The US government has warned that North Korean IT workers are attempting to gain employment with businesses for nefarious purposes.
These are primarily to generate revenue for the Democratic People’s Republic of Korea (DPRK) government as a way of circumventing sanctions and conducting malicious cyber intrusions.
The advisory, issued by the US state and treasury departments and the FBI, claimed these workers are taking advantage of the shift to remote work to help obfuscate their identities to gain freelance employment contracts from organizations based in regions like the US, Europe and East Asia. This includes using VPNs to appear as though they are connecting to the internet from inconspicuous locations.
It is believed North Korea has recognized the growing demand for IT skills, such as software and mobile application development, in these regions. Once employed, these workers provide a “critical stream” of revenue to help fund the North Korean state’s activities. The advisory stated: “All DPRK IT workers earn money to support North Korean leader Kim Jong Un’s regime. The vast majority of them are subordinate to and working on behalf of entities directly involved in the DPRK’s UN-prohibited WMD and ballistic missile programs, as well as its advanced conventional weapons development and trade sectors.”
This follows the DPRK placing years of focus on education and training in IT-related subjects for its citizens.
In addition, while North Korean IT workers typically engage in non-malicious IT work, the US government believes they “have used the privilege access gained as subcontractors to enable DPRK’s malicious cyber intrusions.”
It also noted that some overseas-based DPRK IT workers had provided logistical support to DPRK-based malicious cyber actors. “DPRK IT workers may share access to virtual infrastructure, facilitate sales of data stolen by DPRK cyber actors or assist with the DPRK’s money laundering and virtual currency transfers,” the advisory added.
The guidance also outlined red flag indicators of DPRK IT worker activity that organizations should look out for on their platforms. These include multiple logins into one account from various IP addresses in a short period of time, developers logging into their accounts continuously for one or more days at a time and router port or other technical configurations associated with the use of remote desktop sharing software.
The government also warned that hiring North Korean IT workers could have reputational and legal consequences, including sanctions under both US and United Nations authorities.
Commenting on the story, Kevin Bocek, VP security strategy and threat intelligence, Venafi, said: “Defending against North Korean nation-state actors is difficult, particularly when these threats are now coming from both outside and inside organizations. They are often well funded, highly sophisticated, and – as we’re seeing with this FBI warning – capable of thinking outside the box to find new ways to attack networks, as we’re now seeing with rogue freelancers hacking from within.”
He added: “Organizations must now be proactive, not reactive in their security defenses. It’s clear that recruitment processes have to be robust to prevent hiring a rogue freelancer.”
Last month, a United Nations expert on North Korea said the country is funding its banned nuclear and missile programs with cyber activity.