FBI warns of North Korean cyberspies posing as foreign IT workers

Looking for tech talent? Kim Jong-un's friendly freelancers, at your service

Pay close attention to that resume before offering that work contract.

The FBI, in a joint advisory with the US government Departments of State and Treasury, has warned that North Korea's cyberspies are posing as non-North-Korean IT workers to bag Western jobs to advance Kim Jong-un's nefarious pursuits.

In guidance [PDF] issued this week, the Feds warned that these techies often use fake IDs and other documents to pose as non-North-Korean nationals to gain freelance employment in North America, Europe, and East Asia. Additionally, North Korean IT workers may accept foreign contracts and then outsource those projects to non-North-Korean folks.

Once Kim's crew are hired by private-sector firms, they'll either use their newfound corporate network access for cybercrime (cryptocurrency theft, ransomware, and cyberespionage are some of the Supreme Leader's favorites) or simply send their paychecks to North Korea to fund that government's other hobbies, such as developing weapons of mass destruction and ballistic missiles.

From the alert:

An overseas DPRK IT worker earns at least ten times more than a conventional North Korean laborer working in a factory or on a construction project overseas. DPRK IT workers can individually earn more than $300,000 a year in some cases, and teams of IT workers can collectively earn more than $3 million annually. A significant percentage of their gross earnings supports DPRK regime priorities, including its WMD program.

It's worth noting that all of these activities are subject to US and United Nations sanctions. Anyone who hires or supports North Korea government-backed workers, including processing financial transactions, may face legal consequences themselves.

According to the alert: "These IT workers take advantage of existing demands for specific IT skills, such as software and mobile application development, to obtain freelance employment contracts from clients around the world, including in North America, Europe, and East Asia." 

The freelancers may represent themselves as US-based or non-North-Korean teleworkers. Additionally, they may use VPNs or third-country IP addresses, or even subcontract their work to non-North-Koreans to "further obfuscate their identities," the advisory warned.

The security advisory includes two dozen "red-flag indicators" that businesses employing freelance developers, and organizations that provide freelance employment and payment systems, should pay close attention to. It also lists nearly as many potential mitigation measures. 

These include verifying all documents and websites submitted, conducting video interviews and pre-employment background checks, avoiding payments in virtual currency, verifying banking information, and being on the lookout for small-scale, unauthorized transactions.

In one such case, we're told, North Korean developers employed by a US firm charged the company's payment account and stole more than $50,000 in small installments over the course of several months.

"The US company was not aware the developers were North Korean or of the ongoing theft activity due to the slight amounts," the alert noted.
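One way a finance or security team could catch that "slight amounts" pattern is to review payees on cumulative spend rather than per-charge size. This is an added example, not code from the advisory or the article; the ledger, thresholds and function names are constructed assumptions.

```python
"""Flag payees whose charges each stay under the manual-review threshold
but add up, over several months, to a large sum (the slow-drain pattern)."""
from collections import defaultdict
from datetime import date

# Assumed policy values, not from the advisory:
REVIEW_THRESHOLD = 500.00   # single charges at or above this already get reviewed
CUMULATIVE_LIMIT = 5000.00  # total from one payee that should trigger a look
MIN_MONTHS = 3              # pattern must persist across this many calendar months


def flag_slow_drain(ledger, review_threshold=REVIEW_THRESHOLD,
                    cumulative_limit=CUMULATIVE_LIMIT, min_months=MIN_MONTHS):
    """ledger: iterable of (date, payee, amount_usd). Returns findings, largest first."""
    per_payee = defaultdict(list)
    for day, payee, amount in ledger:
        # Only charges small enough to escape per-transaction review matter here.
        if amount < review_threshold:
            per_payee[payee].append((day, amount))

    findings = []
    for payee, rows in per_payee.items():
        total = sum(amount for _, amount in rows)
        months = {(day.year, day.month) for day, _ in rows}
        if total >= cumulative_limit and len(months) >= min_months:
            findings.append({"payee": payee, "total": round(total, 2),
                             "charges": len(rows), "months": len(months)})
    return sorted(findings, key=lambda f: f["total"], reverse=True)


def constructed_ledger():
    """Constructed sample data: one slow drain, one legit big vendor, one-off small spend."""
    rows = []
    for month in range(1, 7):  # vendor-X: two $490 charges a month, Jan to Jun
        rows.append((date(2022, month, 5), "vendor-X", 490.00))
        rows.append((date(2022, month, 20), "vendor-X", 490.00))
    rows.append((date(2022, 2, 1), "vendor-Y", 3500.00))  # large, reviewed normally
    rows.append((date(2022, 4, 1), "vendor-Y", 3500.00))
    for day in (3, 9, 15):  # vendor-Z: small charges confined to one month
        rows.append((date(2022, 3, day), "vendor-Z", 250.00))
    return rows


if __name__ == "__main__":
    for finding in flag_slow_drain(constructed_ledger()):
        print(finding)
```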

This joint security advisory follows several other alerts issued and actions taken by Uncle Sam that attempt to end Kim Jong-un's illegal money-making endeavors.

In April, the Feds offered a reward of up to $5 million for information that helps disrupt North Korea's cryptocurrency theft, cyber-espionage, and other illicit state-backed activities. Around the same time, a US court sentenced an American citizen to more than five years behind bars, and fined him $100,000, for providing cryptocurrency and blockchain technical advice to North Korea in breach of sanctions.

Also in April, the Feds attributed the $620 million Axie Infinity heist to North Korea's Lazarus Group, and fingered the gang's getaway wallet address. 

Earlier this month, the Treasury sanctioned cryptocurrency mixer Blender for its role in helping Lazarus Group launder stolen digital assets. ®

Biting the hand that feeds IT © 1998–2022