FBI: North Korea's tech workers are posing as freelance developers, helping hackers

US government warns local businesses that North Korean IT workers are posing as US contractors to gain remote work.
Written by Liam Tung, Contributing Writer

Skilled software and mobile app developers from North Korea are posing as US-based remote workers to land contract work as developers in US and European tech and crypto firms. 

The warning comes in a new joint advisory from the US Department of State, the US Department of the Treasury, and the Federal Bureau of Investigation (FBI) outlining the role North Korean IT workers play in raising revenue for North Korea, which contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of US and UN sanctions.

Hackers working for North Korea – officially known as the Democratic People's Republic of Korea (DPRK) – have gained notoriety for sophisticated hacks on cryptocurrency exchanges during the past five years. In 2021 alone they stole over $400 million worth of cryptocurrency for the DPRK.


The FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and Treasury last month warned that North Korea's Lazarus Group, or APT 38, was targeting exchanges in the blockchain and cryptocurrency industry using spear-phishing campaigns and malware. In April, Treasury also linked Lazarus to the $600 million heist in March from the Ronin blockchain network underpinning the play-to-earn game Axie Infinity.

However, skilled North Korean IT workers also serve another function for the DPRK: they use their access as sub-contracted developers within US and European contracting firms to enable DPRK-sponsored hacking.

The US government has outlined "red flag" indicators that firms might be hiring North Korean freelance developers and tips to "protect against inadvertently hiring or facilitating the operations of DPRK IT workers." 

"The DPRK dispatches thousands of highly skilled IT workers around the world to generate revenue that contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions," the advisory states. 

DPRK IT workers are primarily located in the People's Republic of China (PRC) and Russia, but some are located in Africa and Southeast Asia, the US says. 

"The vast majority of [DPRK IT workers] are subordinate to and working on behalf of entities directly involved in the DPRK's UN-prohibited WMD and ballistic missile programs, as well as its advanced conventional weapons development and trade sectors. This results in revenue generated by these DPRK IT workers being used by the DPRK to develop its WMD and ballistic programs, in violation of US and UN sanctions." 

Rather than engaging directly in malicious cyber activity, DPRK IT workers use privileged access within contractor roles to provide logistical support to DPRK hackers by sharing access to virtual infrastructure, facilitating sales of stolen data, and assisting in DPRK's money laundering and virtual currency transfers.

"Although DPRK IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK's malicious cyber intrusions. Additionally, there are likely instances where workers are subjected to forced labor," the warning notes.

A tight labor market, coupled with high demand for software developers in the US and Europe, is working in favor of North Korean software developers, who can earn at least ten times more than a conventional North Korean laborer working in a factory or on a construction project overseas.

The list of roles that DPRK tech workers specialize in reflects the hottest areas of tech in the West and globally, including mobile and web apps, building crypto exchange platforms and digital coins, mobile games, online gambling, AI-related applications, hardware and firmware development, VR and AR programming, facial and biometric recognition software, and database development.

The DPRK workers often take on projects that involve virtual currency in categories spanning business, health and fitness, social networking, sports, entertainment, and lifestyle, according to the advisory.


Unsurprisingly, DPRK IT workers use VPNs and third-country IP addresses to conceal their internet connections and avoid violating the terms of service of the online platforms they use. They also use proxy accounts to bid for work, and might use a dedicated device for banking services to evade anti-money laundering measures. And they use forged and stolen identity documents to hide who they are.

Red flags include: multiple logins into one account from various IP addresses linked to different countries in a short time; developers logging into multiple accounts on the same platform from one IP address; developers being logged into accounts continuously for one or more days at a time; router ports such as 3389 and other configurations associated with the use of remote desktop-sharing software; multiple developer accounts receiving high ratings from one client account in a short period; extensive bidding on projects with a low number of accepted project bids; and frequent money transfers through payment platforms, especially to China-based bank accounts.
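A defender-side check for the first two of those indicators (one account logging in from several countries in a short window, and several accounts sharing one IP), written here as an added example rather than code from the advisory or the article; the login log, account names, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of freelance-platform login events (not real data):
# (timestamp, account id, source IP, country of the IP from a GeoIP lookup).
LOGIN_EVENTS = [
    ("2022-05-16T08:02:00", "dev_1041", "203.0.113.7", "US"),
    ("2022-05-16T09:15:00", "dev_1041", "198.51.100.23", "CN"),
    ("2022-05-16T11:40:00", "dev_1041", "192.0.2.88", "RU"),
    ("2022-05-16T12:05:00", "dev_2210", "198.51.100.23", "CN"),
    ("2022-05-16T13:30:00", "dev_3377", "198.51.100.23", "CN"),
    ("2022-05-17T07:55:00", "dev_5500", "203.0.113.42", "US"),
    ("2022-05-18T08:10:00", "dev_5500", "203.0.113.42", "US"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def accounts_with_multi_country_logins(events, window=timedelta(hours=24), min_countries=3):
    """Red flag: one account logging in from IPs tied to several countries
    within a short window. Window and country threshold are assumed values."""
    by_account = defaultdict(list)
    for ts, acct, _ip, country in events:
        by_account[acct].append((parse(ts), country))
    flagged = {}
    for acct, rows in by_account.items():
        rows.sort()
        # Slide a window starting at each login and count distinct countries.
        for i, (start, _country) in enumerate(rows):
            countries = {c for t, c in rows[i:] if t - start <= window}
            if len(countries) >= min_countries:
                flagged[acct] = sorted(countries)
                break
    return flagged

def ips_shared_by_multiple_accounts(events, min_accounts=2):
    """Red flag: several developer accounts on the same platform
    authenticating from a single IP address."""
    by_ip = defaultdict(set)
    for _ts, acct, ip, _country in events:
        by_ip[ip].add(acct)
    return {ip: sorted(accts) for ip, accts in by_ip.items() if len(accts) >= min_accounts}

if __name__ == "__main__":
    print("multi-country accounts:", accounts_with_multi_country_logins(LOGIN_EVENTS))
    print("shared IPs:", ips_shared_by_multiple_accounts(LOGIN_EVENTS))
```

Hits from either check are a prompt for the identity verification the agencies recommend, not proof on their own: legitimate travel or shared office NAT produce the same patterns.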

The advisory notes that DPRK IT workers employed by a US firm fraudulently charged its payment account $50,000 in 30 small installments over a matter of months. 

The US agencies recommend that contracting firms conduct video interviews with applicants to verify their identity, and that they reject low-quality images submitted as proof of identity.
