Governance & Risk Management , Remote Workforce

Warnings Mount Over Fake North Korean IT Workers

German Domestic Intelligence Agency Says German Companies Have Fallen for Scam
Warnings Mount Over Fake North Korean IT Workers
North Korean IT workers used artificial intelligence to manipulate the original photo (left) into a supposed portrait (right). (Image:KnowBe4)

The German federal domestic intelligence agency is adding to warnings over North Korean IT workers obtaining remote work in Western tech companies.

See Also: The Forrester Wave™: Operational Technology Security Solutions, Q2 2024

The Federal Office for the Protection of the Constitution in a Tuesday advisory acknowledged that German companies have fallen for the scam, in which North Korean IT workers use fake identities and VPNs to conceal their true nature.

The world's most secretive and repressive regime looks for multiple ways to circumvent strict economic sanctions in order to funnel hard currency into a moribund economy and to pay for development of weapons of mass destruction. It famously steals money directly from cryptocurrency platforms and financial institutions but its methods include using overseas embassies to run illicit businesses, illegal coal exports - and getting Pyongyang-trained coders on the company payroll (see: Breach Roundup: How to Spot North Korean IT Workers).

U.S. federal prosecutors this year have racked up multiple criminal indictments against individuals accused of aiding the Hermit Kingdom workers by running laptop farms inside the United States (see: US Feds Arrest Man for North Korean Remote IT Worker Scam).

North Korean IT workers mainly look for work on freelancing platforms such as Fiverr, Upwork and Freelancer.com, the BfV said. They mostly claim to come from South Korea or Japan, although they might also claim to come from Eastern Europe. Sometimes they remember to use a fake name that correlates to their supposed home country. They often are not currently located in North Korea itself, but in China or Russia, with experts also tracking some pockets of expat workers in Africa and Southeast Asia.

Other telltale signs: A preference for payment through cryptocurrency or digital payment intermediaries such as PayPal or Wise, an aversion to video and telephone calls, and offering the possibility to communicate in Korean, even if they pretend not to be from the Korean Peninsula.

Should an IT worker claim to have studied at an Asian university but lists only employment in the United States, Korea or Canada, that's also a good sign the worker is really North Korean, the BfV wrote.

They use fictitious or stolen identities developed using artificial intelligence and also rely on social media platforms to bulk up their legitimacy. The workers themselves may be difficult to work with. "Often, threats are made to publish parts of the company's internal source code if demands are not met," the BfV warned.

The BfV warnings follow a September alert from Google Mandiant warning that many North Korean coders work multiple jobs at once. "One American facilitator working with the IT workers compromised more than 60 identities of U.S. persons, impacted more than 300 U.S. companies, and resulted in at least $6.8 million of revenue," Mandiant said.

One main objective of the IT workers is to make illicit salary withdrawals, as well as litter companies with backdoors for future financial exploitation. Cyberespionage is an ever-present danger, although "this hasn't been definitively observed," Mandiant said.

Security firm KnowBe4 disclosed in July that it unknowingly hired a North Korean software engineer for its internal artificial intelligence team. The hacker used an AI-enhanced picture and stolen U.S.-based identity to clear four video conference interviews with the company.

After gaining access to KnowBe4's corporate network, the fake worker began to manipulate session history files, and transfer potentially harmful files and used a Raspberry Pi file to download malware into KnowBe4's network.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.