“Song facilitated an information technology (IT) worker scheme in which individuals, often DPRK nationals working from countries such as China and Russia, were recruited and provided with falsified identities and nationalities to obtain employment at unwitting companies to generate revenue for the DPRK regime,” reads the U.S. Treasury announcement.

The U.S. Department of the Treasury sanctioned cyber actor Song Kum Hyok for his association with North Korea's hacking group Andariel and for facilitating IT worker schemes that generated revenue for the Pyongyang regime. Song Kum Hyok has been identified as a member of the Andariel hacking group (also known as APT45 and Silent Cholima) and has been providing fake or stolen U.S. identities to foreign IT workers seeking remote jobs at U.S. companies.

Considered a sub-cluster of the Lazarus group linked to North Korea's Reconnaissance General Bureau, the Andariel state actor is focused mostly on financially motivated operations like ransomware (Maui, Play) and cryptocurrency heists.

The workers split the income with Song, who sent the funds to North Korea as part of the country's effort to finance its WMD (weapons of mass destruction) and ballistic missile programs. Between 2022 and 2023, Song Kum Hyok used stolen U.S. citizens’ information (names, social security numbers, addresses) to create aliases for his collaborators that would get them hired by U.S. companies.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 09 Jul 2025 14:45:13 +0000