Microsoft shuts down 3,000 email accounts created by North Korean IT workers

Microsoft said it suspended 3,000 Outlook and Hotmail email accounts it believed were created by North Korean IT workers as part of a larger effort to help companies address the costly scheme. 

The tech giant said it has spent years monitoring North Korea’s campaign to get its citizens hired in IT roles at U.S. companies and recently saw changes in how the campaign operates. North Korean IT workers now use artificial intelligence heavily to “replace images in stolen employment and identity documents and enhance North Korean IT worker photos to make them appear more professional.” 

“We’ve also observed that they’ve been utilizing voice-changing software,” Microsoft explained in a blog post that coincided with two Justice Department indictments charging several North Koreans and at least two U.S. citizens for their role in the IT worker campaign. 

In October, Microsoft’s Threat Intelligence unit found a public repository containing actual and AI-enhanced images of suspected North Korean IT workers.

The repository also contained resumes, email accounts used by the workers, guidelines on how to do their work using VPN accounts, playbooks on how to perpetrate identity theft, manuals on how to obtain jobs on freelancer websites and information on payments made to facilitators. 

“Based on our review of the repository mentioned previously, North Korean IT workers appear to conduct identity theft and then use AI tools like Faceswap to move their pictures over to the stolen employment and identity documents,” Microsoft researchers said. 

“The attackers also use these AI tools to take pictures of the workers and move them to more professional looking settings. The workers then use these AI-generated pictures on one or more resumes or profiles when applying for jobs.”

The people behind the campaign are experimenting heavily with voice-changing software and other AI technology — backing up assessments made by several other cybersecurity companies that are monitoring the schemes. 

Microsoft warned that while it has not seen the IT workers use AI voice and video products, the tactic “could allow the North Korean IT workers to do interviews directly and no longer rely on facilitators standing in for them on interviews or selling them account access.”

The Justice Department indictments unveiled earlier this week further publicized the vast scale of North Korea’s scheme. The FBI conducted searches in 16 different states while targeting 29 laptop farms, where U.S. residents take in company laptops and install software that allows them to be remotely accessed by North Koreans.

Multiple U.S. citizen co-conspirators were identified in court documents, including one active duty member of the U.S. military who holds a security clearance.

To illustrate the scale of the financial benefits North Korea is achieving through the scheme, prominent cryptocurrency investigator Zachary Wolk, also known as ZachXBT, said a recent investigation found more than $16.5 million in cryptocurrency payments sent to accounts controlled by known North Korean IT workers since January 1, averaging out to nearly $3 million per month. 

“To put this in perspective, payments range from $3K-8K per month meaning they have infiltrated 345 jobs on the low end or 920 jobs on the high end,” he wrote in a social media post.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.