North Korean IT worker scams lead to FBI seizure of fake domains, exposes new tactics
North Korean IT worker scams are still proliferating across the private sector causing millions in losses, even as the FBI is revealed to have seized multiple DRPK IT Worker front company domains on Thursday, all reportedly created by nation-state loyalists to support the nefarious worker schemes.
The Sentinel Labs research findings and Microsoft threat intelligence released Friday expose new details into the Democratic People’s Republic of Korea’s (DPRK) 10-year-long clandestine operation – all aimed at stealing money and trade secrets from Western companies to bolster the communist regime – oftentimes with the help of China, Russia, and other like-minded nations.
From front companies, Faceswap, and impersonating IT recruiters on LinkedIn, to supply chain attacks, crypto heists, and stealing aerospace defense trade secrets, North Korean IT worker scams are showing no signs of slowing down, despite law enforcement and the private sector meticulously disclosing their inner workings.
ADVERTISEMENT
Here is the round-up of the biggest North Korean worker scams hitting the headlines this week. We start with the obvious FBI seizure of four domains directly associated with DPRK IT Worker front companies, originally identified by Sentinal Labs.
DPKR IT front companies impersonate US tech firms
The fraudulent websites were first identified by Sentinel threat hunters based on their unique characteristics, with one site active as late as May of this year before the US government took them down.
The fake company sites – including the many more said to be still up and running – are created to mimic the online brands of legitimate tech organizations, often posing as IT consulting or software development outsourcing firms.
Sometimes the sites are exact replicas; logo, web design, format, and all. In other instances, more effort is put forth into the creation, adding additional elements, such as stolen ‘Company Reviews’ and ‘About Us’ sections, sourced from a patchwork of legitimate websites.
The real company’s websites being impersonated included, US software firm Kitrum faked as Independent Lab LLC; Indian-based Urolime Technologies faked as Shenyang Tonywang Technology LT; ArohaTech USA faked as Tony WKJ LLC; and iTechArt in Belarus faked as HopanaTech.
ADVERTISEMENT
Some of the websites are said to center around the ‘Contact Us’ form, “enticing visitors to engage in communications, providing no contact details on the website itself,” the Sentinel Labs advisory stated.
Additionally, all the seized domains were found registered through Name Cheap, based in Arizona, with two sites hosted by InterServer in New Jersey, and the others hosted by companies in India and Asia.
The researchers said they believe “with high confidence” the four domains are directly connected to a “larger set of organizations based in China.”
Other nations known as home bases for North Korean front companies include China, Russia, Southeast Asia, and Africa – all playing “a key role in masking the workers’ true origins and managing payments,” they said.
Microsoft talks tactics at CYBERWARCON
Besides the FBI bust-up featured by Sentinel One, Microsoft also took time on Friday to divulge a compilation of the latest North Korean IT worker scams at the CYBERWARCON 2024 conference taking place in Virginia.
Microsoft presented a bevy of new DRPK scam tactics at the one-day conference, which is aimed at identifying and exploring threats among government, military, academia, media, and the private sector.
Microsoft says North Korea’s 10 years in the making “computer network exploitation capability” has enabled the communist government to “steal billions of dollars in cryptocurrency, as well as target organizations associated with satellites and weapons systems,” via multiple zero-day vulnerabilities.
ADVERTISEMENT
Besides generating funds to support the nation’s weapons program, Microsoft found DRPK IT workers’ threats to US national security further included stealing information about defense-related technology, weapons systems, sanctions information, and policy-related decisions before they occur.
Labeling North Korean It workers as a triple threat, Microsoft points out that often the workers must use facilitators to first create an account on a freelance job website, which involves setting up a portfolio to show “examples” of previous work.
This may explain the hundreds of fake profiles and portfolios for North Korean IT workers observed on developer platforms like GitHub and social media sites such as Linkedin, Microsoft said.
Last month, Microsoft researchers discovered a public repository chock full of North Korean IT worker files. The cache was said to contain job-related files including:
- Resumes, headshots, and email accounts of IT workers
- LinkedIn, GitHub, Upwork, TeamViewer, Telegram, and Skype accounts
- Wallet information and suspected payments made to facilitators
- Playbooks on how to carry out identity theft and how to navigate freelancer websites and bid on jobs without getting flagged
- VPS and VPN accounts along with specific VPS IP addresses
The researchers also discovered the workers would use an AI “Faceswap” tool to edit headshots to look more professional, and then reuse the images on multiple resumes or profiles to apply for jobs.
The bad actors would also use Faceswap to “move their picture over to documents that they have stolen from victims,” Microsoft said.
The IT workers were also found experimenting with experimenting with other AI technologies to refine their attack techniques, including voice-changing software, which could be used to to trick interviewers into thinking they are communicating with someone other than a North Korean IT worker.
Although there is no evidence of this to date, Microsoft says “this could allow the North Korean IT workers to do interviews directly and not have to rely on facilitators obtaining work for them by standing in on interviews or selling account access to them.”
Posting a summary of its findings in a Microsoft security blog, the tech giant said tracking the North Korean threat actors is challenging due to the vast number of parties and activities involved in the operations, which can include creating accounts on various platforms, accepting payments, and moving money to North Korean IT worker-controlled accounts.
What’s the end goal for North Korea?
The mission for the North Korean workers is to “secure remote jobs and freelance contracts with businesses worldwide,” providing a pathway for funds and/or trade secrets (earned or stolen) to be laundered back to DPRK, thereby evading sanctions.
Although the workers often use “fake identities and forged credentials,” many of them are highly skilled in areas like “software development, mobile applications, blockchain, and cryptocurrency technologies,” Sentinel noted, making it even harder to distinguish between real and fake applicants.
In October, research by SecureWorks revealed another IT worker scam – perpetuated by a North Korean-linked group known as Nickel Tapestry – operating multiple ”laptop farms” of these so-called IT workers.
The “workers” would apply for developer positions in Western companies using “stolen or falsified identities,” with some taking on multiple personalities for the scam by using ‘Splitcam’ live-streaming software – which allows the user to create an AI clone of themselves – to carry out video calls, hiding their identity and location.
Once hired, the workers would steal the company’s trade secrets and hold them for ransom for profit, a new tactic not seen before.
