Highly skilled software and mobile app developers from the Democratic People’s Republic of Korea (DPRK) are posing as “non-DPRK nationals” in hopes of landing freelance employment in an attempt to enable the regime’s malicious cyber intrusions.
That’s according to a joint advisory from the U.S. Department of State, the Department of the Treasury, and the Federal Bureau of Investigation (FBI) issued on Monday.
Targets include financial, health, social media, sports, entertainment, and lifestyle-focused companies located in North America, Europe, and East Asia, with most of the dispatched workers situated in China, Russia, Africa, and Southeast Asia.
The U.S. agencies are warning that the goal is to generate constant revenue, which will bypass international sanctions and serve the country’s economic and security priorities.
“The North Korean government withholds up to 90 percent of wages of overseas workers which generates an annual revenue to the government of hundreds of millions of dollars,” the guidance noted.
Software development, crypto platforms, graphic animation, online gambling, mobile games, dating, AI and VR apps, hardware and firmware, biometric recognition, software management, and database management are some of the areas in which DPRK IT workers can be found working.
DPRK IT workers are also known to take on projects that involve virtual currency, reflecting the country’s continued interest in the technology and its history of targeted attacks aimed at the financial sector.
They are also said to have abused the privilege of being contractors in order to support North Korean state-sponsored organizations, provide logistical support, access virtual infrastructure and facilitate the sale and transfer of stolen data.
Besides the deliberate obfuscation of their identities, locations, and nationality online by using VPNs and misrepresenting themselves as South Korean citizens, the advisory lists the following potential red flags indicating the involvement of DPRK IT workers –
- Multiple logins into one account from various IP addresses in a short period
- Logging into multiple accounts on the same platform from one IP address
- Logged in to accounts for one or more consecutive days
- Use of ports such as 3389 that are associated with remote desktop sharing software
- Using rogue client accounts on freelancing work platforms to increase developer account ratings
- Multiple developer accounts receiving high ratings in a very short period
- Recurring money transfers via payment platforms to bank accounts in China, and
- Seeking payment in virtual currency
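Three of the login-related red flags above (one account from many IP addresses in a short window, one IP address across many accounts, and use of remote-desktop ports such as 3389) can be checked mechanically against platform authentication logs. The following is an added illustration, not part of the advisory or the article; the log format, the 15-minute window and the thresholds of three IPs/three accounts are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (hypothetical platform log format).
SAMPLE_LOG = """\
2022-05-16T08:00:01Z login user=dev_alpha ip=203.0.113.10 port=443
2022-05-16T08:04:30Z login user=dev_alpha ip=198.51.100.7 port=443
2022-05-16T08:09:12Z login user=dev_alpha ip=192.0.2.55 port=443
2022-05-16T09:00:00Z login user=dev_beta ip=192.0.2.55 port=443
2022-05-16T09:01:00Z login user=dev_gamma ip=192.0.2.55 port=443
2022-05-16T09:30:00Z login user=dev_delta ip=203.0.113.99 port=3389
2022-05-16T10:00:00Z login user=dev_epsilon ip=203.0.113.5 port=443
"""

def parse(log):
    """Parse 'timestamp action key=value ...' lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, _action, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": fields["user"], "ip": fields["ip"],
                       "port": int(fields["port"])})
    return events

def flag(events, window=timedelta(minutes=15), min_ips=3, min_accounts=3,
         rdp_ports=frozenset({3389})):
    """Return a set of (red_flag, subject) tuples found in the events."""
    findings = set()
    by_user, by_ip = defaultdict(list), defaultdict(set)
    for e in events:
        by_user[e["user"]].append(e)
        by_ip[e["ip"]].add(e["user"])
        if e["port"] in rdp_ports:          # remote-desktop port in use
            findings.add(("remote-desktop-port", e["user"]))
    # One account reached from several distinct IPs within a short window.
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ips = {x["ip"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(ips) >= min_ips:
                findings.add(("many-ips-one-account", user))
                break
    # One IP logging into several different accounts on the platform.
    for ip, users in by_ip.items():
        if len(users) >= min_accounts:
            findings.add(("one-ip-many-accounts", ip))
    return findings
```

In a real deployment these thresholds produce noise from shared NAT gateways and mobile users, so the findings are triage signals to be combined with the other indicators the advisory lists, not verdicts on their own.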
In one instance highlighted in the advisory, North Korean developers working for an unnamed U.S. company carried out an unauthorized theft of over $50,000 in 30 small installments without the firm’s knowledge over the course of several months.
“Supporting or hiring DPRK IT workers presents many risks. These include theft of intellectual property and data as well as reputational damage and legal consequences. This includes sanctions under the United States and United Nations authorities,” the U.S. State Department stated.
The advisory also comes as the department announced a $5 million reward last month for information that leads to the disruption of North Korea’s cryptocurrency theft, cyber-espionage, and other illicit nation-state activities.