The U.S. government is warning that the Democratic People’s Republic of Korea (DPRK) is dispatching its IT workers to get freelance jobs at companies across the world to obtain privileged access that is sometimes used to facilitate cyber intrusions.
Thousands of North Korean “highly skilled IT workers,” at the direction of or forced by their government are targeting freelance jobs at organizations in wealthier nations.
They used various methods to hide their North Korean origin to avoid sanctions from the U.S. and United Nations (UN) for individuals and organizations supporting the DPRK regime.
Helping North Korea’s hacking operations
An advisory from the U.S. Department of State, the U.S. Department of the Treasury, and the Federal Bureau of Investigation (FBI) provides red flag indicators for companies to protect against hiring or unwittingly enabling DPRK workers.
The alert notes that while North Korean don’t necessarily engage in cyber intrusions, “they have used the privileged access gained as contractors to enable the DPRK’s malicious cyber intrusions.”
Some of them have helped North Korea’s hacking operations by providing access to infrastructure or assisting with money laundering and transfers of virtual currency.
In some cases, DPRK’s dispatched wage earners – typically located in China, Russia, Africa, and Southeast Asia, have aided with selling data stolen in attacks from North Korean hackers.
To get into the desired position, the North Korea’s IT workers often pretend to be teleworkers located in the U.S. or other non-sanctioned country. They also pretend to be South Korean, Chinese, Japanese, or Eastern European teleworkers.
However, cyberattacks are not the main purpose behind North Koreans getting contracts. They work to sustain financially their government’s efforts to develop weapons of mass destruction (WMD, e.g. nuclear) and ballistic programs.
“The North Korean government withholds up to 90 percent of wages of overseas workers which generates an annual revenue to the government of hundreds of millions of dollars” – the U.S. Government
Evading identification
North Korea’s IT helping hand is mainly focused on the development sector, both software and hardware, of various complexity. This includes the following:
- mobile and web apps
- graphic animation
- gambling programs
- artificial intelligence
- virtual and augmented reality
- facial and biometric recognition
- database development and management
To obfuscate their true identity and pass as an individual from a non-sanctioned country, North Korean IT workers often change their names, use virtual private network (VPN) connections, or use IP addresses from other regions.
They often use proxies on various bidding platforms to get work and also buy accounts from individuals with no apparent DPRK affiliation in their profile, thus taking advantage of that person’s advertised work experience to obtain freelance gigs easier.
They establish a business relationship with other freelance workers on the platform to get access to new contracts and do their job over U.S. or European infrastructure, allowing them to slip past security mechanisms for fraudulent use.
“In establishing accounts with the aid of other freelance workers, DPRK IT workers may claim to be third-country nationals who need U.S. or other Western identification documents and freelance platform accounts to earn more money” – the U.S. Government
Using fake ID documents (sometimes stolen), forged signatures, dedicated devices for each account and banking services, are part of the typical methods for North Koreans to evade detection, sanctions, and money-laundering efforts.
Once they get a freelance job with a company, they are likely to recommend other DPRK IT workers.
Red flags
Some clues that freelance work and payment platforms should look for as indicative of a North Korean IT worker include the following:
- logins to the same account from different IP addresses in a short time, especially if they’re from multiple countries
- multiple developers logging in from the same IP address
- technical clues indicating the use of remote desktop sharing software or a VPN connection
- frequent use of template documents (bidding, project)
- accounts receiving positive ratings from one client with similar documentation for setting up developer accounts
- frequent money transfers particularly to banks in China, especially if routed through at least one company
Companies employing freelance developers should look for the following signs that could indicate a DPRK IT worker:
- using digital payment services, especially if linked to China
- inconsistencies in personal and professional details (name spelling, nationality, contact data, education, etc.)
- surprisingly portfolio websites, social media, or developer profiles
- direct messages or cold calls from persons claiming to be C-suite level execs from software for services or to advertise skills
- a destination address for receiving work-related items that is not on the developer’s ID document
- asking to be paid in virtual currency
- incorrect or changing contact information (phone numbers, emails)
- asking co-workers to borrow some of their personal information to obtain other contracts
The above are just some of the indicators that a DPRK IT worker is attempting to get a job from a company to support North Korea’s military development. The full list is available in the advisory published by the U.S. Department of Treasury.
Bidding platforms and companies should do their due diligence such as verifying a developer’s identity for potential signs of fraud before letting them engage in work agreements.
Supporting a DPRK IT worker’s activity comes with legal consequences associated with prohibited or sanctioned behavior.
Source: www.bleepingcomputer.com