The U.S. Department of State, the U.S. Department of the Treasury, and the FBI have issued an advisory warning of attempts by North Korean (DPRK) information technology (IT) workers to get jobs by posing as non-North Korean nationals. The warning has legal teeth: according to the advisory, the U.S. and the United Nations have sanctions designations for individuals and entities engaged in or supporting DPRK IT worker-related activity and for those processing the related financial transactions.
Connection to WMDs and missile programs
The advisory said North Korean IT workers are tapping into the demand for IT skills to get freelance contracts in North America, Europe, and East Asia. And in many cases, the workers circumvent hiring restrictions by representing themselves as U.S.-based or non-North Korean teleworkers – or hide their identities and location by sub-contracting work to non-North Koreans.
Workers target job opportunities across a wide gamut of specialties, including mobile applications, mobile games, building virtual currency exchange platforms and digital coins, graphic animation, artificial intelligence-related applications, hardware and firmware development, and database development and management.
The “vast majority of them are subordinate to and working on behalf of entities directly involved in DPRK’s WMD and ballistic missile programs, as well as its advanced conventional weapons development and trade sectors. This results in revenue…being used by the DPRK to develop its WMD and ballistic programs, in violation of U.S. and UN sanctions,” the advisory said.
“Although DPRK IT workers normally engage in non-malicious IT work, such as the development of a virtual currency exchange or a website, they have used the privileged access gained as contractors to enable DPRK’s malicious cyber intrusions. Some overseas-based DPRK IT workers have provided logistical support to DPRK-based malicious cyber actors, although the IT workers are unlikely to be involved in malicious cyber activities themselves. DPRK IT workers may share access to virtual infrastructure, facilitate sales of data stolen by DPRK cyber actors, or assist with the DPRK’s money-laundering and virtual currency transfers.”
--Guidance on the Democratic People’s Republic of Korea Information Technology Workers, Joint advisory of the U.S. Department of State, the U.S. Department of the Treasury, and the FBI, May 16, 2022
Cybercrime is how North Korea makes money
“Our recent research shows that cybercrime has become a primary means of revenue generation in North Korea,” said Kevin Bocek, VP, Ecosystem & Threat Intelligence at Venafi, adding that Advanced Persistent Threat (APT) groups are helping North Korea to work around international sanctions.
“It’s estimated that up to $2bn makes its way directly into North Korea’s weapons program each year as a result of nation state cybercrime,” Bocek said.
The method: targeting freelance IT developer contracts
North Korean IT teams operating abroad commonly get freelance jobs through online platforms, where companies advertise contracts for freelance IT developers. Also, in some instances, these rogue IT teams find local, non-DPRK nationals to serve as the nominal heads of companies that are actually controlled by North Koreans, according to the advisory.
These IT workers also use virtual currency exchanges and trading platforms to manage digital payments they receive for contract work as well as to launder and move funds.
The means: hiding identities
“DPRK IT workers deliberately obfuscate their identities, locations, and nationality online, often using non-Korean names as aliases,” the advisory said. They use virtual private networks (VPNs), virtual private servers (VPSs), or third-country IP addresses to conceal their location and reduce the likelihood of scrutiny of their DPRK location or relationships, according to the advisory.
The workers also exploit the anonymity of telework arrangements and use proxies for account creation and maintenance. They prefer to communicate through text-based chat rather than video calls.
Venafi’s take: be proactive
“Defending against North Korean nation-state actors is difficult, particularly when these threats are now coming from both outside and inside organizations,” said Bocek. “Organizations must now be proactive, not reactive in their security defenses. It’s clear that recruitment processes have to be robust to prevent hiring a rogue freelancer,” he said.
Bocek continued: “Ultimately, there’s no telling what these rogue freelancers are after. The targets that spring to mind are data theft or potentially funds, but we’ve seen in the past that North Korean APT groups have made use of stolen code signing identities in devastating nation state attacks. The problem is that there’s currently not enough awareness and security around the importance of machine identities. This lack of focus allows North Korean cybercriminals to take advantage of a serious blind spot in software supply chain attacks.
“For companies looking to protect against the impact these threat actors could have if armed with stolen code signing certificates, machine identity management remains the best defense.
“Businesses must have visibility over their environments in order to spot changes and react fast, both from a human identity and a machine identity perspective. Without the effective management of both machines and humans, we’ll continue to see APT groups thrive, and high-profile nation-state attacks will continue to affect businesses and government. The automation of machine identity management can help to take this element of security out of already overstretched security teams’ hands.”