The US government warns that the Democratic People’s Republic of Korea (DPRK) sends its IT workers to get freelance jobs in companies around the world to gain privileged access that is sometimes used to facilitate cyber intrusions.
Thousands of North Korean “highly skilled computer workers”, under the direction or coercion of their government, are targeting freelance jobs in organizations in wealthier countries.
They used various methods to conceal their North Korean origin in order to avoid United States and United Nations (UN) sanctions for individuals and organizations supporting the DPRK regime.
Helping North Korea’s hacking operations
A notice from the US State Department, US Treasury Department and the Federal Bureau of Investigation (FBI) provides red flags for businesses to protect against inadvertently hiring or activating workers from the DPRK.
The alert notes that while the North Koreans may not necessarily engage in cyber intrusions, “they used privileged access gained as contractors to enable the DPRK’s malicious cyber intrusions.”
Some of them have aided North Korea’s hacking operations by providing access to infrastructure or assisting with money laundering and virtual currency transfers.
In some cases, seconded workers from the DPRK – usually located in China, Russia, Africa and Southeast Asia – have helped sell data stolen in attacks by North Korean hackers.
To gain access to the desired position, North Korean IT professionals often pretend to be telecommuters located in the United States or another non-sanctioned country. They also pose as South Korean, Chinese, Japanese or Eastern European telecommuters.
However, cyberattacks are not the main focus of the North Koreans’ contracts. They work to financially support their government’s efforts to develop weapons of mass destruction (WMD, eg, nuclear) and ballistic programs.
North Korea’s IT boost mainly focuses on the development sector, both software and hardware, of varying complexity. This includes the following:
- mobile and web apps
- motion graphics
- game programs
- artificial intelligence
- virtual and augmented reality
- facial and biometric recognition
- database development and management
To conceal their true identity and impersonate an individual from an unsanctioned country, North Korean IT workers often change their names, use virtual private network (VPN) connections, or use IP addresses from other regions.
They often use proxies on various auction platforms to get work and also buy accounts from people with no apparent DPRK affiliation in their profile, taking advantage of that person’s advertised work experience to get more easily independent gigs.
They establish a business relationship with other freelancers on the platform to access new contracts and do their work on US or European infrastructure, allowing them to circumvent security mechanisms for fraudulent use.
The use of fake (sometimes stolen) identity documents, fake signatures, dedicated devices for each bank account and services are some of the typical methods used by North Koreans to evade detection, sanctions and efforts. money laundering.
Once they have secured a freelance job with a company, they are likely to recommend other DPRK IT professionals.
Here are some clues that freelance work and payment platforms should look for as a callsign of a North Korean IT person:
- logs in to the same account from different IP addresses in a short time, especially if they are from multiple countries
- multiple developers connecting from the same IP address
- technical clues indicating the use of remote desktop sharing software or a VPN connection
- frequent use of document templates (tender, project)
- accounts receiving positive reviews from a customer with similar documentation for setting up developer accounts
- frequent money transfers, especially to banks in China, especially if they go through at least one company
Companies that employ freelance developers should look for the following signs that might indicate a DPRK IT professional:
- use digital payment services, especially if related to China
- inconsistencies in personal and professional data (spelling of name, nationality, contact details, education, etc.)
- surprisingly, portfolio websites, social media or developer profiles
- direct messages or cold calls from people claiming to be C-suite level executives from software for services or to advertise skills
- a destination address to receive work-related items that is not listed on the developer’s identity document
- ask to be paid in virtual currency
- incorrect or changing contact information (phone numbers, emails)
- ask colleagues to borrow some of their personal information to obtain other contracts
The above are just some of the indicators that a DPRK IT worker is trying to get a job with a company to support North Korea’s military development. The complete list is available in the notice published by the US Treasury Department.
Auction platforms and companies should do their due diligence, such as verifying a developer’s identity for possible signs of fraud before letting them engage in working agreements.
Supporting the activity of a DPRK IT worker carries legal consequences associated with prohibited or sanctioned behavior.