FBI warns of North Koreans posing as foreign IT workers • The Register

Pay close attention to that CV before offering an employment contract.

The FBI, in a joint report with the US State and Treasury Departments, has warned that North Korea’s cyberspies are posing as non-North Korean IT workers to snag Western jobs to further Kim Jong-un’s nefarious activities.

In the advisory [PDF] issued this week, the Feds warned that these techies often use fake IDs and other documents to pose as non-North Korean nationals and obtain freelance work in North America, Europe and East Asia. In addition, North Korean IT staff can accept foreign contracts and then outsource these projects to non-North Korean staff.

Once hired by private companies, Kim’s crew either use their newfound corporate network access for cybercrime (cryptocurrency theft, ransomware, and cyberespionage are some of the Supreme Leader’s favorites) or simply send their paychecks to North Korea to fund that government’s other hobbies, such as the development of weapons of mass destruction and ballistic missiles.

From the warning:

A DPRK IT worker abroad earns at least 10 times more than a traditional North Korean worker working in a factory or on a construction project abroad. DPRK IT staff can individually earn more than US$300,000 per year in some cases, and IT staff teams can collectively earn more than US$3 million per year. A significant percentage of their gross income supports the priorities of the DPRK regime, including its weapons of mass destruction program.

It is worth noting that all these activities are subject to US and United Nations sanctions. Anyone who hires or assists workers sponsored by the North Korean government, including conducting financial transactions, may face legal action themselves.

According to the alert, “These IT professionals leverage existing demand for specific IT skills, such as software and mobile application development, to secure freelance work contracts from clients around the world, including in North America, Europe and East Asia.”

The freelancers can pose as US-based or non-North Korean teleworkers. In addition, they may use VPNs or third-country IP addresses, or even outsource their work to non-North Koreans to “further obfuscate their identities,” it warned.

The security advisory lists two dozen warning signs that companies employing freelance developers, and organizations that provide freelance employment and payment systems, should watch for. It also lists nearly as many potential mitigation actions.

These include reviewing all submitted documents and websites, conducting video interviews and background checks prior to employment, avoiding payments in virtual currency, verifying banking information, and looking for small-scale unauthorized transactions.

In one such case, we are told, North Korean developers employed by a US company debited the company’s payment account and stole more than $50,000 in small installments over several months.

“The US company was unaware that the developers were North Koreans due to the small amounts involved or the ongoing theft activities,” the warning said.
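The advisory's mitigation of looking for small-scale unauthorized transactions, sketched as an added example (not code from the advisory or The Register): a rolling-window check that flags payees whose individually small, unapproved debits add up. The ledger fields, payee names and all three thresholds are assumptions, and the sample ledger is constructed.

```python
from collections import defaultdict, deque
from datetime import date, timedelta
from decimal import Decimal

# Assumed policy values (not from the advisory); tune them to your own payment data.
REVIEW_THRESHOLD = Decimal("1000")  # single debits at or above this get manual review anyway
WINDOW = timedelta(days=90)         # rolling look-back period
CUMULATIVE_LIMIT = Decimal("5000")  # alert when small debits to one payee exceed this

def flag_small_debit_drain(ledger, approved_invoices):
    """Return {payee: (first_alert_date, window_total)} for payees whose unapproved,
    individually small debits exceed CUMULATIVE_LIMIT within one WINDOW."""
    recent = defaultdict(deque)    # payee -> (date, amount) pairs still inside the window
    totals = defaultdict(Decimal)  # payee -> sum of the amounts held in recent[payee]
    alerts = {}
    for txn in sorted(ledger, key=lambda t: t["date"]):
        if txn["ref"] in approved_invoices or txn["amount"] >= REVIEW_THRESHOLD:
            continue  # tied to an approved invoice, or large enough to be reviewed already
        payee = txn["payee"]
        recent[payee].append((txn["date"], txn["amount"]))
        totals[payee] += txn["amount"]
        # Drop debits that have aged out of the look-back window.
        while recent[payee][0][0] < txn["date"] - WINDOW:
            totals[payee] -= recent[payee].popleft()[1]
        if totals[payee] > CUMULATIVE_LIMIT and payee not in alerts:
            alerts[payee] = (txn["date"], totals[payee])
    return alerts

# Constructed sample ledger: one payee draining 480.00 every five days with no invoice,
# one vendor with approved invoices, and a few harmless petty-cash style debits.
SAMPLE_LEDGER = (
    [{"date": date(2022, 1, 3) + timedelta(days=5 * i), "payee": "dev-contractor-7",
      "amount": Decimal("480.00"), "ref": None} for i in range(30)]
    + [{"date": date(2022, m, 1), "payee": "hosting-vendor",
        "amount": Decimal("900.00"), "ref": f"INV-100{m}"} for m in range(1, 6)]
    + [{"date": date(2022, 2, d), "payee": "office-supplies",
        "amount": Decimal("120.00"), "ref": None} for d in (4, 11, 18)]
)
APPROVED = {f"INV-100{m}" for m in range(1, 6)}

if __name__ == "__main__":
    for payee, (when, total) in flag_small_debit_drain(SAMPLE_LEDGER, APPROVED).items():
        print(f"{payee}: {total} in unapproved small debits by {when}")
```

No single debit here would trip a per-transaction limit; only the per-payee running total does, which is why the check groups by payee rather than inspecting amounts one at a time.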

This joint security advisory follows several other warnings and actions by Uncle Sam in an attempt to end Kim Jong-un’s illegal money-making.

In April, the Feds offered a reward of up to $5 million for information that helps disrupt North Korea’s cryptocurrency theft, cyberespionage, and other illegal state-sponsored activities. Around the same time, a US court sentenced an American citizen to more than five years in prison and a $100,000 fine for providing cryptocurrency and blockchain-related technical advice to North Korea in violation of sanctions.

Also in April, the Feds attributed the $620 million Axie Infinity heist to North Korea’s Lazarus group and fingered the gang’s getaway wallet address.

Earlier this month, the Treasury Department sanctioned cryptocurrency mixer Blender for its role in helping the Lazarus Group launder stolen digital assets. ®
