Skip to main content
banner image
venafi logo

U.S. Warns Against Unintentionally Hiring North Korean IT Workers

U.S. Warns Against Unintentionally Hiring North Korean IT Workers

May 17, 2022 | Brooke Crothers

The U.S. Department of State, the U.S. Department of the Treasury, and the FBI have issued an advisory warning of attempts by North Korea (DPRK) information technology (IT) workers to get jobs by posing as non-North Korean nationals. The warning has legal teeth: The U.S. and United Nations have sanctions designation for individuals and entities engaged in or supporting North Korea worker-related activity and processing related financial transactions, according to the advisory.

Get Fast, Easy, and Secure Enterprise-Grade Code Signing With Venafi!
Connection to WMDs and missile programs

The advisory said North Korean IT workers are tapping into the demand for IT skills to get freelance contracts in North America, Europe, and East Asia. And in many cases, the workers circumvent hiring restrictions by representing themselves as U.S.-based or non-North Korean teleworkers – or hide their identities and location by sub-contracting work to non-North Koreans.  

Workers target job opportunities across a wide gamut of specialities including mobile applications, mobile games, building virtual currency exchange platforms and digital coins, graphic animation, artificial intelligence-related applications, hardware and firmware development, and database development and management.

The “vast majority of them are subordinate to and working on behalf of entities directly involved in DPRK’s WMD and ballistic missile programs, as well as its advanced conventional weapons development and trade sectors. This results in revenue…being used by the DPRK to develop its WMD and ballistic programs, in violation of U.S. and UN sanctions,” the advisory said.

“Although DPRK IT workers normally engage in non-malicious IT work, such as the development of a virtual currency exchange or a website, they have used the privileged access gained as contractors to enable DPRK’s malicious cyber intrusions. Some overseas-based DPRK IT workers have provided logistical support to DPRK-based malicious cyber actors, although the IT workers are unlikely to be involved in malicious cyber activities themselves. DPRK IT workers may share access to virtual infrastructure, facilitate sales of data stolen by DPRK cyber actors, or assist with the DPRK’s money-laundering and virtual currency transfers.”

--Guidance on the Democratic People’s Republic of Korea Information Technology Workers, Joint advisory of the U.S. Department of State, the U.S. Department of the Treasury, and the FBI, May 16, 2022

Cybercrime is how North Korea makes money

“Our recent research shows that cybercrime has become a primary means of revenue generation in North Korea,” said Kevin Bocek, VP, Ecosystem & Threat Intelligence at Venafi, adding that Advanced Persistent Threat (APT) groups are helping North Korea to work around international sanctions.

“It’s estimated that up to $2bn makes its way directly into North Korea’s weapons program each year as a result of nation state cybercrime,” Bocek said.

The method: targeting freelance IT developer contracts

North Korean IT teams operating abroad commonly get freelance jobs through online platforms, where companies advertise contracts for freelance IT developers. Also, in some instances, these rogue IT teams find local, non-DPRK nationals to serve as the nominal heads of companies that are actually controlled by North Koreans, according to the advisory.

These IT workers also use virtual currency exchanges and trading platforms to manage digital payments they receive for contract work as well as to launder and move funds.

The means: hiding identities

“DPRK IT workers deliberately obfuscate their identities, locations, and nationality online, often using non-Korean names as aliases,” the advisory said. They use virtual private networks (VPNs), virtual private servers (VPSs), or third-country IP addresses to conceal their location and reduce the likelihood of scrutiny of their DPRK location or relationships, according to the advisory.

The workers will also exploit the anonymity of telework arrangements and use proxies for account creation and maintenance. They favor the use of communications through text-based chat instead of video calls.

Venafi’s take: be proactive

“Defending against North Korean nation-state actors is difficult, particularly when these threats are now coming from both outside and inside organizations,” said Bocek. " Organizations must now be proactive, not reactive in their security defenses. It’s clear that recruitment processes have to be robust to prevent hiring a rogue freelancer," he said.

Bocek continued. “Ultimately, there’s no telling what these rogue freelancers are after. The targets that spring to mind are data theft or potentially funds but we’ve seen in the past that North Korean APT groups have made use of stolen code signing identities in devastating nation state attacks. The problem is that there’s currently not enough awareness and security around the importance of machine identities. This lack of focus allows North Korean cybercriminals to take advantage of a serious blindspot in software supply chain attacks.

For companies looking to protect against the impact these threat actors could have if armed with stolen code signing certificates, machine identity management remains the best defense.

“Businesses must have visibility over their environments in order to spot changes and react fast, both from a human identity and a machine identity perspective. Without the effective management of both machines and humans, we’ll continue to see APT groups thrive, and high-profile nation-state attacks will continue to affect businesses and government. The automation of machine identity management can help to take this element of security out of already overstretched security teams hands.”

Related Posts

Like this blog? We think you will love this.
Featured Blog

Researchers Find 3,200 Apps Exposing Twitter API Keys, Cite ‘BOT Army’ Threat

Key Findings:

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Brooke Crothers
Brooke Crothers
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more