The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently sanctioned Song Kum Hyok, a member of the North Korean hacking group Andariel, for his participation in a fraudulent remote IT worker scheme. Song, a 38-year-old North Korean national, allegedly used stolen U.S. identities to create aliases for foreign-hired IT workers, enabling them to secure remote jobs with U.S. companies and funnel a portion of their earnings back to North Korea. This development closely follows actions by the U.S. Department of Justice targeting the same scheme, which included arrests, financial account seizures, and the dismantling of fraudulent websites.
Beyond the individual sanction, the U.S. has also levied sanctions against a Russian national and four entities involved in a similar Russia-based IT worker scheme that facilitated the employment of North Koreans.
These sanctions represent the first official public link between the Andariel hacking group, a sub-cluster of the Lazarus Group, and the remote IT worker operation. Experts note that this connection reflects a broader and long-standing pattern of North Korean cyber activity, where individuals often transition between hacking groups and roles, with groups like Andariel pioneering the integration of IT workers into state-sponsored operations for both financial gain and operational assets.
The illicit revenue generated from these IT worker schemes, along with other cybercrimes like cryptocurrency hacks, is crucial for funding North Korea’s weapons of mass destruction and ballistic missile programs. North Korea has been responsible for a significant portion of global cryptocurrency hacks, demonstrating a persistent effort to circumvent international sanctions. Deputy Secretary of the Treasury Michael Faulkender emphasized the importance of vigilance in countering these efforts to clandestinely fund the Kim Jong Un regime.
The IT worker scheme, also known as Nickel Tapestry, Wagemole, and UNC5267, involves North Korean actors using a mix of stolen and fictitious identities to secure remote IT employment with U.S. companies.
The salaries earned are then illicitly transferred back to the North Korean regime, often through complex cryptocurrency transactions. This “insider threat” is one of many methods Pyongyang employs to generate revenue, with North Korea accounting for a substantial portion of stolen cryptocurrency globally.
While the majority of efforts to counter this threat have come from U.S. authorities, there is a growing international collaboration and awareness among other countries to address this complex transnational issue. The layered nature of these operations, involving individuals and front companies across multiple countries, underscores the critical need for joint investigations and intelligence sharing. The increased awareness and disruptive actions are seen as positive steps towards effectively countering these pervasive threats.
Reference:
