A new advisory from three U.S. federal agencies is warning businesses of North Korean hackers pretending to be your friendly neighborhood IT professional looking for contract work. Imagine Tinker Tailor Soldier Spy but with everyone on the internet, and suddenly it seems less like an international spy thriller and more like the all-too-common story of people getting catfished by data-thirsty keyboard warriors.
Reuters first reported on a new document released Monday by the U.S. Treasury and State departments along with the FBI. It advises public businesses of the potential threat posed by the Democratic People’s Republic of Korea’s corps of fake IT workers, who pose as non-North Korean nationals looking for long-distance work.
Feds warned that companies may even be on the hook for breaking comprehensive U.S. sanctions laws on North Korea. Feds cited 2018 sanctions against the China-based tech firm Yanbian Silverstar Network Technology, claiming that it was actually managed by North Koreans.
The document says that while these workers “normally engage in IT work distinct from malicious cyber activity,” they can still get access to systems that make later hacks easier for the DPRK. Feds said some of these workers are dispatched overseas to places like China and Russia, as well as other locations in Africa and Southeast Asia. These workers often pretend to be from other countries and sometimes obfuscate their identities even more by hiring out through subcontractors.
Other operators remain inside North Korea, and the document states there are “credible reports” some workers are subject to human trafficking and forced labor. Feds claim that in many cases, 90% of the money these workers earn goes to support leader Kim Jong-un’s regime, specifically working with agencies that support the country’s ballistic missile programs.
The U.S. government-funded nonprofit Radio Free Asia has previously reported on North Koreans working abroad, noting there were approximately 50,000 to 60,000 North Korean overseas laborers when the report was published in 2016. RFA reporters identified DPRK-backed clinics in countries like Tanzania with more-than-questionable conditions sending millions of dollars back to support the regime. Other articles identified North Korean workers taking on low-paid, often dangerous work while having most of their paychecks confiscated by the DPRK.
The U.S. agencies said these fake IT workers operate in a multitude of technical and coding fields across various business and financial sectors, including animation, app and video game coding, face recognition software, and database development. Although these operators are often involved in “non-malicious” IT work, feds wrote that they can also use their privileged access to allow North Korea’s malware teams to infiltrate private or even public networks.
The advisory states these workers often advertise their skills via social media, message boards, and other online platforms where workers can post their skills and bid for jobs, referring to sites like Upwork or Fiverr, though the advisory did not give specifics of which platforms were most common.
Alongside spotting any inconsistencies in a contractor’s background, the advisory offers a few red flags for those looking for contract IT workers. These include temp workers showing multiple logins into one account from various IP addresses in a short period of time, or developers logging into multiple accounts from the same IP address. Feds also suggest companies conduct video interviews to verify a freelancer’s identity.
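The two login red flags above can be checked against a platform's authentication logs. The following Python is an added example, not code from the advisory: the event format, the account names, the one-hour window and the thresholds of three are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (timestamp, account, source IP). The IPs come
# from the RFC 5737 documentation ranges and the account names are made up.
SAMPLE_EVENTS = [
    ("2024-01-08T09:00:00", "dev_alice", "192.0.2.10"),
    ("2024-01-08T09:20:00", "dev_alice", "198.51.100.7"),
    ("2024-01-08T09:45:00", "dev_alice", "203.0.113.99"),
    ("2024-01-08T10:00:00", "dev_bob", "192.0.2.50"),
    ("2024-01-08T10:05:00", "dev_carol", "192.0.2.50"),
    ("2024-01-08T10:30:00", "dev_dave", "192.0.2.50"),
    ("2024-01-08T11:00:00", "dev_erin", "198.51.100.200"),
    ("2024-01-09T11:00:00", "dev_erin", "198.51.100.201"),
]

def parse(events):
    """Turn ISO timestamps into datetimes and sort chronologically."""
    return sorted((datetime.fromisoformat(t), acct, ip) for t, acct, ip in events)

def accounts_with_many_ips(events, window=timedelta(hours=1), min_ips=3):
    """Red flag 1: one account seen from >= min_ips distinct IPs within `window`."""
    by_account = defaultdict(list)
    for ts, acct, ip in parse(events):
        by_account[acct].append((ts, ip))
    flagged = {}
    for acct, logins in by_account.items():
        start = 0
        for end in range(len(logins)):
            # Advance the left edge until the span fits inside the window.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            ips = {ip for _, ip in logins[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[acct] = sorted(ips)
                break
    return flagged

def ips_with_many_accounts(events, min_accounts=3):
    """Red flag 2: one source IP used to log in to >= min_accounts accounts."""
    by_ip = defaultdict(set)
    for _, acct, ip in parse(events):
        by_ip[ip].add(acct)
    return {ip: sorted(a) for ip, a in by_ip.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    print("Account seen from many IPs:", accounts_with_many_ips(SAMPLE_EVENTS))
    print("IP shared by many accounts:", ips_with_many_accounts(SAMPLE_EVENTS))
```

Shared office NAT or VPN egress addresses will also trip the second check, so hits are leads for review rather than proof of a fake identity.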