The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Song Kum Hyok, a member of the North Korean hacking group known as Andariel, for his involvement in a fraudulent IT worker scheme targeting American companies. The sanctions, announced on Tuesday, highlight a growing concern over North Korea’s use of covert methods to generate revenue amid ongoing international sanctions.
According to the Treasury, Song, a 38-year-old North Korean national residing in China, facilitated the operation by recruiting foreign IT workers who would falsely present themselves as Americans seeking remote employment. Using stolen identities, including names and Social Security numbers, these workers could appear legitimate while siphoning funds back to North Korea.
This announcement comes shortly after the U.S. Department of Justice (DoJ) conducted extensive operations against the North Korean IT worker scheme, resulting in one arrest and the seizure of numerous financial assets, including 29 accounts and nearly 200 computers. The crackdown underscores the serious implications of such cyber schemes and their potential to finance the North Korean regime.
In addition to sanctions on Song, OFAC imposed restrictions on a Russian national and several companies allegedly cooperating with North Korean operatives to facilitate this IT worker fraud. This cooperation illustrates a significant network enabling North Korean cyber activities, typically classified as illicit cyber operations, which have become a critical source of funding for the nation.
The Andariel group, a known subset of the Lazarus Group, has previously been linked to numerous cybercrimes including ransomware attacks and cryptocurrency thefts. Cybersecurity experts emphasize that these illegal operations not only fund North Korea’s military ambitions but also represent a broader threat landscape that necessitates vigilant international cooperation.
Michael Barnhart, Principal i3 Insider Risk Investigator at DTEX, noted that the connection of Andariel to this fraud scheme is indicative of a larger trend where North Korean cyber operators transition between various roles and groups to maximize their illicit gains. This pattern complicates the global cybersecurity landscape and necessitates enhanced collaboration among nations.
The U.S. Treasury confirmed its commitment to leveraging all available tools to halt the North Korean regime’s attempts to bypass sanctions and fund its illicit programs through digital asset theft and cyberattacks. As the situation evolves, stakeholders in global cybersecurity are urged to remain alert to the shifting tactics employed by North Korean hackers.
Recent reports also indicate that the North Korea-aligned group known as Kimsuky is actively targeting South Korean entities with advanced malware, demonstrating the extensive reach and evolving strategies of North Korean cyber actors.