US doubles bounty on Lazarus cyber crime group to $10m

The US State Department has doubled its reward for information on cyber threat actors located in, or linked to, North Korea from $5m to $10m (£4.2m to £8.3m), including the likes of Andariel, Bluenoroff, Kimsuky, and the notorious Lazarus syndicate, the group implicated in the 2017 WannaCry incident and a spate of other attacks.

In a new notice posted to Twitter, the Rewards for Justice programme – which was established in the 1980s to offer bounties for information on terrorism and, latterly, cyber crime – invited anyone with information on these groups to contact it through its dark web-based Tor tip line.

REWARD! Up to $10M for information on DPRK-linked malicious #cyber activity & #cyberthreat actors.

Got a tip on the Lazarus Group, Kimsuky, Bluenoroff, Andariel, or others? Send it to RFJ via our TOR-based tip line. https://t.co/oZCKNHU3fY pic.twitter.com/ONKHXwWiV1

— Rewards for Justice (@RFJ_USA) July 26, 2022

The State Department said North Korean threat actors were targeting US critical infrastructure with disruptive cyber attacks in violation of the Computer Fraud and Abuse Act, as well as targeting financial institutions – including cryptocurrency exchanges – and businesses to steal funds in support of North Korea’s nuclear and ballistic missile programmes, in contravention of sanctions against the regime.

Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi, a specialist in machine identity management, said the doubling of the reward showed how much of a threat North Korean actors have become in the international cyber crime sphere.

“Our research shows that the proceeds of cyber criminal activities from infamous groups such as Lazarus and APT38 – which are both named by the US State Department – are being used to circumvent international sanctions in North Korea,” said Bocek.

“This money is being funneled directly into weapons programmes and cyber crime has become an essential cog in the ongoing survival of Kim Jong Un’s dictatorship. Worryingly, this blueprint is also being mimicked by other rogue states. So, cutting North Korean cyber crime off at the source is essential to the national security of the US and its allies.”

He added: “Governments and businesses must act together and share intelligence on these attacks to build knowledge on the importance of machine identities in security, otherwise we’ll continue to see North Korean threat actors thrive.”

The latest call to action comes a week after the US Justice Department seized about $500,000 worth of cryptocurrency from another North Korean cyber criminal operation going by the name of Maui.

The sums included ransomware payments made by two healthcare organisations, both of which are being returned to the victims.

According to court documents, the action was made possible because the first victim, an unnamed organisation based in the state of Kansas, promptly notified the FBI of the incident, admitted it had had to make a payment (not advised) to recover access to its systems, and fully cooperated with the subsequent investigation.

In the course of its probe, the FBI was able to identify the Maui ransomware – which had not been seen before – and could easily trace the payment to a China-based money launderer. The subsequent seizure, made in April, led the investigators to other accounts and a second victim, another healthcare organisation from the state of Colorado.

“Reporting cyber incidents to law enforcement and cooperating with investigations not only protects the United States, it is also good business,” said assistant attorney general Matthew Olsen of the Justice Department’s National Security Division.

“The reimbursement to these victims of the ransom shows why it pays to work with law enforcement.”