Good Luck Not Accidentally Hiring a North Korean Scammer

Credit to Author: Lily Hay Newman | Date: Mon, 30 May 2022 11:00:00 +0000

For more than a decade, North Korean hackers and digital scammers have run wild, pilfering hundreds of millions of dollars to raise funds for the Hermit Kingdom and often leaving chaos in their wake. But while the United States and other governments regularly call out North Korea’s digital espionage operations and issue indictments against their hackers, it has proved more difficult to bring charges for rogue theft and profiteering. North Korea has been under extensive sanctions by the US and other governments for years, but efforts to address the regime’s financial crimes have met with obstacles. 

Last week, the US Treasury, State Department, and Federal Bureau of Investigation jointly issued a 16-page alert warning businesses to guard against a particular scam in which North Korean IT workers apply for freelance contracts—often with wealthy North American, European, and East Asian firms—to generate revenue for their country. The workers pose as IT workers of other nationalities, pretending to be remote workers from South Korea, China, Japan, Eastern Europe, or the US. The alert notes that there are thousands of North Korean IT workers taking on such contracts. Some conduct their work from North Korea itself and others work overseas, mainly out of China and Russia, with small contingents in Southeast Asia and Africa. In some cases, the North Korean scammers themselves sub-contract with other more legitimate workers to enhance their credibility.

“DPRK IT workers can individually earn more than USD 300,000 a year in some cases, and teams of IT workers can collectively earn more than USD 3 million annually,” the alert warns. “DPRK IT workers provide a critical stream of revenue that helps fund the DPRK regime’s highest economic and security priorities, such as its weapons development program.”

When US businesses unknowingly contract with North Koreans, they are violating government sanctions and face legal risk. But the scams are challenging to deal with, since workers typically complete the assignments to earn their compensation. Without vigilance, businesses could be unaware that anything shady is going on.

The alert emphasizes that while businesses need to be aware of the issue so they can comply with sanctions, North Korean IT contractors also sometimes use their access to plant malware and facilitate espionage and intellectual property theft.

“There have been a lot of cases where we’re seeing North Korean actors interviewing for jobs and using that to try to ultimately deploy malware or get into an environment,” says Adam Meyers, vice president of intelligence at the cybersecurity firm CrowdStrike. “The reason this is important is a lot of people don’t consider this threat or write it off as, ‘Oh, North Korea, they’re crazy. They’re not sophisticated.’ And if you’re talking to an actual person, it feels like there’s not going to be a cyber threat in that, but these are human-enabled operations that the North Koreans have gotten really good at, so bringing awareness to this issue is really important.”

North Korean IT workers have thorough training, making detection more difficult, and the alert notes that they have developed software, websites, and other platforms for a variety of sectors, including health and fitness, social networking, sports, entertainment, and lifestyle, along with cryptocurrency and decentralized finance. The workers have the expertise to do IT support and database management, build mobile and web apps, develop cryptocurrency platforms, work in artificial intelligence and virtual reality or augmented reality, and develop facial recognition and biometric authentication tools.

The alert lists a number of “red flag indicators” of a North Korean IT worker scam. Many overlap with general best practices for avoiding online scams: monitoring for unusual logins or IP addresses, and watching for contractors who use suspicious digital accounts to collect payments or require payment in cryptocurrency, submit formulaic job applications and documents rather than personalized ones, and have perfect reviews on hiring websites that were all written within a short time span.
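As an added illustration (not from the alert or this article) of how a vendor-risk or hiring-platform team might turn those red flags into a check, the script below scores a constructed contractor profile against three of them: logins that mostly come from countries other than the claimed work location, payment requested in cryptocurrency, and a burst of reviews written within a short window. All names, thresholds and sample data are assumptions chosen for the example.

```python
from datetime import datetime

# Constructed sample profile (hypothetical, not from the alert): what a
# hiring platform or vendor-risk team might assemble for one freelancer.
PROFILE = {
    "claimed_country": "US",
    "payment_method": "crypto",          # red flag: payment in cryptocurrency
    "logins": [                          # (timestamp, country of source IP)
        ("2022-05-02T09:12:00", "US"),
        ("2022-05-03T22:40:00", "CN"),
        ("2022-05-04T23:05:00", "CN"),
        ("2022-05-05T21:50:00", "RU"),
    ],
    "reviews": [                         # timestamps of five-star reviews
        "2022-04-28T10:00:00", "2022-04-28T11:30:00",
        "2022-04-28T13:00:00", "2022-04-29T09:00:00",
    ],
}

def login_mismatch(logins, claimed_country, threshold=0.5):
    """True if more than `threshold` of logins originate outside the
    country the contractor claims to work from."""
    if not logins:
        return False
    foreign = sum(1 for _, country in logins if country != claimed_country)
    return foreign / len(logins) > threshold

def review_burst(reviews, min_count=3, window_hours=48):
    """True if at least `min_count` reviews fall inside any `window_hours`
    span, which is the "perfect reviews written at once" pattern."""
    stamps = sorted(datetime.fromisoformat(r) for r in reviews)
    for i in range(len(stamps) - min_count + 1):
        span = stamps[i + min_count - 1] - stamps[i]
        if span.total_seconds() <= window_hours * 3600:
            return True
    return False

def red_flags(profile):
    """Return the alert-style red flags that this profile trips."""
    flags = []
    if login_mismatch(profile["logins"], profile["claimed_country"]):
        flags.append("logins mostly from countries other than claimed location")
    if profile.get("payment_method") == "crypto":
        flags.append("requires payment in cryptocurrency")
    if review_burst(profile["reviews"]):
        flags.append("cluster of reviews within a short time span")
    return flags

if __name__ == "__main__":
    for flag in red_flags(PROFILE):
        print("RED FLAG:", flag)
```

A hit is a prompt for manual review of the engagement, not proof of anything on its own; legitimate contractors travel and some genuinely prefer crypto payment.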

Incident responders note that while the US government alert offers a helpful level of detail and transparency, it’s still difficult for potential victims to respond meaningfully. 

“The issue is always, whose responsibility is it to protect against these attacks? That’s on individuals and businesses, which often sorely lack the ability to ingest this type of information and make actionable improvements,” says David Kennedy, CEO of the corporate incident response consultancy TrustedSec. “Large companies that have dedicated security teams can use these warnings, but I do really feel that there needs to be a shift toward security for all and helping smaller organizations with defensive positions.”

The alert and other recent government disclosures about North Korean hacking and financial crimes do help raise awareness and likely indicate that the activity is a real and urgent threat. But as Jake Williams, director of cyber threat intelligence at the security firm Scythe puts it, “They have been what I believe to be intentionally vague in recommendations. The more specific they get to businesses, the easier it is for businesses to say that they followed the letter of the instructions and hence have no liability.”
