U.S. officials have warned businesses against hiring IT staff from North Korea. Rogue freelances are taking advantage of remote work opportunities to hide their true identities and earn money for North Korea’s government, according to a new advisory issued by the Federal Bureau of Investigation (FBI) and State and Treasury departments.
This effort is intended to bypass U.S. and U.N. sanctions, as well as bring in financial resources for North Korea’s nuclear weapons and ballistic missile programs, according to Reuters. “There are thousands of DPRK IT workers both dispatched overseas and located within the DPRK, generating revenue that is remitted back to the North Korean government,” the advisory stated.
“These IT workers take advantage of existing demands for specific IT skills, such as software and mobile application development, to obtain freelance employment contracts from clients around the world, including in North America, Europe, and East Asia,” the advisory said.
Many North Korean workers, mostly based in China, Russia and some out of Africa and Southeast Asia, have pretended to be from South Korea, Japan or other Asian countries, the advisory said.
In addition, the advisory laid out a number of red flags employers should watch for, including a refusal to participate in video calls and requests to receive payments in virtual currency, as much of the money they earn is taken by the North Korean government.
Employers hiring and paying such workers may expose themselves to legal consequences for sanctions violations, as well as insider threat risks, including cyberattacks, data exfiltration or theft, espionage, and data or intellectual property theft.
Recent research by Venafi shows that cybercrime has become a primary means of revenue generation in North Korea, and APT groups are helping the country work outside of international sanctions, funding political and military gains. In fact, it’s estimated that up to $2 billion makes its way directly into North Korea’s weapons program each year as a result of nation-state cybercrime.
Kevin Bocek, VP, Security Strategy and Threat Intelligence, Venafi, says that while there’s no telling what rogue freelancers are after, the targets that come to mind are data theft or potentially funds. “But we’ve seen in the past that North Korean APT groups have used stolen code-signing identities in devastating nation-state attacks, so they’re likely to be on the table as well,” Bocek explains. “The problem is that there’s currently not enough awareness and security around the importance of machine identities. This lack of focus allows North Korean cybercriminals to take advantage of a serious blind spot in software supply chain attacks.”
Bocek suggests that organizations must now be proactive, not reactive, in their security defenses. The recruiting process, such as vetting and background checks, has to be robust to prevent hiring a rogue freelancer.
For companies looking to protect against the impact these threat actors could have if armed with stolen code signing certificates, machine identity management remains the best defense. “Businesses must have visibility over their environments in order to spot changes and react fast, both from a human identity and a machine identity perspective,” Bocek says. Without the effective management of both machines and humans, we’ll continue to see APT groups thrive, and high-profile nation-state attacks will continue to affect businesses and government. The automation of machine identity management can help to take this element of security out of already overstretched security teams' hands.”