Beware of North Korean IT workers with fake credentials, US government warns
Companies that hire freelance IT teleworkers could inadvertently be employing North Koreans who have been dispatched to generate revenue for the country's authoritarian regime or gain access to corporate networks, the U.S. government said Monday.
The workers "take advantage of existing demands for specific IT skills, such as software and mobile application development," according to the alert from the FBI, the Treasury Department and the State Department. In many cases, they used forged documents or stolen identities to "represent themselves as U.S.-based and/or non-North Korean teleworkers."
The IT workers might not engage in any malicious cyber-activity while doing their jobs, but "they have used the privileged access gained as contractors to enable [North Korea's] malicious cyber intrusions," the alert said.
The federal agencies said the freelancers often send money back to North Korea, contributing to its weapons programs, which have earned broad sanctions from the U.S. and United Nations.
The alert does not mention any specific cases involving cyber-activity by North Korea — also known as the Democratic People's Republic of Korea (DPRK) — but it provides 16 pages of information about their tactics for getting hired, as well as their interests and methods.
"Some overseas-based DPRK IT workers have provided logistical support to DPRK-based malicious cyber actors. ... DPRK IT workers may share access to virtual infrastructure, facilitate uses of data stolen by DPRK cyber actors, or assist with the DPRK's money-laundering and virtual currency transfers," the agencies said.
The alert said operators of digital payment platforms should be particularly wary of the phenomenon. The long list of potential "red flags" for activity by North Korean freelancers includes "multiple logins into one account from various IP addresses in a relatively short period of time," and frequent use of "document templates for things such as bidding documents and project communication methods."
Recent U.S. government actions against alleged North Korean cyber-operations include an indictment of a cryptocurrency "mixer" allegedly used to launder funds from a hack linked to the regime, and a warning that North Korea is deeply interested in stealing crypto from exchanges.
Cybersecurity researchers have recently tied North Korea to specific ransomware families and a hack on an unnamed engineering firm.
Joe Warminsky
is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. He previously he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.