Misconfigured cloud server leaked clues of North Korean animation scam
Outsourcers outsourced work for the BBC, Amazon, and HBO Max to the hermit kingdom
A misconfigured cloud server that used a North Korean IP address has led to the discovery that film production studios including the BBC, Amazon, and HBO Max could be inadvertently using workers from the hermit kingdom for animation projects.
The server – which according to think tank Stimson Center this week is no longer being utilized – was discovered by the author of NK Internet blog, Nick Roy, in late 2023.
The Stimson Center, together with Roy, analyzed the files that would appear every day on the server's blog, according to a post on the think tank's blog, 38 North, penned by Martyn Williams.
Many of those files included instructions for animation work and results of that day’s work, uploaded by unknown individuals. Editing comments and instructions were frequently written in Chinese, accompanied by a Korean translation.
"This suggests a go-between was responsible for relaying information between the production companies and the animators," alleged Williams.
Google-owned cyber security outfit Mandiant had a look at the access logs and found most logins to the server were done over a virtual private network (VPN), but there were also three from China and one from Spain.
The researchers were able to identify a few of the projects – including season 3 of Amazon Prime’s “Invincible”, plus Cartoon Network and HBO Max's “Iyanu, Child of Wonder”. Files from BBC's Octonauts were found on the server, but appeared completed, so it is not known if work on the show was contracted out or if the files were there for other reasons.
Although the documents do not explicitly name the organization, the researchers suspect that the contractor doing the outsourced animation was the Pyongyang-based, state-sponsored animation company April 26 Animation Studio – also known as SEK Studio – which is subject to US sanctions.
"There is no evidence to suggest that the companies identified in the images had any knowledge that a part of their project had been subcontracted to North Korean animators," asserted Williams.
He posited that additional relay servers probably exist for North Korean orgs covertly engaging in other digital work such as software development.
North Korean citizens' efforts to earn money for the regime by posing as IT workers are well documented. The United States has issued warnings against the practice and advisories on how to protect against inadvertently supporting Kim Jong Un's regime and slush fund.
In January, 38 North warned that cloud computing service providers should take more care against unwittingly renting infrastructure to North Korea. At the time, the org was more concerned about North Korean access to AI infrastructure than hiring out its citizens as animators. ®