Beware of Imposters *Update*
This is an update to a previously released article as a result of the recent FBI Bulletin on this topic. Please refer to the prior article for more information and protective measures to implement.
What is new?
In July 2024, the FBI issued a Counterintelligence Bulletin about North Korean Nationals gaining remote IT jobs within U.S. businesses.
Threat Overview
The Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) dispatches thousands of highly skilled IT workers around the world, who use stolen or borrowed U.S. persons’ identities to pose as domestic workers, infiltrate the network of U.S. businesses, and generate revenue that contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and United Nations (U.N.) sanctions. These IT workers take advantage of existing demands for specific IT skills – in areas such as software, mobile applications, virtual currency exchange platform and coin development, graphic animation, and artificial intelligence-related applications – to obtain employment contracts from international clients, including in North America, Europe, and East Asia. In many cases, DPRK IT workers represent themselves as U.S.-based and/or non-North Korean teleworkers. The workers also at times further obfuscate their identities and location by sub-contracting work to non-North Koreans. Although DPRK IT workers normally engage in IT work distinct from malicious cyber activity, they have in a limited number of instances used the privileged access gained through employment as contractors or employees to perform malicious cyber activity.
Potential Indicators of DPRK IT Workers[1]
The following are suspicious activities that can be indicative of DPRK IT worker schemes. These indicators, however, are not limited to any individual, group, or business and should assessed in context:
- Unwillingness or inability to appear on camera, conduct video interviews or video meetings, inconsistencies when they do appear on camera, such as time, location, or appearance, or inability to communicate in real-time;
- Inability to conduct business during required business hours and/or failure to complete tasks in a timely manner or to respond to tasks;
- Inconsistencies in name spelling, nationality, claimed work location, contact information, educational history, work history, social media profiles and otherdetails across a developer’s freelance platform profiles, social media profiles, external portfolio websites, payment platform profiles, and assessed location and hours;
- Undue concern about requirements of a drug test, in person meetings, fingerprinting or providing additional biometrics or being unable to do so;
- Incorrect or changing contact information, specifically phone numbers and emails, and/or biographical information which does not appear to match the applicant;
- Address inconsistencies including the home address for provision of laptops or other company materials is a freight forwarding address, the home address rapidly changes upon hiring; or requests for the employer to send documents or equipment to an address not listed on employee’s identification documentation;
- Multiple logins into one account from various IP addresses in a relatively short period of time, especially if the IP addresses are associated with different countries and/or developers logging into multiple accounts on the same platform from one IP address;
- Use of digital payment services or seeking payment in virtual currency to evade know-your-customer (KYC)/anti-money laundering (AML) measures and use of the formal financial system;
- Frequent transfers of money through payment platforms, especially to China-based bank accounts, and sometimes routed through one or more companies to disguise the ultimate destination of the funds;
- Asking co-workers to borrow some of their personal information to obtain other contracts.
[1] An indicator or indicators alone do not accurately determine if a DPRK IT worker has applied or has gained employment; organizations should evaluate the totality of the observed activity and other relevant circumstances before notifying security/law enforcement personnel
Report Suspicious Activity
The FBI provides the above information to inform the private sector about DPRK IT worker schemes and potential indicators to be aware of to protect against being victimized by these schemes. The FBI is interested in information regarding suspected DPRK IT workers activities, as well as potential intermediaries and facilitators. Report information to your local FBI field office or other local Counterintelligence Task Force representative.
How could this affect my company?
There are reputational risks and potential for legal consequences, including sanctions under U.S. and United Nations (UN) authorities, for individuals and entities engaged in or supporting North Korean IT worker-related activity and processing related financial transactions. A company could also face potential risks such as theft of trade secrets, sabotage, and export violations.
Although North Korean IT workers normally engage in IT work unrelated to malicious cyber activity, they have used the privileged access gained as contractors to enable North Korea’s malicious cyber intrusions.