
Cybersecurity · Credibility 40/100 · 5 min read

Cybersecurity Briefing — DPRK revenue operations keep targeting banks and research networks

CISA’s AA20-106A advisory details how North Korean operators continue to steal from banks, digital currency exchanges, and COVID-19 research programs, forcing CISOs to harden payment platforms, AML workflows, and intelligence sharing.

Executive briefing: AA20-106A consolidates evidence from the Departments of State, Treasury, and Homeland Security and from the FBI that DPRK-linked operators still monetize intrusions into banks, digital currency exchanges, and COVID-19 research. The alert explains how HIDDEN COBRA teams launder funds through cutouts, run extortion schemes, and hijack research networks, which means CISOs must integrate law enforcement touchpoints into their incident playbooks and revisit sanctions controls.

Financial-sector containment priorities

  • Segment critical payment infrastructure. Keep SWIFT gateways, digital currency custody wallets, and core banking workloads isolated from desktop domains so that a compromised VPN credential cannot directly pivot into the payment chain.
  • Instrument AML triggers for cyber events. Teach transaction monitoring teams to treat sudden withdrawals, mixer transfers, or DPRK-associated privacy coins as sanctions risk indicators that must be escalated alongside the cyber incident.
  • Share IOCs immediately. Use the Cybersecurity Information Sharing Act channels, FS-ISAC circuits, or Treasury 314(b) notices to move DPRK indicators across peer institutions while the campaign is still active.

Governance and coordination moves

  • Rehearse joint responses. Walk executives through the exact FBI, OFAC, and FinCEN contacts referenced in the alert so legal and security teams know how to freeze accounts, file SARs, and preserve evidence without tipping off adversaries.
  • Update supplier requirements. Force cryptocurrency processors, correspondent banks, and research partners to document how they manage DPRK-attributed techniques such as cryptojacking, FASTCash ATM malware, and ransomware-enabled extortion.
  • Review sanctions screening. Confirm your sanctions tooling watches for designated DPRK personas, their front companies, and the 113 digital currency accounts Treasury already tied to laundering schemes.

Source excerpts

Primary — system-wide threat: “The DPRK’s malicious cyber activities…pose a significant threat to the integrity and stability of the international financial system.”

CISA — AA20-106A

Primary — scale of theft: “The 2019 POE mid-term report notes that…it was investigating dozens of suspected DPRK cyber-enabled heists and that, as of late 2019, the DPRK has attempted to steal as much as $2 billion through these illicit cyber activities.”

CISA — AA20-106A