U.S. Seizes Money, Domains Involved In North Korea IT Worker Scam

U.S. law enforcement agencies over the past year seized 17 web domains and almost $1.5 million as part of an ongoing effort to shut down a North Korean program to plant IT workers from the country in organizations around the world to steal money and information.

The U.S. Justice Department (DOJ) this week announced the seizures and updated its guidance for businesses about North Korea’s efforts, which – like much of the state-sponsored cyberthreat activity coming out of the isolated country – are designed to help fund its ballistic and nuclear weapon programs.

“Employers need to be cautious about who they are hiring and who they are allowing to access their IT systems,” U.S. Attorney Sayler A. Fleming said in a statement. “You may be helping to fund North Korea’s weapons program or allowing hackers to steal your data or extort you down the line.”

North Korea, one of the top exporters of cybercrime, over the past few years sent thousands of IT workers out of the country – primarily to China and Russia – with the goal of convincing businesses in the United States and elsewhere to hire them on a remote freelance basis.

Not a Simple Plan

The complex scheme includes the IT workers using false names and email, social media, payment method, and online job site accounts, according to the DOJ. In addition, they leveraged false websites, proxy computers in the United States and other countries, and third parties – witting and unwitting.


The agency also said the IT workers generated millions of dollars every year that were sent back to North Korea, including to the country’s Ministry of Defense and other organizations involved in the country’s weapons of mass destruction (WMD) programs, which have been prohibited by the United Nations.

The IT workers at times also hacked into the networks of their unwitting employers to steal information and to keep access open for future compromise and extortion efforts.

A Warning About Hiring

The U.S. State and Treasury departments and the FBI in May 2022 issued an advisory warning U.S. businesses about unintentionally hiring these North Korean IT workers, noting North Korea’s years-long focus on training citizens in mathematics and science, that an individual IT worker can earn up to $300,000 a year, and that a team of such workers can collectively bring in more than $3 million.

They work in everything from mobile apps and AI-related software to hardware and firmware development, virtual and augmented reality, facial recognition and biometric software, and database development and management.

Some North Korean IT workers designed the 17 website domains that the United States seized. The domains were designed to look like those of legitimate U.S.-based IT services companies, which helped the workers hide their identities and locations when applying online for IT freelance jobs.

Those North Korean workers actually worked for Yanbian Silverstar Network Technology, a Chinese company, and Volasys Silver Star, a Russian company. Both were sanctioned by Treasury in 2018. The IT workers funneled the money they earned from their fraudulent IT work to North Korea through online payment services and Chinese bank accounts.

Working with South Korea

The DOJ also noted it has been working with South Korea since 2022 to collect and disseminate information about North Korea’s fraudulent IT worker efforts, including thousands of indicators such as email addresses, to the U.S.-based online freelance work and payment service platforms used by the North Korean IT workers.

The DOJ, FBI, and other agencies over the past year have filed affidavits in their push to seize both the money and the domains.

In addition, the FBI’s updated guidance to businesses focused in part on additional “red flag indicators” that could mean a company is working with a fake IT worker from North Korea, including an unwillingness to participate in video meetings or interviews; indications of cheating on code tests, when answering employment questions, or during interviews; repeated requests for prepayments; and a lack of concern about taking a drug test.

Some steps organizations can take to avoid inadvertently hiring a North Korean IT worker include requesting documentation about background-check procedures from third parties or conducting their own checks, asking for a voided check or certified documents from the worker’s financial institution, and preventing remote desktop protocol (RDP) from being used, so that the worker cannot easily move through the company’s networks.

In a report earlier this month, researchers with Google-owned Mandiant included the IT worker scheme in a list of ever-evolving North Korean state-sponsored cyberthreat activities.

“These workers acquire freelance contracts from clients around the world and sometimes pretend to be based in the U.S. or other countries to secure employment,” Mandiant researchers wrote in the report. “Although they mainly engage in legitimate IT work, they have misused their access to enable malicious cyber intrusions carried out by North Korea.”

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.