FBI warns of North Korean cyberspies posing as foreign IT workers

Looking for tech talent? Kim Jong-un's friendly freelancers, at your service


Pay close attention to that resume before offering that work contract.

The FBI, in a joint advisory with the US government Departments of State and Treasury, has warned that North Korea's cyberspies are posing as non-North-Korean IT workers to bag Western jobs to advance Kim Jong-un's nefarious pursuits.

In guidance [PDF] issued this week, the Feds warned that these techies often use fake IDs and other documents to pose as non-North-Korean nationals to gain freelance employment in North America, Europe, and East Asia. Additionally, North Korean IT workers may accept foreign contracts and then outsource those projects to non-North-Korean folks.

Once Kim's crew are hired by private-sector firms, they'll either use their newfound corporate network access for cybercrime — cryptocurrency theft, ransomware, and cyberespionage are some of the Supreme Leader's favorites — or they'll simply send their paychecks to North Korea to fund that government's other hobbies, such as developing weapons of mass destruction and ballistic missiles.

From the alert:

An overseas DPRK IT worker earns at least ten times more than a conventional North Korean laborer working in a factory or on a construction project overseas. DPRK IT workers can individually earn more than $300,000 a year in some cases, and teams of IT workers can collectively earn more than $3 million annually. A significant percentage of their gross earnings supports DPRK regime priorities, including its WMD program.

It's worth noting that all of these activities are subject to US and United Nations sanctions. Anyone who hires or supports North Korea government-backed workers, including processing financial transactions, may face legal consequences themselves.

According to the alert: "These IT workers take advantage of existing demands for specific IT skills, such as software and mobile application development, to obtain freelance employment contracts from clients around the world, including in North America, Europe, and East Asia." 

The freelancers may represent themselves as US-based or non-North Korean teleworkers. Additionally, they may use VPNs or third-country IP addresses, or even subcontract their work to non-North Koreans to "further obfuscate their identities," it warned.

The security advisory includes two dozen "red-flag indicators" that businesses employing freelance developers, and organizations that provide freelance employment and payment systems, should pay close attention to. It also lists nearly as many potential mitigation measures. 

These include verifying all documents and websites submitted, conducting video interviews and pre-employment background checks, avoiding payments in virtual currency, verifying banking information, and being on the lookout for small-scale, unauthorized transactions.

In one such case, we're told, North Korean developers employed by a US firm charged the company's payment account and stole more than $50,000 in small installments over the course of several months.

"The US company was not aware the developers were North Korean or of the ongoing theft activity due to the slight amounts," the alert noted.
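To illustrate the "small-scale, unauthorized transactions" check the advisory recommends, here is an added example (not code from the advisory or from The Register) that flags a payee whose charges each stay below a per-transaction review threshold yet add up to a large sum within a rolling window. The ledger, payee names, and thresholds are constructed placeholders.

```python
from collections import defaultdict
from datetime import date, timedelta


def _weekly(payee, start, amount, n):
    """Helper to build n weekly charges for a payee starting on an ISO date."""
    d = date.fromisoformat(start)
    return [((d + timedelta(days=7 * i)).isoformat(), payee, amount) for i in range(n)]


# Constructed sample ledger (ISO date, payee, USD amount); payees are placeholders.
LEDGER = (
    _weekly("contractor-A", "2022-01-03", 450.00, 12)   # 12 x $450 = $5,400 over 77 days
    + [("2022-01-10", "vendor-B", 1200.00),             # large charges get reviewed individually
       ("2022-02-14", "vendor-B", 1200.00),
       ("2022-03-01", "vendor-B", 300.00)]
    + _weekly("contractor-C", "2022-01-05", 90.00, 4)   # small and few: benign noise
)


def flag_low_value_drip(ledger, per_txn_max=500.0, window_days=90, cumulative_min=5000.0):
    """Return {payee: (window_start, window_end, total)} for payees whose
    sub-threshold charges reach cumulative_min within any window_days span."""
    by_payee = defaultdict(list)
    for day, payee, amount in ledger:
        if amount < per_txn_max:  # only charges that would individually slip past review
            by_payee[payee].append((date.fromisoformat(day), amount))

    flagged = {}
    for payee, txns in by_payee.items():
        txns.sort()
        best, start, running = None, 0, 0.0
        for day, amount in txns:
            running += amount
            # drop charges from the left until the window spans fewer than window_days
            while (day - txns[start][0]).days >= window_days:
                running -= txns[start][1]
                start += 1
            if running >= cumulative_min and (best is None or running > best[2]):
                best = (txns[start][0].isoformat(), day.isoformat(), round(running, 2))
        if best:
            flagged[payee] = best
    return flagged


if __name__ == "__main__":
    for payee, hit in flag_low_value_drip(LEDGER).items():
        print(f"REVIEW {payee}: ${hit[2]:,.2f} across {hit[0]}..{hit[1]}")
```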

This joint security advisory follows several other alerts issued and actions taken by Uncle Sam that attempt to end Kim Jong-un's illegal money-making endeavors.

In April, the Feds offered a reward up to $5 million for information that helps disrupt North Korea's cryptocurrency theft, cyber-espionage, and other illicit state-backed activities. Around the same time, a US court sentenced an American citizen to more than five years behind bars, and fined him $100,000, for providing cryptocurrency and blockchain technical advice to North Korea in breach of sanctions. 

Also in April, the Feds attributed the $620 million Axie Infinity heist to North Korea's Lazarus Group, and fingered the gang's getaway wallet address. 

Earlier this month, the Treasury sanctioned cryptocurrency mixer Blender for its role in helping Lazarus Group launder stolen digital assets. ®
