U.S. imposes sanctions on North Korea for Sony hack

WASHINGTON - Two weeks after blaming North Korea for hacking into Sony Pictures, the Obama administration on Friday imposed new sanctions on the repressive government as part of what it described as a broader attempt to tackle threats to U.S. cybersecurity.

Under a new executive order signed by President Obama, the Treasury Department imposed financial measures on 10 North Korean officials and three government agencies. Although it is unclear how those sanctions might deter future cyberassaults, officials said they expected financial institutions in other countries to take notice and to complicate North Korean business dealings.

"This attack on Sony Pictures Entertainment clearly crossed a threshold for us," one U.S. official said, citing concerns about the growing sophistication and danger posed by cybersecurity threats in general.

"You should see this as part of a broader effort to raise the baseline level of cybersecurity across the country and tackle these threats head-on."

The targets of the new sanctions include the Reconnaissance General Bureau, North Korea's main intelligence agency, which is believed to have orchestrated major cyber-operations. The other targets are the Korea Mining Development Trading Corp., which is North Korea's main arms dealer, and the Korean Tangun Trading Corp., which is responsible for North Korea's defense research and development.

The individuals receiving sanctions - operating out of Russia, Iran, Syria, China, and Namibia - are not believed to have been directly involved in the hack into Sony, officials said. They earned their place on the new list as employees of the Pyongyang government or representatives of the ruling Workers' Party of Korea.

North Korea already has received more sanctions than most other nations, and the agencies and entities targeted Friday have all been punished previously. Still, analysts said the measures could inflict some new financial pain on North Korea's already isolated military establishment.

In a statement, Treasury Secretary Jack Lew said the new sanctions aim to hold North Korea responsible for "destructive and destabilizing conduct."

"Even as the FBI continues its investigation into the cyberattack against Sony Pictures Entertainment, these steps underscore that we will employ a broad set of tools to defend U.S. businesses and citizens, and to respond to attempts to undermine our values or threaten the national security of the United States," he said.

Obama had pledged to respond "proportionally" to the intrusion into Sony's network - an attack that not only exposed embarrassing corporate e-mails but wiped out computer data. The new measures fall short of the response sought by some lawmakers, including a move to redesignate North Korea as a state sponsor of terrorism.

Regardless of their impact, however, the sanctions serve as a sign of the administration's confidence that North Korea was behind the attack.

Since the earliest news reports about possible North Korean responsibility in November, there has been skepticism among independent security researchers who say that it is notoriously difficult to determine the origins of cyberattacks and that sophisticated hackers can hide their footsteps or otherwise fool investigators.

Those doubts have not receded since the FBI officially laid blame on the reclusive nation on Dec. 19, the same day that Obama threatened to retaliate for the attack and chastised Sony for canceling the planned release of the movie The Interview. The comedy's plot is built around the assassination of North Korean leader Kim Jong Un.

But administration officials insist they remain confident that North Korea, also known as the Democratic People's Republic of Korea, is behind the hack. They note that they have access to intelligence that skeptics do not.

"We stand firmly behind our call that the DPRK is behind the attacks on Sony," a senior administration official said Friday.

Officials said they believed the new measures marked the first time the United States has imposed sanctions related to a cyberattack.