
The Rise of North Korean IT Actors: Freelance Market Flooded


North Korean IT Workers Infiltrate Freelance Market to Fund Nuclear Program

Introduction

In recent years, the Democratic People’s Republic of Korea (DPRK), more commonly known as North Korea, has been strategically flooding the freelance IT market with skilled workers in order to fund its nuclear weapons program. These IT workers primarily reside in Russia and China, and they employ various tactics to hide their true identities and locations when applying for freelance work with organizations around the world. The US Department of Justice (DOJ) recently seized several domains and millions of dollars associated with this operation, highlighting the prevalence of this scam.

The Scam: North Korean IT Workers and Funding for Nuclear Weapons

The DOJ’s recent announcement about the seizure of 17 domains and $1.7 million in revenues sheds light on North Korea’s use of freelance IT workers to indirectly finance its ballistic missile program. According to Special Agent in Charge Jay Greenberg of the FBI St. Louis Division, this scheme has become so widespread that organizations must exercise vigilance in verifying the individuals they hire.

The 17 domains seized by the DOJ were being used by North Korean IT workers to apply for remote work, masquerading as legitimate US-based IT services companies. In reality, these workers were employed by Chinese company Yanbian Silverstar Network Technology Co. Ltd and Russian company Volasys Silver Star. By utilizing online payment services and Chinese bank accounts, the North Korean IT workers funneled their earnings back to their home country. The annual revenue generated by these workers has amounted to millions of dollars, financing entities such as North Korea’s Ministry of Defense and other agencies connected to the country’s weapons of mass destruction (WMD) programs.

Previous Warnings and Red Flags

This is not the first time the DOJ has issued a warning about North Korean IT workers infiltrating the freelance market. In a May 2022 advisory, the US government cautioned organizations about the use of virtual private networks (VPNs), virtual private servers, third-party IP addresses, proxy accounts, and stolen identification documents to disguise the true identities of these workers. The advisory also provided guidance on identifying potential red flags when contracting freelancers.

Some of the warning signs included:

  • Multiple logins into one account from various IP addresses in a short period
  • IP addresses associated with different countries
  • Frequent money transfers through payment platforms, especially in China
  • Requests for payment in cryptocurrencies
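
The first two warning signs can be checked mechanically against authentication logs. The following Python code is an added example, not taken from the advisory or the original article: it flags accounts that log in from several IP addresses, or from more than one country, within a sliding time window. The log records, the one-hour window, the three-address threshold and the upstream GeoIP country field are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data). The country field is assumed
# to come from a GeoIP lookup done upstream; IPs are documentation ranges.
SAMPLE_EVENTS = [
    ("2023-10-20T09:00:00", "freelancer_a", "192.0.2.10", "US"),
    ("2023-10-20T09:12:00", "freelancer_a", "198.51.100.7", "CN"),
    ("2023-10-20T09:25:00", "freelancer_a", "203.0.113.44", "RU"),
    ("2023-10-20T09:40:00", "freelancer_a", "192.0.2.10", "US"),
    ("2023-10-20T08:00:00", "freelancer_b", "192.0.2.55", "US"),
    ("2023-10-20T13:30:00", "freelancer_b", "192.0.2.56", "US"),
    ("2023-10-20T10:00:00", "freelancer_c", "198.51.100.20", "US"),
    ("2023-10-21T10:00:00", "freelancer_c", "203.0.113.9", "CN"),
]

def flag_accounts(events, window=timedelta(hours=1), min_ips=3):
    """Return {account: sorted list of red flags} seen inside any one window."""
    by_account = defaultdict(list)
    for ts, account, ip, country in events:
        by_account[account].append((datetime.fromisoformat(ts), ip, country))

    findings = {}
    for account, logins in by_account.items():
        logins.sort()  # chronological order per account
        flags = set()
        start = 0
        for end in range(len(logins)):
            # Advance the left edge until the span fits inside `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            in_window = logins[start:end + 1]
            if len({ip for _, ip, _ in in_window}) >= min_ips:
                flags.add("many_ips_in_window")
            if len({c for _, _, c in in_window}) >= 2:
                flags.add("multiple_countries_in_window")
        if flags:
            findings[account] = sorted(flags)
    return findings

if __name__ == "__main__":
    for account, flags in flag_accounts(SAMPLE_EVENTS).items():
        print(account, flags)
```

Travel and corporate VPN use can produce the same pattern, so a hit is a prompt to review the account alongside the other warning signs rather than a verdict.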

The DOJ also urged organizations to be cautious of inconsistencies in name spellings, claimed work locations, contact information, and details about education and work history across social media profiles, professional websites, and payment profiles. An inability to work during required business hours or difficulty in reaching the worker in a timely fashion were also seen as potential warning signs.

Updated Advice for Identifying North Korean IT Workers

In light of the ongoing infiltration of North Korean IT workers, the latest DOJ advisory offers updated advice for organizations to identify potential perpetrators. Some red flags to watch out for include:

  • An unwillingness or inability to appear on camera or participate in video interviews and conferences
  • Inconsistencies, such as differences in time of day and location when appearing on camera
  • Signs of cheating on coding tests or interviews, like excessive pausing, stalling, and eye scanning movements
  • Repeated requests for prepayment and threats to release source code if payment is not made

Organizations are encouraged to take steps to minimize risk, such as requesting documentation of background checks when using third-party staffing firms and conducting due diligence checks on individuals provided by such firms for freelance work. Furthermore, organizations should be cautious about accepting background checks from unknown firms.

Challenges in Detecting Fake Identities

The detection of fake identities, particularly those sponsored by states like North Korea, presents significant challenges. Typically, background checks are limited in their ability to uncover such identities. Andrew Barrett, Vice President at Coalfire, highlights the difficulties faced by organizations when dealing with state-sponsored fake identities. The freelance market is vital for many businesses, and the creation of marketplaces like Fiverr attests to its growing significance. Nevertheless, the potential threats posed by these infiltrators are immensely challenging and costly to manage.

Editorial: The Importance of Internet Security

This incident serves as a stark reminder of the importance of internet security in today’s interconnected world. The infiltration of North Korean IT workers into the freelance market and their efforts to finance their nuclear weapons program demonstrate the need for heightened vigilance and due diligence when hiring remote workers.

Organizations should prioritize implementing thorough background checks and verifying the identities of individuals they engage for freelance work. This scrutiny should extend beyond simply relying on third-party staffing firms and include direct assessments of the freelancers’ backgrounds. By requesting comprehensive documentation and performing due diligence checks, organizations can minimize the risk of unknowingly supporting illicit activities.

Advice for Organizations

To protect themselves from potential scams and malicious actors, organizations should consider adopting the following measures:

1. Verify Freelancer Backgrounds:

When engaging with freelance or temporary IT workers, organizations should conduct thorough background checks. This includes requesting documentation from reliable sources and independently verifying the information provided. Direct assessments of the freelancer’s identity and work history are crucial in detecting potential red flags.

2. Exercise Caution with Third-Party Staffing Firms:

While third-party staffing firms can be valuable resources for accessing freelance talent, organizations should exercise caution and ensure that these firms have robust vetting processes in place. Request documentation of background checks conducted by the staffing firm and perform due diligence checks on both the freelancer and the staffing firm before entering into any agreements.

3. Establish Strong Security Protocols:

Organizations should prioritize internet security by implementing strong protocols, including encryption, multi-factor authentication, and regular security assessments. It is crucial to maintain up-to-date software and hardware, as well as to educate employees about internet security best practices.

4. Stay Informed and Proactive:

Organizations should stay abreast of emerging threats and fraudulent activities. Regularly reviewing cybersecurity advisories from government agencies and industry experts can help organizations identify potential risks and take proactive steps to mitigate them.

Conclusion

The infiltration of North Korean IT workers into the freelance market represents a significant challenge for organizations seeking to ensure internet security. By remaining vigilant, conducting thorough background checks, and implementing robust security protocols, organizations can protect themselves from potential scams and illicit activities. Staying informed and regularly assessing security measures is crucial in combating evolving threats in the interconnected digital landscape.
