Firms warned to beware of fake IT workers


North Korean IT workers are secretly infiltrating US companies using fake identities and forged credentials, according to SentinelLabs.

The cyber security organization has uncovered a network of companies, which it believes are backed by China, supplying remote workers under false identities.

The workers conduct convincing video interviews under false identities. They use VPNs to mask their true locations, making it appear as if they're working domestically when they're actually in North Korea or neighboring countries. Once inside a company, SentinelLabs said they may attempt to install malware or facilitate access for other malicious actors, significantly compromising corporate networks.

"North Korea operates a global network of IT workers, both as individuals and under front companies, to evade sanctions and generate revenue for the regime," SentinelOne researchers Tom Hegel and Dakota Cary wrote in an advisory.

"These workers are highly skilled in areas like software development, mobile applications, blockchain, and cryptocurrency technologies. By posing as professionals from other countries using fake identities and forged credentials, they secure remote jobs and freelance contracts with businesses worldwide."

The front companies, based in China, Russia, Southeast Asia, and Africa, are used to mask the workers' true origins and manage payments. They have been able to launder earnings through online payment services and Chinese bank accounts, with the payments often routed through cryptocurrencies or shadow banking systems. The proceeds ultimately go to support North Korean state programs, including weapons development, in circumvention of international sanctions.

Some companies, including China-based Yanbian Silverstar Network Technology and Russia-based Volasys Silver Star, were years ago disrupted or sanctioned by the US Treasury Department for facilitating fraudulent IT operations.

The report examines four newly identified examples of North Korean IT worker-front companies. Independent Lab has been active since at least February. Its website, says SentinelLabs, is in line with what you'd expect of a legitimate software development outsourcing business – indeed, it was copied from Kitrum, a custom software firm headquartered in the US.

Shenyang Tonywang Technology has been going a little longer and bills itself as a top software consulting company with bespoke solutions, including DevOps and cloud consulting. In this case, the website format and content were copied from Urolime, a legitimate DevOps consulting firm.

Tony WKJ advertises itself as a leading software development company that specializes in Agile IT development, and HopanaTech claims to be a custom software development company.
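Two of the four front companies above reused the website copy of legitimate firms almost verbatim. One defensive check a vendor-onboarding team can automate is near-duplicate detection on the visible text of a prospective supplier's site against a reference set of known firms' pages. The following is an added example, not code from the article or from SentinelLabs; it uses word k-shingles and Jaccard similarity, and all page text, company names and domains in it are constructed.

```python
"""Near-duplicate check for a prospective vendor's web copy.

Added example (not from the article or SentinelLabs). Compares the visible
text of a candidate site against a reference corpus of legitimate firms'
pages using 5-word shingles and Jaccard similarity. Sample text is constructed.
"""
import re
from typing import Dict, List, Set, Tuple

SHINGLE_SIZE = 5  # words per shingle; long enough that chance overlap is rare


def normalize(text: str) -> List[str]:
    """Lowercase and reduce the page to a list of alphanumeric words."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, k: int = SHINGLE_SIZE) -> Set[str]:
    """Set of overlapping k-word windows; a short text yields one shingle."""
    words = normalize(text)
    if len(words) < k:
        return {" ".join(words)} if words else set()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """|A ∩ B| / |A ∪ B|; 1.0 means identical shingle sets."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def rank_matches(candidate: str, reference: Dict[str, str],
                 threshold: float = 0.5) -> List[Tuple[str, float]]:
    """(reference_name, similarity) pairs at or above threshold, best first."""
    cand = shingles(candidate)
    scores = [(name, jaccard(cand, shingles(text))) for name, text in reference.items()]
    return sorted([s for s in scores if s[1] >= threshold], key=lambda s: -s[1])


# Constructed reference corpus: text a team would have scraped from firms it
# already knows to be legitimate.
REFERENCE = {
    "acme-devops.example": (
        "Acme DevOps Consulting delivers cloud consulting, DevOps automation and "
        "managed Kubernetes services for enterprise clients. Our certified engineers "
        "design secure CI/CD pipelines and migrate legacy workloads to AWS, Azure "
        "and Google Cloud with zero downtime."
    ),
    "pixelforge-mobile.example": (
        "Pixelforge Mobile Studio builds native iOS and Android applications for "
        "startups. Our product designers and developers ship polished apps quickly, "
        "from prototype to app store launch, with analytics and crash reporting built in."
    ),
}

# Constructed candidate page: the Acme copy with only the company name swapped,
# the pattern the article describes for the copied front-company sites.
CANDIDATE = (
    "Brightpath Software delivers cloud consulting, DevOps automation and managed "
    "Kubernetes services for enterprise clients. Our certified engineers design "
    "secure CI/CD pipelines and migrate legacy workloads to AWS, Azure and Google "
    "Cloud with zero downtime."
)


def check_candidate_site() -> List[Tuple[str, float]]:
    """Run the constructed candidate against the reference corpus."""
    return rank_matches(CANDIDATE, REFERENCE)


if __name__ == "__main__":
    for name, score in check_candidate_site():
        print(f"{name}: {score:.2f} similarity to candidate site")
```

Swapping only the company name leaves almost every 5-word window intact, so the copied page scores far above the 0.5 threshold while the unrelated reference page scores zero. In practice the reference corpus is built from the legitimate firms a team already works with, and a hit is a prompt for closer review, not proof of fraud on its own.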

The four domains belonging to the front companies have now been seized by the US government, but organizations are being warned to be on the alert for similar schemes.

SentinelLabs said organizations should implement robust vetting processes, including careful scrutiny of potential contractors and suppliers. They should also look for discrepancies between a candidate's online profiles and their resume, the use of multiple conflicting profiles, or frequent changes in contact information. There may also be a reluctance to appear on camera, inconsistencies in appearance or background during video calls, and signs of cheating during technical assessments.


Employers should also look for resume discrepancies, such as an Asian education combined with employment records that predominantly feature US-based positions and addresses linked to freight forwarding services.

Meanwhile, other red flags are financial anomalies such as requests for prepayment, frequent changes in payment methods, or aggressive behavior when such requests are denied.
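The red flags above (conflicting profiles, contact-detail churn, resume discrepancies, forwarder addresses and payment anomalies) can be triaged consistently if the vetting team records what it sees in a structured way. The following is an added example, not code from the article or from SentinelLabs; it encodes those checks over constructed candidate records, and the freight-forwarder address set is a hypothetical placeholder for data a team would maintain itself.

```python
"""Structured triage of the hiring red flags described in the article.

Added example (not from the article or SentinelLabs). Runs the described
checks over candidate records a recruiting or vendor-onboarding team might
hold. All records are constructed; FORWARDER_ADDRESSES is a placeholder.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass
class ProfileSnapshot:
    """One observation of the candidate on a source (resume, job site, code host)."""
    source: str
    full_name: str
    employer: str
    email: str
    phone: str
    seen: date


@dataclass
class PaymentRequest:
    """A payment-related request made during onboarding or contracting."""
    when: date
    method: str        # e.g. "ach", "paypal", "crypto"
    prepayment: bool   # asked to be paid before any work was delivered


@dataclass
class Candidate:
    education_region: str        # region of the degrees listed on the resume
    job_regions: List[str]       # region of each employment entry on the resume
    mailing_address: str
    profiles: List[ProfileSnapshot]
    payments: List[PaymentRequest]


# Hypothetical placeholder: mail-drop / freight-forwarding addresses known to
# the vetting team. A real list would come from the team's own data.
FORWARDER_ADDRESSES = {"100 reship way, portland, or 97201"}


def vet(c: Candidate, max_contact_changes: int = 1, max_methods: int = 1) -> List[Tuple[str, str]]:
    """Return (code, detail) pairs for each red flag found; empty if none."""
    flags: List[Tuple[str, str]] = []

    # One person should present one name and one current employer across sources.
    names = {p.full_name.lower() for p in c.profiles}
    employers = {p.employer.lower() for p in c.profiles}
    if len(names) > 1:
        flags.append(("conflicting_profiles", f"names seen: {sorted(names)}"))
    if len(employers) > 1:
        flags.append(("conflicting_profiles", f"employers seen: {sorted(employers)}"))

    # Contact churn: how often email or phone changed between observations in time order.
    ordered = sorted(c.profiles, key=lambda p: p.seen)
    changes = sum(1 for prev, cur in zip(ordered, ordered[1:])
                  if prev.email != cur.email or prev.phone != cur.phone)
    if changes > max_contact_changes:
        flags.append(("contact_churn", f"{changes} contact changes across {len(ordered)} observations"))

    # Resume discrepancy: education entirely outside the US, employment entirely US-based.
    if c.education_region != "US" and c.job_regions and all(r == "US" for r in c.job_regions):
        flags.append(("education_vs_employment", f"education in {c.education_region}, all jobs in US"))

    # Mailing address that resolves to a freight-forwarding service.
    if c.mailing_address.strip().lower() in FORWARDER_ADDRESSES:
        flags.append(("forwarder_address", c.mailing_address))

    # Financial anomalies: prepayment requests and frequent payment-method changes.
    if any(p.prepayment for p in c.payments):
        flags.append(("prepayment_request", "asked to be paid before delivery"))
    methods = {p.method for p in c.payments}
    if len(methods) > max_methods:
        flags.append(("payment_method_churn", f"methods used: {sorted(methods)}"))

    return flags


# Constructed records: one candidate that trips every check, one that trips none.
SUSPICIOUS = Candidate(
    education_region="Asia", job_regions=["US", "US", "US"],
    mailing_address="100 Reship Way, Portland, OR 97201",
    profiles=[
        ProfileSnapshot("resume", "Alex Rivera", "Northwind Labs", "alex@example.com", "+1-555-0100", date(2024, 1, 5)),
        ProfileSnapshot("jobsite", "Alex Rivera", "Contoso Apps", "alex.r@example.net", "+1-555-0100", date(2024, 2, 1)),
        ProfileSnapshot("codehost", "A. Riviera", "Northwind Labs", "ariv@example.org", "+1-555-0199", date(2024, 3, 9)),
    ],
    payments=[PaymentRequest(date(2024, 3, 12), "paypal", prepayment=True),
              PaymentRequest(date(2024, 3, 20), "crypto", prepayment=False)],
)
CLEAN = Candidate(
    education_region="US", job_regions=["US", "US"], mailing_address="42 Elm St, Austin, TX 78701",
    profiles=[
        ProfileSnapshot("resume", "Jordan Lee", "Fabrikam", "jordan@example.com", "+1-555-0123", date(2024, 1, 5)),
        ProfileSnapshot("jobsite", "Jordan Lee", "Fabrikam", "jordan@example.com", "+1-555-0123", date(2024, 2, 1)),
    ],
    payments=[PaymentRequest(date(2024, 3, 1), "ach", prepayment=False)],
)

if __name__ == "__main__":
    for code, detail in vet(SUSPICIOUS):
        print(f"{code}: {detail}")
```

Each flag is a prompt for a human reviewer rather than a verdict; the thresholds are deliberately low so that a legitimate candidate who changed phone numbers once does not trip the churn check, while the combination of several flags on one record is what warrants escalation.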

"These schemes present significant risks to employers, including potential legal violations, reputational damage, and insider threats such as intellectual property theft or malware implantation," said the firm.

"Addressing these risks requires heightened awareness and stringent vetting processes to limit North Korea's ability to exploit global tech markets."

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.