North Korean developers pose as US freelancers and aid DPRK govt hackers.
The U.S. government warns that developers from the Democratic People's Republic of Korea (DPRK) are seeking freelance jobs at organizations in wealthier nations to obtain privileged access that can enable malicious cyber intrusions.
According to a joint advisory from the U.S. Department of State, the Department of the Treasury, and the Federal Bureau of Investigation (FBI), highly skilled software and mobile app developers from the DPRK, at the direction of or under coercion by their government, are posing as "non-DPRK nationals" in hopes of getting freelance employment.
Their targets include financial, health, social media, sports, entertainment, and lifestyle-focused companies located in North America, Europe, and East Asia, with most of the dispatched workers situated in China, Russia, Africa, and Southeast Asia.
The U.S. agencies warn that the aim is to generate a constant stream of revenue that evades the international sanctions imposed on the nation and helps fund its economic and security priorities, including its nuclear and ballistic missile programs.
The North Korean government withholds up to 90 percent of the wages of its overseas workers, generating hundreds of millions of dollars in annual revenue for the regime.
Some of the areas where DPRK IT workers were found to be working include software development, crypto platforms, graphic animation, online gambling, mobile games, dating, AI, and VR apps, hardware and firmware development, biometric recognition software and database management.
DPRK IT workers also take on projects that involve virtual currency. Additionally, they are said to abuse the privileged access obtained as contractors to provide logistical support to North Korean state-sponsored groups, share access to virtual infrastructure, facilitate the sale of stolen data, and assist in money laundering and virtual currency transfers.
To hide their true identity and pose as individuals from non-sanctioned countries, North Korean IT workers often change their names, use virtual private network (VPN) connections, or use IP addresses from other regions, so a country check on the login IP alone is not a reliable control.
Some clues that freelance work and payment platforms should look for as indicative of a North Korean IT worker include the following:
- Multiple logins into one account from different IP addresses in a short time.
- Logins to multiple accounts on the same platform from one IP address.
- Accounts that stay logged in continuously for one or more days at a time.
- Use of ports such as 3389 (Remote Desktop Protocol) that are associated with remote desktop sharing software, which suggests the "freelancer" is relaying a remote worker through a local machine.
- Use of rogue client accounts on freelance work platforms to boost developer account ratings.
- Multiple developer accounts receiving high ratings from one client account in a short time.
- Frequent money transfers, particularly to China-based bank accounts, and
- Requests for payment in virtual currency.
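The login and rating indicators above are pattern checks over platform telemetry, and they can be run mechanically. The following Python is an added example, not code from the advisory or the article: it evaluates four of the indicators (several IPs for one account within a short window, many accounts behind one IP, sessions lasting a day or more, and one client account giving high ratings to several developer accounts in a short time) over a constructed sample log. The log format, the account names, the IP addresses (documentation ranges) and the thresholds (three IPs within an hour, three accounts per IP, 24 hours, three high ratings within an hour) are all assumptions chosen for illustration, not values taken from the advisory.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample platform log (not real data). Each line is
# "<timestamp> <event> <actor> <detail...>":
#   login/logout <account> <ip>
#   rating <client_account> <developer_account> <score>
SAMPLE_LOG = """\
2022-05-16T08:00:00Z login dev_alice 203.0.113.10
2022-05-16T08:20:00Z login dev_alice 198.51.100.7
2022-05-16T08:45:00Z login dev_alice 192.0.2.55
2022-05-16T09:00:00Z login dev_bob 203.0.113.10
2022-05-16T09:05:00Z login dev_carol 203.0.113.10
2022-05-16T09:10:00Z login dev_dave 203.0.113.10
2022-05-16T11:00:00Z rating client_x dev_alice 5
2022-05-16T11:02:00Z rating client_x dev_bob 5
2022-05-16T11:05:00Z rating client_x dev_carol 5
2022-05-16T11:30:00Z rating client_y dev_eve 4
2022-05-16T17:00:00Z logout dev_dave 203.0.113.10
2022-05-17T10:00:00Z logout dev_bob 203.0.113.10
2022-05-18T12:30:00Z logout dev_alice 192.0.2.55
"""


def parse_log(text):
    """Parse the assumed log format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, actor, *rest = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append({"ts": when, "kind": kind, "actor": actor, "rest": rest})
    return sorted(events, key=lambda e: e["ts"])


def _window_hits(pairs, window, min_distinct):
    """pairs: time-sorted (ts, value). Return the values seen in any window
    of length `window` that holds at least `min_distinct` distinct values."""
    flagged = set()
    for i, (start, _) in enumerate(pairs):
        seen = {v for ts, v in pairs[i:] if ts - start <= window}
        if len(seen) >= min_distinct:
            flagged |= seen
    return flagged


def multi_ip_logins(events, window=timedelta(hours=1), min_ips=3):
    """Indicator 1: one account logging in from several IPs in a short time."""
    by_account = defaultdict(list)
    for e in events:
        if e["kind"] == "login":
            by_account[e["actor"]].append((e["ts"], e["rest"][0]))
    return {acct: ips for acct, pairs in by_account.items()
            if (ips := _window_hits(pairs, window, min_ips))}


def shared_ip_accounts(events, min_accounts=3):
    """Indicator 2: many accounts on the platform logging in from one IP."""
    by_ip = defaultdict(set)
    for e in events:
        if e["kind"] == "login":
            by_ip[e["rest"][0]].add(e["actor"])
    return {ip: accts for ip, accts in by_ip.items() if len(accts) >= min_accounts}


def long_sessions(events, min_hours=24):
    """Indicator 3: accounts logged in continuously for a day or more.
    A session runs from the first login after the previous logout to the
    logout; sessions still open at the end of the log are ignored."""
    start, hours = {}, {}
    for e in events:
        acct = e["actor"]
        if e["kind"] == "login":
            start.setdefault(acct, e["ts"])
        elif e["kind"] == "logout" and acct in start:
            length = (e["ts"] - start.pop(acct)).total_seconds() / 3600
            if length >= min_hours:
                hours[acct] = max(length, hours.get(acct, 0))
    return hours


def rating_rings(events, window=timedelta(hours=1), min_devs=3, min_score=4):
    """Indicators 5/6: one client account giving high ratings to several
    developer accounts in a short time (a candidate rogue client boosting
    its own developer accounts)."""
    by_client = defaultdict(list)
    for e in events:
        if e["kind"] == "rating" and int(e["rest"][1]) >= min_score:
            by_client[e["actor"]].append((e["ts"], e["rest"][0]))
    return {client: devs for client, pairs in by_client.items()
            if (devs := _window_hits(pairs, window, min_devs))}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("multi-IP logins:", multi_ip_logins(ev))
    print("shared IPs:", shared_ip_accounts(ev))
    print("long sessions (h):", long_sessions(ev))
    print("rating rings:", rating_rings(ev))
```

On the constructed log this flags dev_alice for three IPs within an hour, 203.0.113.10 for four accounts behind one address, dev_alice and dev_bob for sessions over 24 hours, and client_x for rating three developers within minutes. Treat the hits as triage signals rather than proof: corporate NAT and commercial VPN exits also put many legitimate users behind one IP, so the thresholds need tuning against the platform's own baseline, and a hit should trigger identity re-verification rather than automatic suspension.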
In one reported instance, North Korean developers working for a U.S. company stole over $50,000 in 30 small installments over the course of several months without the firm noticing.
The U.S. State Department added that hiring or supporting the activities of DPRK IT workers poses many risks, ranging from theft of intellectual property, data, and funds to reputational harm and legal consequences, including sanctions under both United States and United Nations authorities.