Cybersecurity News that Matters

Feature: DPRK IT worker scheme and more

Illustration by Areum Hwang, The Readable

by Dain Oh

Jan. 24, 2025
8:00 PM GMT+9

On Thursday, the U.S. Justice Department indicted two North Korean nationals and three accomplices in a scheme in which they fraudulently secured remote IT jobs with U.S. companies with the aim of generating revenue for the North Korean regime. Over the past few years, The Readable has closely monitored cyber threats from the hermit nation of North Korea, particularly focusing on the regime’s IT worker schemes. In this feature, we highlight some of the most significant stories we’ve published on the topic.

We will be back on February 3 after South Korea’s Seollal holiday. Wishing a happy new year to all our brilliant readers!

1. Two North Korean nationals and three facilitators indicted for multi-year fraudulent remote IT worker scheme

The U.S. Department of Justice has indicted five individuals, including North Korean nationals Jin Sung-Il and Pak Jin-Song, for orchestrating a scheme to generate revenue for North Korea’s regime by securing fraudulent IT jobs with U.S. companies. Over six years, the operation exploited remote work arrangements, using forged documents and fake identities to place North Korean operatives at no fewer than 64 U.S. companies. The scheme funneled approximately $866,255 through Chinese accounts to evade sanctions and reach North Korea’s coffers. U.S.-based collaborators supported the fraud by creating “laptop farms” to enable access and deception.

The severity of this case lies in its direct support of North Korea’s regime, including its weapons programs. The FBI has identified this scheme as part of a larger pattern in which North Korean IT workers abroad use pseudonyms and forged documents to secure lucrative contracts, collectively generating hundreds of millions of dollars annually. This revenue directly funds sanctioned entities, such as North Korea’s Ministry of Defense. The defendants face charges including conspiracy, wire fraud, and violations of the International Emergency Economic Powers Act, with potential sentences of up to 20 years.

This case highlights the risks posed by North Korea’s cyber-enabled schemes that exploit global remote work systems. Through initiatives like the “DPRK RevGen: Domestic Enabler Initiative,” the Justice Department is focused on dismantling these operations, safeguarding U.S. businesses, and disrupting funding for the North Korean regime’s illicit activities.

2. Fourteen North Korean nationals indicted in multi-year IT fraud scheme

The U.S. has accused 14 North Korean nationals of defrauding American companies, violating sanctions, and extorting employers through an elaborate six-year IT fraud scheme that funneled illicit funds to North Korea’s missile programs.

The indictment, unsealed Thursday, alleges that the conspirators used fake identities to secure remote IT jobs, steal sensitive company data, and extort firms, funneling millions to the North Korean regime.

The accused individuals worked for DPRK-controlled companies Yanbian Silverstar in China and Volasys Silverstar in Russia. Both companies employed at least 130 North Korean IT workers, internally referred to as “IT Warriors.” According to the allegations, these workers collectively generated $88 million in illicit revenue for the North Korean government.

3. New malware allows North Korea to deploy fake recruitment schemes, research says

Illustration by Sangseon Kim, The Readable

Programming interviews for software development roles are a common practice in the tech industry. However, it is rare for these interviews to involve code designed to secretly steal sensitive data from job candidates’ computers.

“He wanted me to open up a full stack application and explain the code. I did, but I ran it in a [virtual machine] (because you should NEVER run random code that you do not understand from a suspicious party), and he was not happy,” said Richard Chang, a software engineer, posting on LinkedIn, sharing his experience with what turned out to be a fake recruiter.

“He kept giving excuses about how it needed to be run in an actual machine because of Windows … issues. The code however is malicious (yes, Javascript code can be evil),” Chang added. The “surprisingly sophisticated” code was actually designed to surreptitiously scan for logs and passwords stored on the computer, he explained.

4. North Korean hackers target LinkedIn users with fake Chinese profile

A North Korean hacking group allegedly disguised itself as a Chinese investor on a social media platform, employing this guise to lure victims into engaging with phishing attacks.

According to the blockchain security firm SlowMist, the Lazarus group allegedly crafted a fraudulent account on LinkedIn named “Nevil Bolson.” Purporting to be an investor and entrepreneur, the user represented himself as a founding partner at the Chinese venture capital firm “Fenbushi Capital.” The imposter replicated the legitimate profile of a Fenbushi Capital partner, making minor alterations to the description section and even using an identical profile photo to enhance its appearance of legitimacy.

SlowMist’s Chief Information Security Officer emphasized that LinkedIn served as a crucial tool for the North Korean hacking group to orchestrate phishing attacks against their targets. In an email statement dated April 30, the CISO highlighted that the hackers leveraged the bogus profile to discreetly engage their victims in conversation, often by discussing investment opportunities. Once they captured the users’ interest, the hackers arranged online meetings where unsuspecting targets were duped into downloading malicious code.

5. North Korean IT workers fund Pyongyang with earnings from illegal gambling sites, intelligence agency reveals

A group of North Korean information technology professionals has reportedly sold thousands of illegal gambling websites to South Korean criminal organizations, funneling their profits back to the North Korean government. According to the South Korean intelligence agency, over a thousand North Korean IT professionals are suspected of generating illicit revenue from overseas, particularly in China, through the sale of such online gambling platforms.

The National Intelligence Service (NIS) on Wednesday revealed details about an illegal online gambling network run by a group of North Korean IT professionals based in Dandong, China. Identified as “Gyonghung Information Technology Co., Ltd,” this group reportedly charged clients $5,000 to create illegal gambling websites and received $3,000 monthly payments for site management. Additionally, they imposed fees ranging from $2,000 to $5,000 on a monthly basis in instances of heightened website traffic. The exact earnings of this group were not disclosed by the NIS.

The North Korean operatives camouflaged their identities as Chinese IT workers, either through the assistance of Chinese intermediaries or by fabricating false identities. This involved altering their photographs on Chinese identification cards, a process facilitated by resources found on online platforms like Google or LinkedIn. They then targeted potential clients via social media channels and job recruitment sites. Portraying themselves as highly skilled foreign IT experts, the group actively pursued clientele by promising substantial profits, leveraging credentials they had deceitfully acquired from stolen resumes.

Illustration by Areum Hwang, The Readable

6. North Korea escalates cyber threats, prompting security alerts for South Korea, US, and UK

On Friday, a South Korean intelligence agency, along with its international partners, issued a joint cybersecurity advisory concerning a North Korean hacking group. This announcement followed the indictment of one of the group’s members by the United States government a day earlier. The individual is accused of infiltrating U.S. hospitals and infecting them with ransomware.

In the joint statement, eight organizations were listed, including the U.S. Federal Bureau of Investigation (FBI), the U.S. Cyber National Mission Force (CNMF), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Defense Cyber Crime Center (DC3), the U.S. National Security Agency (NSA), South Korea’s National Intelligence Service (NIS), South Korea’s National Police Agency (NPA), and the United Kingdom’s National Cyber Security Centre (NCSC).

The advisory warned that a North Korean state-sponsored cyber group, known publicly as Andariel, Onyx Sleet, DarkSeoul, Silent Chollima, and Stonefly, is persistently targeting defense, aerospace, nuclear, and engineering entities. The goal of these attacks is to obtain sensitive and classified technical information and intellectual property to advance the regime’s military and nuclear programs and ambitions.

7. North Korea reorganized its hacking groups to increase efficiency in cyber operations, Mandiant reveals

North Korean state-sponsored cyber groups, broadly referred to as the “Lazarus Group,” appear to have recently restructured themselves in an effort to accelerate internal cooperation, according to the cybersecurity firm Mandiant.

Enhanced cooperation among the “Lazarus Group” has given the hacking collective several advantages, such as improved resource sharing and greater difficulty of attribution, Google-owned Mandiant warned in a blog post last week.

“The DPRK’s cyber landscape has evolved into a streamlined organization, complete with shared tooling and targeting efforts,” stated Michael Barnhart, voicing the firm’s estimate of North Korea’s current cyber program.

8. North Korean cyber threats are shifting towards social engineering, the latest research by Mandiant reveals

Washington D.C. ― mWISE ― While Pyongyang continues to finance its nuclear weapons development through cyber extortion tactics like ransomware attacks and cryptocurrency heists, security experts are sounding the alarm on a recent shift in North Korean hacking methods. The new approach doesn’t rely on technical prowess, but rather employs simple disguises to pose as ordinary individuals for intelligence gathering.

Michael Barnhart, Principal Analyst at Mandiant for Google Cloud, unveiled new research on North Korea’s evolving social engineering tactics during a session at the Mandiant Worldwide Information Security Exchange (mWISE) conference on Monday. In a session aptly named “High volume and low sophistication,” Barnhart recounted a real-world incident targeting 38 North, a publication by the Stimson Center that offers policy analysis on North Korea. Jenny Town, Director of 38 North, also joined the presentation, shedding light on the events of that particular day.

“The cyber threat group is not hacking us anymore. These days, they do not start with the hacking aspect generally. It is a lot of social engineering,” said Town. In the realm of information security, social engineering involves the artful use of deception to manipulate individuals into disclosing confidential or personal information, often leveraged for fraudulent activities.

9. Magic Broom Operation: South Korea is blocking security holes abused by Pyongyang

Illustration by Sangseon Kim, The Readable

Security vulnerabilities discovered in a popular authentication software application have been exploited by North Korean hacking groups despite an unusual warning issued to South Korean users four months ago, the National Intelligence Service (NIS) said on Tuesday.

In a joint operation intended to fortify Korea’s national security, the NIS has joined forces with antivirus software companies to create applications able to detect vulnerable software on users’ devices in order to delete it automatically.

Led by the National Cyber Security Center, the “Magic Broom Operation” is a joint effort between the public and private sectors. Three major antivirus firms, AhnLab, Hauri, and ESTsecurity, will help Korean government agencies wipe out security holes in their customers’ systems by running their specialized software nationwide.

10. The full picture of Kimsuky operation: Look at the moon, not at the finger

Kaspersky APAC Cybersecurity Weekend Conference 2022 ― Phuket ― A Korean-speaking advanced persistent threat group, Kimsuky, has built the capability to carry out cyber-attacks against almost any target it chooses, a cybersecurity researcher warned Thursday.

“It takes multi-stages to carry out an APT attack, which involves spear phishing emails and Microsoft Word documents in the initial phases,” Seongsu Park, Lead Security Researcher for the Global Research and Analysis Team at Kaspersky, said at Kaspersky’s APAC Cybersecurity Weekend Conference.

Since 2013, Kimsuky has earned its notorious reputation for primarily targeting think tanks in South Korea and updating tools quickly to hide its infrastructure. The group is allegedly sponsored by the North Korean government, according to the U.S. Cybersecurity and Infrastructure Security Agency. Kimsuky is also known as Thallium, Black Banshee, and Velvet Chollima, while the U.S. government refers to the group as Hidden Cobra.
