North Korea has quietly seeded thousands of information technology (IT) professionals into contractors and subcontractors that serve the United States’ largest and most profitable companies. These workers operate under American or third country false identities. This IT army’s main objective is to earn money for the perpetually cash strapped Kim Jong Un regime. These funds support North Korea’s ballistic missile and nuclear programs and prop up Kim’s dictatorship.
In addition, North Korean arms are now findings their way into conflicts around the world. Russia has started to use North Korean missiles to conduct strikes inside Ukraine and North Korean munitions have been used by Hamas in attacks against Israel forces in Gaza. All of this is made possible because of funds flowing from IT workers into North Korean government coffers.
Moreover, the access that these North Korean infiltrators have gained within U.S. companies provides the Kim regime multiple vectors for the theft of intellectual property (IP), the holding of U.S. data hostage for ransom, attacks on critical infrastructure, and the launching of cyber attacks. Thus, American companies are unknowingly funding an enemy state dedicated to their own degradation and destruction.
The Danger
Since at least 2015, North Korea has exploited the use of remote IT workers to gain employment with companies around the world. The main purpose of this army of IT professionals is to generate revenue that circumvents international sanctions. This is a large and systemic problem, as IT and software development outsourcing is a massive market, expected to exceed $500 billion in 2024. Nearly two-thirds of U.S. companies outsource at least some of their IT and software engineering needs.
The danger goes beyond mere remittances to a dictator. Information technology is only one of many ways Kim Jong Un funds his regime. IT, however, is special. A North Korean remote IT worker has access to company networks, which means access to proprietary IP, data archives, production, internal tooling, plans, processes, and personnel. The North Korean infiltrators’ goal is to remain undiscovered; but if they are, they already have their hands on critical systems.
One industry source reported that North Koreans who had been discovered and fired then responded with extortion. The fired workers had maintained access to high-value code or systems that the company could not lose. This is a little-discussed form of ransomware attack.
Moreover, recent investigations by Palo Alto’s Unit 42 threat intelligence team uncovered evidence that North Korea’s traditional espionage and intrusion actor groups may now be cooperating. What does this mean? Imagine a Lazarus Heist-type theft or Sony hack enabled by malicious insiders operating as IT workers inside major U.S. companies.
Finally, U.S. companies that hire these workers face liability for evading sanctions. It is true that most U.S. firms employ North Korean IT support unwittingly. However, this is not a claim that the U.S. government can accept at face value. Running afoul of U.S. and international sanctions against North Korea can introduce a range of liabilities, including with the Treasury Department’s Office of Foreign Asset Control, as well as other national and international regulatory and law enforcement authorities.
The Scope
Given the covert nature of this operation, determining the precise number of North Korean IT professionals operating inside U.S. systems is impossible. However, interviews with one purported North Korean worker suggested more than 4,000 North Korean IT and software workers are deployed globally. The FBI estimated that each of these workers can generate up to $300,000 annually, with teams collectively exceeding $3 million each year.
Now that North Korea has reopened following the COVID-19 pandemic, it seems logical that the regime would send additional workers abroad, given previous successes.
An industry source with knowledge of the threat claims that the number of deployed North Korean IT professionals is probably more in the neighborhood of 8,000-12,000. And while many of these workers originally started operations out of Russia and China, they have also been identified in Southeast Asia, Africa, and the Middle East. The industry source indicated that efforts to uncover these workers inside U.S. companies have found them operating on internet infrastructure in these locations.
The Difficulty of Detection
The risk of hiring North Korean remote IT workers is not something most companies consider in their decision making. Corporate hiring and due diligence practices were never built to detect a nation-state using the full range of government resources for the sole purpose of seeding employees into foreign private companies.
Although many large U.S. corporations have built insider-threat programs designed to detect and mitigate both negligent and malicious activities, those programs vary widely in effectiveness. More importantly, few corporate insider-threat programs go so far as to apply their screening processes to contract employees. Many companies do not even know the identities or citizenship of remote contract employees, especially if those workers are offshore. Finally, once hired onto a project, the North Koreans take pains to avoid any activities that draw the attention of insider threat teams.
Some North Korean Tactics and Techniques
The first challenge infiltrators encounter is the hiring process. They need to get their foot in the door. The FBI’s two advisories on the topic provide us with some basic information on how this is accomplished, but industry sources tell us that North Koreans often pursue employment with contract IT companies. The number of these firms has grown dramatically since the COVID-19 pandemic, and they may not have as rigorous screening processes as larger corporations. Alternatively, North Koreans seek freelance IT work on major job platforms.
These workers operate under fake names using an array of stolen, forged, or fabricated identity documents from countries around the world, including the United States. They often use a combination of VPNs, noisy hosted IPs, and residential proxies to mask their real locations, as well as crafting complex scheduling and logistical programs to ensure they are present for remote calls and meetings in Western time zones.
North Korean workers rely to some degree on cryptocurrency and digital currency payment platforms for payment, thereby avoiding traditional financial industry fraud detection tools.
Recently, North Koreans are suspected to make use of generative AI tools like ChatGPT to build more realistic and understandable English-language content as well as develop identity verification documents that pass many counter-fraud tools.
The Adaptation and Evolution of the Threat
Industry sources argue that North Korea’s tradecraft and technological acumen are maturing. North Korea still sends manual laborers abroad, especially to Russia and China, but it has also expanded the skills repertoire of its workers. The first IT employees from North Korea were not very good compared to their colleagues from other countries. This has changed. Today, North Korean IT workers learn in-demand coding languages, including knowledge of leading-edge AI and ML products, to secure employment at prominent companies using the most advanced technologies.
Some IT workers fired by contract employers were considered to be excellent coders who delivered superior work products. Industry sources posit that some companies may be willing to overlook contract employment of a North Korean if their output significantly contributed to business operations.
Moreover, North Korean IT professionals have figured out new ways to conceal their identities. These workers frequently hire Western nationals to pose as them during job interviews or team meetings, and even operate their fake personas online using U.S. Internet infrastructure – all to avoid detection by insider threat and cybersecurity teams.
Some North Korean IT workers have established legitimate businesses in foreign countries, hired local nationals, and operated as remote IT staffing firms. These firms never touch U.S. or Western businesses and focus entirely on generating revenue from operations inside those countries.
Other enterprising North Koreans have paid college students in Western countries to allow use of a laptop in their dorm rooms or virtual machines on their school laptops, all to circumvent security controls deployed to detect malicious network activity outside the United States.
North Koreans are able to secure work in a remote IT capacity because of the virtual nature of much engineering work. Working from obscure, varied, and widely dispersed locations is not unusual in this industry, and thus often does not raise alarms. However, many companies require all employees, even contractors, to use corporate devices so that the corporate customers can maintain control over their endpoints. In these instances, North Koreans must obtain corporate devices. They do this via mail or commercial delivery.
IT departments and externally sourced IT vendors routinely ship devices to personal addresses provided by talent acquisition. In some cases, those locations have to match the purported location of the employee. Obviously, northwestern China, Russia, and Southeast Asia will not suffice in these situations. To solve this problem, North Korea relies on proxies to receive these devices somewhere in the United States.
An even more difficult problem is payment. Many employers require U.S. bank accounts to pay wages. It is not clear how North Korea evades the banking sector’s rigorous Know Your Customer regulations. One possibility is high quality counterfeit documents. Another is again the use of proxies to receive payment in exchange for a fee.
Mitigations
The North Korean IT worker threat poses a unique risk to U.S. firms and companies in Europe, Japan, South Korea, Australia, New Zealand, and elsewhere in the democratic developed world. Pyongyang has exploited a unique moment in the evolution of IT services’ business model to attack a target ill-suited to defend itself.
Few private companies are even aware of the threat, let alone constituted to address it effectively. Those that do will need to master cyber defense, insider threat, employee screening, geopolitics, and a combination of legal and employee privacy regulations.
But the threat can be mitigated. The development and maturation of fundamental security practices designed to protect companies from traditional risks is the place to start. Targeted investments in the following areas can increase the entry and operating costs for North Korean workers, and ultimately, put them out of business:
- design, deploy, and regularly audit employee hiring and identity verification processes;
- train talent acquisition and human resources on the threat and ensure they employ verification practices to weed out malicious actors;
- ensure cybersecurity and IT network defense personnel are trained on the threat and possess the necessary monitoring tools to anomalous activity indicating a potential risk;
- enable cybersecurity professionals to exchange approved threat intelligence with peers and through multilateral organizations like IT-ISAC;
- empower insider threat teams to conduct regular reviews of contract workforces to detect potential compromise; and
- instruct cybersecurity and insider threat teams to scrutinize government advisories on the North Korean threat, to ensure they have the most up-to-date information to perform investigations.
Geopolitical Implications
North Korea exists today only because of the support it receives from China. Beijing is aware of North Korea’s IT army and permits it to continue. Moreover, it is likely Beijing would use the thousands of deployed IT workers in a crisis if it served China’s national interests. The United States already suffers massive technology and IP theft from China; the North Korean IT workforce represents another potential weapon.
More imminently for U.S. and other Western businesses, China’s support for North Korea and its IT worker program in particular means that no diplomatic or governmental solution is possible. The private sector must take the lead in its own defense.