The U.S. Departments of State, the Treasury and Homeland Security and the Federal Bureau of Investigation issued a joint advisory (the Advisory) on April 15, 2020, discussing the threat to the international community posed by cyberattacks linked to the Democratic People’s Republic of Korea (North Korea), in particular highlighting concerns for the financial services sector. North Korea has been subjected to comprehensive international sanctions implemented to pressure its government to denuclearize. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has implemented additional unilateral sanctions in response to other North Korean activities, including cyberattacks, human rights violations and money laundering. In addition to broad prohibitions on trade with North Korea, U.S. sanctions bar domestic financial institutions from conducting or facilitating any significant transaction in connection with trade with North Korea or on behalf of any person whose property has been blocked under executive orders imposing sanctions on North Korea. Foreign financial institutions risk secondary sanctions for engaging in the same.1
As a result, North Korea has increasingly used cybercrime, such as ransomware attacks, to raise funds to support its weapons of mass destruction and ballistic missile programs. Recent examples of cyberattacks attributed to North Korea include WannaCry 2.0, a 2017 ransomware cyberattack that infected hundreds of thousands of computers and IT resources in over 150 countries, and the Digital Currency Exchange Hack, a hack into a digital currency exchange that stole approximately $250 million worth of digital currency. These incidents, and other similar digital attacks, victimized institutions and individuals alike with monetary losses, data loss or corruption as well as system downtime that can have a cascading effect on operations, productivity, profits and market reputation.
The Advisory notes that to avoid falling victim to North Korean cyberattacks, people can take the following steps, among others:
- Raise awareness of the North Korean cyber threat. OFAC recommends that organizations highlight the gravity, scope and variety of malicious cyber activities carried out by North Korea to raise awareness of the threat in the public and private sectors. Further, awareness raising will promote adoption and implementation of preventive and risk mitigation measures. For private-sector companies, this means incorporating a more sophisticated understanding of the North Korean cyber threat into risk assessments and planning as well as management discussions about evolving risks for governance purposes.
- Share technical information of the North Korean cyber threat. Information sharing — across the private and public sectors — can assist in the detection and defense against North Korean cyber threats. Technical information sharing enables organizations to enhance their cybersecurity networks and systems. The Cybersecurity Information Sharing Act of 2015 permits nonfederal entities to share cyber threat indicators and defensive measures with federal and nonfederal entities and provides some limited liability shields from privacy claims where entities share information pursuant to certain protocols.2
- Implement and promote cybersecurity best practices. Adopting cybersecurity best practices helps to create a secure and resilient international cybersecurity infrastructure. The Advisory recommends that financial institutions take independent steps to protect against the North Korean cyber threat. For example, organizations can segment networks to minimize risk, maintain regular backup copies of data, undertake awareness training on common social engineering tactics and develop more comprehensive incident response plans. Cybersecurity best practices are discussed further below.
- Notify law enforcement. Organizations should notify law enforcement when malicious cyber activity is suspected. Timely notification to law enforcement can expedite investigations and increase the chances that stolen assets can be recovered.
- Strengthen anti-money-laundering (AML), countering the financing of terrorism (CFT) and counter proliferation financing (CPF) compliance. Countries should implement risk mitigation measures in line with the Financial Action Task Force (FATF) standards on AML, CFT and CPF. FATF has called for all countries to apply countermeasures to protect against North Korean cyberattacks, with special attention to financial institutions with business relationships with North Korea or North Korean companies. The U.S. government expects financial institutions and other payment processors to engage in transaction monitoring, customer due diligence and suspicious activity reporting and notes that platforms operating with potential anonymous payment activity and outside of compliance with AML expectations are of particular concern.
The Advisory’s recommendations are in accord with general cybersecurity regulations that govern financial institutions. The Gramm-Leach-Bliley Act requires financial institutions to develop written information security plans. Security plans must include a comprehensive safeguards program that is regularly monitored and tested and a risk assessment plan that can be used to appropriately modify cybersecurity practices.3 Financial regulators have in recent years also stressed the importance of business continuity and disaster recovery planning, critical to mitigating ransomware risks, in examinations. Companies can also look to the National Institute of Standards and Technology framework for guidance on how to best monitor, detect and prevent cyber threats.4
This Advisory forms part of OFAC’s current focus on North Korea and follows OFAC’s publication of amended North Korea Sanctions Regulations (31 C.F.R. Part 510) on April 10, 2020, incorporating into the regulations the blocking and correspondent banking sanctions present in the North Korea Sanctions and Policy Enhancement Act of 2016, as amended by the Countering America’s Adversaries Through Sanctions Act and the National Defense Authorization Act for Fiscal Year 2020.
Individuals and entities must take steps to ensure that they do not engage in any activities that support North Korea’s cyberattacks, including processing related financial transactions, or risk violating both U.S. and United Nations sanctions. If OFAC determines that a foreign financial institution has facilitated any significant transaction in connection with the government of North Korea, that institution may face secondary sanctions, including losing the ability to maintain a correspondent account in the United States or designation as a Specially Designated National. Maximum civil penalties for sanctions violations are the greater of $307,922 or twice the value of the transaction, per violation.5
1 E.O. 13810, Imposing Additional Sanctions With Respect to North Korea (September 20, 2017).
2 6 U.S.C. §§ 1501–1510
3 Federal Trade Commission, Financial Institutions and Customer Information: Complying with the Safeguards Rule (2006), https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying.
4 National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (April 16, 2018).
5 North Korea Sanctions Regulations, 31 C.F.R. § 510.701 (2020).