North Korean IT Workers Using US Salaries to Fund NukesScheme Results in Firms Unknowingly Financing Sanctioned Weapons Programs
North Korean information technology workers have been attempting to obtain employment in public and private sectors in the United States to fund their home country's weapons of mass destruction and ballistic missiles programs, according to an advisory from U.S. federal agencies.
"There are reputational risks and the potential for legal consequences, including sanctions designation under U.S. and United Nations authorities, for individuals and entities engaged in or supporting [Democratic People's Republic of Korea] IT worker-related activity and processing related financial transactions," the U.S. Department of State, the U.S. Department of the Treasury and the FBI say in an advisory.
The advisory says that North Korean IT workers take advantage of the existing demand for specific IT skills, especially in software and mobile application development, and try to obtain freelance employment contracts from clients around the world, including in North America, Europe and East Asia.
While the U.S. government's warning may seem unlikely at first glance, it combines a mix of cyber skills and old-school tradecraft with a motive that makes sense for the DPRK, says Sam Curry, visiting fellow at the National Security Institute and a former RSA executive.
"Normally, we think of cybercrime being for-profit and nation-states using cyber for political or geopolitical gains. North Korea uses cyber for geopolitical purposes but given the prevalence of economic sanctions, the main motivation is economic," he tells Information Security Media Group.
"North Korea needs money that is liquid and in that world, cryptocurrencies are the lifeblood of their financially starved regime. It therefore makes sense that the tried-and-true tools of espionage - in this case, moles and spies infiltrating companies and organizations - get used. This is a reminder to security officers, HR departments, hiring managers and executives to really do the background checks right," Curry says.
Hiding Their Identities
In some cases, the advisory says, the IT workers represented themselves as U.S.-based or as non-North Korean teleworkers, and they may further obfuscate their identities and location by subcontracting work to non-North Koreans.
The advisory says that a DPRK IT worker may claim to be a third-country national who needs the U.S. or other Western identification documents and freelance platform accounts to earn more money.
"Hiding their real locations allows DPRK IT workers to violate terms of service agreements for the online platforms and services they use for their activities. As part of their tradecraft, DPRK IT workers may also use single, dedicated devices for each of their accounts, especially for banking services, to evade detection by fraud prevention, sanctions compliance and anti-money laundering measures," the advisory says.
Separately, while DPRK IT workers "normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK's malicious cyber intrusions," according to the advisory.
It does not specify any particular incidents to support this statement, but it offers details on how DPRK IT workers operate and provides red flag indicators for companies hiring freelance developers.
"DPRK IT workers engage other non-North Korean freelance workers on platforms to propose collaboration on development projects. A DPRK IT worker takes advantage of these business relationships to gain access to new contracts and virtual currency accounts used to conduct the IT work over U.S. or European virtual infrastructure, bypassing security measures intended to prevent fraudulent use," the advisory says.
In addition, the advisory says that these IT workers routinely use counterfeit, altered or falsified documents, including identification documents and forged signatures. DPRK IT workers commonly procure forged documents such as driver's licenses, Social Security cards, passports, national identification cards, resident foreigner cards, high school and university diplomas, work visas, and credit card, bank and utility statements.
Significant Support for WMD Programs
The advisory states that these IT workers provide a critical stream of revenue that helps fund the DPRK regime's highest economic and security priorities, such as its weapons development program.
"DPRK leader Kim Jong Un recognizes the importance of IT workers as a significant source of foreign currency and revenue, and supports their operations. There are thousands of DPRK IT workers both dispatched overseas and located within the DPRK, generating revenue that is remitted back to the North Korean government," the advisory says.
It says most of these IT workers are located in the People's Republic of China and Russia, with a smaller number in Africa and Southeast Asia, and that they rely on overseas contacts to obtain freelance jobs for themselves and to interface more directly with customers.
In addition, the advisory says that a vast majority of the DPRK IT workers are subordinate to and working on behalf of entities directly involved in the DPRK's UN-prohibited WMD and ballistic missile programs, as well as its advanced conventional weapons development and trade sectors.
"This results in revenue generated by these DPRK IT workers being used by the DPRK to develop its WMD and ballistic programs, in violation of U.S. and UN sanctions. Many of these entities have been designated for sanctions by the UN and United States," the advisory says.
An overseas DPRK IT worker earns 10 times more than a conventional North Korean laborer working in a factory or on a construction project overseas, it says.
DPRK IT workers can individually earn more than $300,000 a year in some cases, according to the advisory, and teams of IT workers can sometime collectively earn more than $3 million annually. A significant percentage of their gross earnings supports DPRK regime priorities, including its WMD program, the advisory says.
It says that DPRK IT companies and their workers normally engage in a wide range of IT development work of varying complexity and difficulty, such as mobile applications and web-based applications, building virtual currency exchange platforms and digital coins, general IT support, graphic animation, online gambling programs, mobile games, dating applications, artificial intelligence-related applications, hardware and firmware development, virtual reality and augmented reality programming, facial and biometric recognition software and database development and management.
Zero Trust Can Help
To ensure that companies don't unknowingly fund the DPRK's mission, Curry recommends reference checks and verification of resume claims. "These might be skipped or done weakly in many organizations, but the basics can catch spies. At the very least, it will force the DPRK to spend more money on the program and affect its bottom line," he says.
Taking a zero trust security approach can help ensure that no implicit trust is granted for any entity within an IT environment.
"This is one more reason why every organization must follow zero trust security and follow the principle of least privilege - to ensure every user has access only to the systems they are trusted with and that the identity is verified on every access," says Teresa Rothaar, security and compliance analyst at cybersecurity firm Keeper Security. "This may sound like common sense, but as an example, companies still provide every user with VPN logins that give them access to every system in the network, including visibility into servers, desktop, printers, routers, traffic and file shares."
Along with zero trust, privilege access management solutions that allow logging of every action and ensure auditability of every system's security are key, she adds.