Technical Reconnaissance Bureau

Threat Actor updated 7 months ago (2024-05-04T20:58:22.800Z)
The Technical Reconnaissance Bureau (TRB), also known as the Fourteenth Bureau, is a North Korea-based threat actor that leads the Democratic People's Republic of Korea's (DPRK) development of offensive cyber tactics and tools. The TRB conducts mail inspection, telecommunications inspection and control, and coordinates the activities of several departments, including those affiliated with the Lazarus Group. The Lazarus Group has been associated with significant cyber-attacks, including the largest virtual currency heist to date in March 2022, where approximately $620 million was stolen from a blockchain project linked to the online game Axie Infinity.

The US Department of State and the Department of Treasury have imposed sanctions on the TRB, along with other entities and individuals such as Pyongyang University of Automation, the 110th Research Center cybersecurity unit, Chinyong Information Technology Cooperation Company, and North Korean national Kim Sang Man. These sanctions were imposed due to their roles in conducting malicious cyber activities and deploying IT workers who fraudulently obtained jobs to generate revenue, including virtual currency, to support the Kim regime and its priorities. The TRB and its subordinate cyber unit, the 110th Research Center, were specifically designated for being agencies, instrumentalities, or controlled entities of the Government of North Korea or the Workers’ Party of Korea.

Attribution of cyber attacks to the TRB has been complex and requires extensive research. In the past, researchers could trace Chinese attacks back to specific towns where TRB offices were located, aiding in attribution. However, current investigations into incident response and intrusion require years of research to accurately locate the TRB or its affiliations with the threat actor. As a result, the TRB remains a significant threat in the cybersecurity landscape, given its capabilities and associations with high-profile cyber-attacks.
Description last updated: 2024-05-04T16:11:34.912Z
Aliases
We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Treasury
Associated Threat Actors
Description: The Lazarus Group Threat Actor is associated with Technical Reconnaissance Bureau. The Lazarus Group, a notorious North Korean state-sponsored threat actor, is among the most prolific and dangerous cyber threat actors in operation. The group has been involved in several high-profile cyber-attacks, including Operation DreamJob in Spain, with the primary objective of funding North K
Association Type: Unspecified
Votes: 4
Source Document References
Information about the Technical Reconnaissance Bureau Threat Actor was read from the documents corpus below.