North Korean IT worker scams lead to FBI seizure of fake domains, expose new tactics


North Korean IT worker scams are still proliferating across the private sector, causing billions in losses, even as the FBI was revealed on Thursday to have seized multiple DPRK IT worker front company domains, all reportedly created by nation-state loyalists to support the nefarious schemes.

Threat intelligence released by Sentinel Labs and Microsoft on Friday exposes new details of the Democratic People's Republic of Korea's (DPRK) 10-year-long clandestine operation, all aimed at stealing money and trade secrets from Western companies to bolster the communist regime, often with the help of China, Russia, and other like-minded nations.

From front companies, Faceswap, and impersonating IT recruiters on LinkedIn, to supply chain attacks, crypto heists, and stealing aerospace defense trade secrets, North Korean IT worker scams are showing no signs of slowing down, despite law enforcement and the private sector meticulously disclosing their inner workings.


Here is the round-up of the biggest North Korean tech worker scams hitting the headlines this week. We start with the obvious: the FBI seizure of four domains directly associated with DPRK IT worker front companies, originally identified by Sentinel Labs.

DPRK IT front companies impersonate US tech firms

The fraudulent websites were first identified by Sentinel threat hunters based on their unique characteristics, with one site active as late as May before the US government took them down.

The fake company sites – including the many more said to be still up and running – are created to mimic the online brands of legitimate tech organizations, often posing as IT consulting or software development outsourcing firms.

Sometimes the websites are exact replicas; logo, design, format, and all. In other instances, more effort is put into the creations with additional elements, such as stolen ‘Company Reviews’ and ‘About Us’ sections, sourced from a patchwork of other legitimate websites.

The four company websites seized by the FBI after the Sentinel discovery included:

  • US software firm Kitrum faked as Independent Lab LLC. (inditechlab[.]com)
  • Indian-based Urolime Technologies faked as Shenyang Tonywang Technology LTD. (tonywangtech[.]com)
  • ArohaTech USA faked as Tony WKJ LLC. (wkjllc[.]com)
  • iTechArt in Belarus faked as HopanaTech. (hopanatech[.]com)
DPRK IT worker front company website Independent Lab LLC (shown left) is a replica design of a legitimate website belonging to US-based custom software firm Kitrum (shown right). Images by Sentinel Labs.

Some of the websites are said to center around the ‘Contact Us’ form, "enticing visitors to engage in communications, providing no contact details on the website itself,” the Sentinel Labs advisory stated.

Additionally, all the seized domains were found to be registered through Namecheap, based in Arizona, with two sites hosted by InterServer in New Jersey and the others hosted by companies in India and Asia.
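The website characteristics described above (copied "About Us" and "Company Reviews" text, and a "Contact Us" form with no other contact details on the page) can be turned into a simple triage check a defender can run against a suspected front-company site. The Python script below is an added example and is not SentinelOne's tooling or anything published with the advisory; the two HTML documents, company names and contact details in it are constructed for illustration, and a real check would fetch the candidate and reference pages and compare against a corpus of legitimate vendor sites.

```python
"""Triage heuristics for suspected IT-worker front-company websites.
Added example, not SentinelOne's tooling; the HTML samples are constructed."""
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\(?\d{1,3}\)?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
ADDRESS_RE = re.compile(r"\b(street|suite|avenue|road|boulevard|floor)\b", re.I)
# Tags treated as text-block boundaries so copied paragraphs compare whole.
BLOCK_TAGS = {"title", "h1", "h2", "h3", "p", "li", "div", "section",
              "footer", "form", "button", "td", "tr"}


class _PageParser(HTMLParser):
    """Collects visible text blocks and counts <form> elements."""
    def __init__(self):
        super().__init__()
        self.parts, self.form_count, self._skip = [], 0, 0

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.form_count += 1
        if tag in ("script", "style"):
            self._skip += 1          # ignore non-visible text
        if tag in BLOCK_TAGS:
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        if tag in BLOCK_TAGS:
            self.parts.append("\n")

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def parse_page(html):
    """Return (whitespace-normalised visible text blocks, number of forms)."""
    parser = _PageParser()
    parser.feed(html)
    parser.close()
    blocks = [" ".join(b.split()) for b in "".join(parser.parts).split("\n")]
    return [b for b in blocks if b], parser.form_count


def contact_indicators(blocks, form_count):
    """Flag a page that offers a contact form but publishes no contact details."""
    text = " ".join(blocks)
    has_email = bool(EMAIL_RE.search(text))
    has_phone = bool(PHONE_RE.search(text))
    has_address = bool(ADDRESS_RE.search(text))
    return {"has_email": has_email, "has_phone": has_phone, "has_address": has_address,
            "contact_form_only": form_count > 0 and not (has_email or has_phone or has_address)}


def copied_blocks(candidate_blocks, reference_blocks, min_len=40):
    """Long text blocks of the candidate that appear verbatim on the reference site."""
    reference = {b.lower() for b in reference_blocks if len(b) >= min_len}
    long_blocks = [b for b in candidate_blocks if len(b) >= min_len]
    copied = [b for b in long_blocks if b.lower() in reference]
    return copied, (len(copied) / len(long_blocks) if long_blocks else 0.0)


def triage(candidate_html, reference_html, copy_threshold=0.5):
    """Combine both checks into one report for a candidate page."""
    cand_blocks, forms = parse_page(candidate_html)
    ref_blocks, _ = parse_page(reference_html)
    report = contact_indicators(cand_blocks, forms)
    copied, ratio = copied_blocks(cand_blocks, ref_blocks)
    report.update(copied_text_ratio=ratio, copied_blocks=copied, indicators=[])
    if report["contact_form_only"]:
        report["indicators"].append("contact form only: no email, phone or address on page")
    if ratio >= copy_threshold:
        report["indicators"].append(f"{ratio:.0%} of long text blocks copied from reference site")
    return report


# Constructed sample: a legitimate vendor page with full contact details.
LEGIT_HTML = """<html><head><title>Acme Custom Software</title></head><body>
<h1>Acme Custom Software</h1>
<section id="about"><h2>About Us</h2>
<p>We build custom software for startups and enterprises across fintech, healthcare and logistics.</p>
<p>Our engineers have delivered over two hundred projects since the company was founded.</p></section>
<section id="reviews"><h2>Company Reviews</h2>
<p>Acme delivered our platform on time and on budget, and the team communicated clearly throughout.</p></section>
<footer>Acme Custom Software, 100 Main Street, Suite 200, Austin, TX. Phone +1 (512) 555-0100. Email hello@example.com</footer>
</body></html>"""

# Constructed sample: a clone that lifts the About Us text and offers only a form.
FRONT_HTML = """<html><body>
<h1>Example Independent Lab LLC</h1>
<section id="about"><h2>About Us</h2>
<p>We build custom software for startups and enterprises across fintech, healthcare and logistics.</p>
<p>Our engineers have delivered over two hundred projects since the company was founded.</p></section>
<section id="reviews"><h2>Company Reviews</h2>
<p>Example Lab delivered our platform on time and on budget, and the team communicated clearly throughout.</p></section>
<h2>Contact Us</h2>
<form action="/contact" method="post"><input name="email"><textarea name="msg"></textarea><button>Send</button></form>
</body></html>"""

if __name__ == "__main__":
    for line in triage(FRONT_HTML, LEGIT_HTML)["indicators"]:
        print("-", line)
```

Both indicators are heuristics, not proof: plenty of legitimate small firms publish only a contact form, and the copied-text ratio is only meaningful when the reference is a different organisation's site. Together with registrar and hosting data of the kind SentinelOne reported, they give an analyst a repeatable first pass before any manual review.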

The researchers said they believe “with high confidence” the four domains are directly connected to a “larger set of organizations based in China.”

Other nations known as home bases for North Korean front companies include China, Russia, Southeast Asia, and Africa – all playing “a key role in masking the workers’ true origins and managing payments,” they said.

Microsoft talks tactics at CYBERWARCON

Besides the FBI takedown featured by SentinelOne, Microsoft also took time on Friday to divulge a compilation of the latest North Korean IT worker scams at the CYBERWARCON 2024 conference taking place in Virginia.

Microsoft presented a bevy of new DPRK scam tactics at the one-day conference, which is aimed at identifying and exploring threats among government, military, academia, media, and the private sector.

Microsoft says North Korea’s ten-years-in-the-making “computer network exploitation capability” has enabled the communist government to “steal billions of dollars in cryptocurrency, as well as target organizations associated with satellites and weapons systems,” via multiple zero-day vulnerabilities.


Microsoft found that the threats DPRK IT workers pose to US national security include generating funds to support the nation’s weapons program and stealing information about defense-related technology, weapons systems, sanctions information, and policy-related decisions before they occurred.

Labeling North Korean IT workers as a "triple threat," Microsoft points out that the workers often must use so-called "facilitators" to first create an account on a freelance job website, which involves setting up a portfolio to show “examples” of previous work.

This may explain the hundreds of fake profiles and portfolios for North Korean IT workers Microsoft observed on developer platforms like GitHub and social media sites like LinkedIn.

Last month, Microsoft researchers said they discovered a public repository chock full of North Korean IT worker files. The cache was noted to contain job-related files including:

  • Resumes, headshots, and email accounts of IT workers
  • LinkedIn, GitHub, Upwork, TeamViewer, Telegram, and Skype accounts
  • Wallet information and suspected payments made to facilitators
  • Playbooks on how to carry out identity theft and how to navigate freelancer websites and bid on jobs without getting flagged
  • VPS and VPN accounts along with specific VPS IP addresses

The researchers also discovered workers utilizing free AI tools, such as “Faceswap,” to edit the headshots to look more professional, even reusing them on multiple resumes and online profiles to apply for jobs.

The bad actors would also use Faceswap to “move their picture over to documents that they have stolen from victims,” Microsoft said.

Photos of potential North Korean IT workers. Use of AI apps to modify photos. LinkedIn profile, since taken down. Two resumes use different versions of the same photo. GitHub profile, since taken down. (From R to L clockwise.) Images by Microsoft.

The IT workers were also found experimenting with other AI technologies to refine their attack techniques, including voice-changing software, which could be used to trick interviewers into thinking they are communicating with someone other than a North Korean IT worker.

Although there is no evidence of this to date, Microsoft says “this could allow the North Korean IT workers to do interviews directly and not have to rely on facilitators obtaining work for them by standing in on interviews or selling account access to them.”

Posting a summary of its findings in a Microsoft security blog, the tech giant said tracking the North Korean threat actors is challenging due to the vast number of parties and activities involved in the operations, which can include creating accounts on various platforms, accepting payments, and moving money to North Korean IT worker-controlled accounts.

What’s the end goal for North Korea?

The mission for the North Korean workers is to “secure remote jobs and freelance contracts with businesses worldwide,” providing a pathway for funds and/or trade secrets (earned or stolen) to be laundered back to DPRK, thereby evading sanctions.

Although the workers often use “fake identities and forged credentials,” many of them are highly skilled in areas like “software development, mobile applications, blockchain, and cryptocurrency technologies,” Sentinel noted, making it even harder to distinguish between real and fake applicants.


In October, research by SecureWorks revealed another IT worker scam – perpetrated by a North Korean-linked group known as Nickel Tapestry – operating multiple “laptop farms” of these so-called IT workers.

The “workers” would apply for developer positions in Western companies using “stolen or falsified identities,” with some taking on multiple personas for the scam by using ‘Splitcam’ live-streaming software – which allows the user to create an AI clone of themselves – to carry out video calls, hiding their identity and location.

Once hired, the workers would steal the company's trade secrets and hold them for ransom, a tactic not seen before.
