Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
North Korea Taps IT Contract Workers to Fund Weapons Program
Thousands of IT Workers Defrauded US Firms to Earn Hundreds of Millions of DollarsThousands of North Korean IT workers hid their identities to win hundreds of millions of dollars' worth of IT contractual work from overseas companies and used the money to fund the country's weapons development program, U.S. and South Korean agencies said. Some of the money helped develop the regime's nuclear weapons.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
The agencies, in a public advisory on Wednesday, warned that North Korean IT workers hid their country of origin and any associations with North Korea to subvert international sanctions against Kim Jong Un's regime. Many of the workers set up fake job recruitment agencies and job-seeking websites to contact overseas organizations and solicit the work.
The U.S. Department of Justice said Tuesday that it has seized 17 websites used by North Korean IT workers to defraud US and foreign businesses. Thousands of such workers relocated to foreign countries, primarily China and Russia, and used pseudonymous email, social media, payment platforms, online job site accounts, fake websites and proxy computers to fool potential employers.
The 17 fraudulent sites impersonated domains of legitimate, U.S.-based IT services companies, but the North Korean IT workers actually worked for China-based Yanbian Silverstar Network Technology Co. Ltd. and a Russia-based company called Volasys Silver Star.
According to South Korea's foreign ministry, many of North Korea's IT personnel belong to organizations designated as targets of sanctions in the UN Security Council's sanctions resolution against North Korea, such as the Ministry of Military Industry and the Ministry of Defense. "A significant portion of the funds earned by North Korean IT personnel are paid to these organizations to support North Korea's nuclear and missile development," the ministry said.
The ministry advised domestic organizations to strengthen identity verification processes for job seekers on job recruitment platforms.
"The act of ordering work and paying for North Korean IT personnel not only harms the reputation of companies, but in some cases may be punished under relevant domestic laws such as the Inter-Korean Exchange and Cooperation Act, or may violate UN Security Council resolutions on sanctions against North Korea," it said.
The joint advisory warned that North Korean IT workers also tried to access source code for sensitive projects and applications and steal intellectual property. Organizations should watch for suspicious behavior by IT workers, who typically avoid direct contact with employers for fear of betraying their lack of real work experience.
The IT workers avoid appearing on camera or attending meetings, tend to cheat on coding tests or stall on interview questions, frequently change their home addresses, and make repeated requests for prepayment, displaying anger or aggression when a request is denied. In some cases, the fraudsters also threatened to release proprietary source codes if additional payments were not made.
According to the agencies, these workers claim they have university degrees from China, Japan, Singapore, Malaysia or other Asian countries and work experiences almost exclusively in the U.S., South Korea and Canada. Although they claim to be from another country, they almost always prefer Korean as their primary language.
U.S. and South Korean intelligence agencies released their first public advisory about the North Korean IT workers in May 2022, warning that the fraudsters had taken advantage of the demand for specific IT skills, especially in software and mobile application development, to obtain employment contracts in North America, Europe and East Asia (see: North Korean IT Workers Using US Salaries to Fund Nukes).
The U.S. Treasury department in April also sanctioned Sim Hyon Sop, a North Korean citizen who acted on behalf of Korea Kwangson Banking Corp. to earn tens of millions of dollars in virtual currency since September 2021 using North Korean workers unknowingly hired by U.S.-based companies for IT development work.
"When the IT workers obtain employment, they are known to request to be paid in virtual currency and send the majority of their salaries through a complicated laundering pattern to funnel these illegally obtained funds back to the DPRK," Treasury officials said.