Treasury sanctions key player behind North Korean IT worker scheme

A senior official within North Korea’s Reconnaissance General Bureau (RGB) was sanctioned by the United States on Tuesday for his role in facilitating the IT worker scheme in China and Russia. 

Song Kum Hyok, a cyber actor associated with North Korea’s Andariel hacking group, helped provide North Korean IT workers with stolen U.S. identities that were used to obtain employment, according to the Treasury Department’s Office of Foreign Assets Control (OFAC). 

The office also sanctioned Russian national Gayk Asatryan and four companies involved in a Russia-based IT worker scheme that has generated significant revenue for North Korea.

Based in North Korea, Song allegedly used U.S. names, Social Security numbers and addresses to create aliases for workers that had been hired at U.S. companies in 2022 and 2023. The workers used the information to pose as U.S. citizens while working remotely. 

Song allegedly provided identities for North Korean IT workers based in China and Russia. U.S. officials said in addition to gaining millions of dollars in illicit revenue through salaries, the North Korean workers “have been known to introduce malware into company networks for additional exploitation.”

The U.S. and other nations say the IT worker scheme is one of the primary ways North Korea funds its internationally sanctioned programs for nuclear missiles and other weapons.

“Treasury remains committed to using all available tools to disrupt the Kim regime’s efforts to circumvent sanctions through its digital asset theft, attempted impersonation of Americans, and malicious cyber-attacks,” said Deputy Treasury Secretary Michael Faulkender.

U.S. officials accused Asatryan of using his Russian companies to employ North Korean IT workers, signing a 10-year contract with Korea Songkwang Trading General Corporation that allowed 30 workers to come to Russia to pose as U.S. workers. 

Asatryan signed another contract with Korea Saenal Trading Corporation that allowed a batch of 50 workers from North Korea to work in Russia. 

The Treasury Department sanctioned both North Korean companies and Asatryan’s Russian companies that signed contracts with them. 

The sanctions come one week after the Justice Department unsealed indictments charging several North Koreans and at least two U.S. citizens for their role in the IT worker campaign. 

U.S. agencies said they believe thousands of highly-skilled IT workers are stationed in China, Russia and Southeast Asia — gaining remote employment in high-paying roles that generates millions for North Korea’s military.