout DPRK malicious cyber activities, including DPRK malware that exploits financial institutions, conducts\r\nespionage, and enables malicious cyber activities against the U.S. and its partners. U.S. Cyber Command\r\nperiodically releases malware information, identifying vulnerabilities for industry and government to defend their\r\ninfrastructure and networks against DPRK illicit activities. Malware information to bolster cybersecurity can be\r\nfound at the following Twitter accounts: @US_CYBERCOM and @CNMF_VirusAlert.\r\nU.S. Department of the Treasury Sanctions Information and Illicit Finance Advisories. The Office of\r\nForeign Assets Control’s (OFAC’s) online Resource Center provides a wealth of information regarding DPRK\r\nsanctions and sanctions with respect to malicious cyber-enabled activities, including sanctions advisories, relevant\r\nstatutes, Executive Orders, rules, and regulations relating to DPRK and cyber-related sanctions. 
OFAC has also\r\npublished several frequently asked questions (FAQs) relating to DPRK sanctions, cyber-related sanctions, and\r\ndigital currency. For questions or concerns related to OFAC sanctions regulations and requirements, please contact\r\nOFAC’s Compliance Hotline at 1-800-540-6322 or OFAC_Feedback@treasury.gov.\r\nDPRK Sanctions\r\nhttps://www.treasury.gov/resource-center/sanctions/Programs/pages/nkorea.aspx\r\nFAQs - https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_other.aspx#nk\r\nMalicious Cyber Activities Sanctions\r\nhttps://www.treasury.gov/resource-center/sanctions/Programs/pages/cyber.aspx\r\nFAQs - https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_other.aspx#cyber\r\nFAQs on Virtual Currency - https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_compliance.aspx#vc_faqs\r\nFinancial Crimes Enforcement Network (FinCEN) has issued an advisory on North Korea’s use of the\r\ninternational financial system (https://www.fincen.gov/resources/advisories/fincen-advisory-fin-2017-a008).\r\nFinCEN also issued specific advisories to financial institutions with suspicious activity reporting obligations that\r\nprovide guidance on when and how to report cybercrime and/or digital currency-related criminal activity:\r\nCybercrime\r\nhttps://www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a005\r\nIllicit digital currency activity\r\nhttps://www.fincen.gov/resources/advisories/fincen-advisory-fin-2019-a003\r\nBusiness e-mail compromise\r\nhttps://www.fincen.gov/resources/advisories/fincen-advisory-fin-2019-a005\r\nhttps://www.fincen.gov/resources/advisories/fincen-advisory-fin-2016-a003\r\nFederal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to\r\nhelp financial institutions identify their risks and determine their cybersecurity preparedness. 
The assessment tool\r\ncan be found at https://www.ffiec.gov/cyberassessmenttool.htm.\r\nANNEX II: UN Panel of Experts Reports on the DPRK Cyber Threat\r\nUN 1718 Sanctions Committee (DPRK) Panel of Experts Reports. The UN Security Council 1718 Sanctions\r\nCommittee on the DPRK is supported by a Panel of Experts, who “gather, examine, and analyze information”\r\nfrom UN Member States, relevant UN bodies, and other parties on the implementation of the measures outlined in\r\nthe UN Security Council Resolutions against North Korea. The Panel also makes recommendations on how to\r\nimprove sanctions implementation by providing both a Midterm and a Final Report to the 1718 Committee. These\r\nreports can be found at https://www.un.org/securitycouncil/sanctions/1718/panel_experts/reports.\r\nRevisions\r\nApril 15, 2020: Initial Version\r\nApril 30, 2020: Added PDF versions of this report in Arabic, French, Japanese, Korean, Portuguese, Spanish, and traditional Chinese.\r\nJune 16, 2020: Added PDF version of this report in Vietnamese.\r\nSource: https://www.us-cert.gov/ncas/alerts/aa20-106a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/aa20-106a"
	],
	"report_names": [
		"aa20-106a"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434695,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46bde63911ff11a1937e71b2716c30e6549b0428.pdf",
		"text": "https://archive.orkl.eu/46bde63911ff11a1937e71b2716c30e6549b0428.txt",
		"img": "https://archive.orkl.eu/46bde63911ff11a1937e71b2716c30e6549b0428.jpg"
	}
}