The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) today sanctioned Song Kum Hyok, a North Korean cyber actor linked to the Democratic People’s Republic of Korea (DPRK) Reconnaissance General Bureau’s hacking group Andariel, along with a Russia-based network of individuals and entities facilitating illicit IT worker schemes that generate revenue for the Kim regime’s weapons programs.
Song Kum Hyok’s Identity Theft Operation
Song Kum Hyok, operating from North Korea, orchestrated a sophisticated scheme to deploy foreign-hired IT workers using stolen American identities to secure remote employment with U.S. companies.
During 2022 and 2023, Song systematically used U.S. persons’ personal information, including names, social security numbers, and addresses, to create false aliases for hired foreign workers.
These workers then assumed American identities to apply for remote positions with unwitting U.S. companies, with Song planning to split the income generated from these fraudulent employment arrangements.
The designation falls under Executive Order 13694, as amended by E.O. 14306, targeting individuals responsible for misappropriating funds and economic resources through cyber-enabled means that threaten U.S. national security and economic stability.
Song’s activities represent a direct extension of the DPRK’s broader strategy to circumvent international sanctions through digital deception and cyber operations.
Russia-Based IT Worker Network Exposed
OFAC simultaneously targeted a Russia-based operation led by Gayk Asatryan, a Russian national who used his companies to employ North Korean IT workers.
In mid-2024, Asatryan signed a significant 10-year contract with Korea Songkwang Trading General Corporation to dispatch up to 30 DPRK IT workers to work in Russia through his company, Asatryan Limited Liability Company.
Additionally, he contracted with Korea Saenal Trading Corporation to deploy 50 DPRK IT workers through another entity, Fortuna Limited Liability Company.
The Treasury Department estimates that North Korea maintains thousands of highly skilled IT workers globally, primarily stationed in China and Russia, who generate substantial revenue, contributing to the regime’s weapons of mass destruction and ballistic missile programs.
These workers deliberately conceal their identities and locations, using false personas, proxy accounts, and forged documentation to target employers in wealthier countries across various sectors, including business, healthcare, fitness, social networking, and virtual currency platforms.
Enhanced Enforcement Measures
Deputy Secretary of the Treasury Michael Faulkender emphasized the action’s significance in countering North Korea’s persistent efforts to fund its weapons programs clandestinely.
The sanctions build upon previous designations, including the 2019 targeting of the Lazarus Group, Bluenoroff, and Andariel cyber groups, all of which are subordinate to the Reconnaissance General Bureau (RGB) and responsible for numerous high-value virtual currency heists designed to offset the impact of international sanctions.
The designations result in the blocking of all property and interests in property of the sanctioned individuals and entities within U.S. jurisdiction, with violations potentially resulting in civil or criminal penalties for both U.S. and foreign persons.





