The U.S. government warned that North Korean IT workers are infiltrating Western companies in search of sensitive corporate data.
A joint advisory from the U.S. Treasury Department, State Department and FBI on Monday explained how the Democratic People's Republic of Korea (DPRK) was seeding companies in the U.S., Europe and Asia with workers who lied about their nationalities in order to gain IT positions. While most of these IT workers are located in China and Russia, the advisory warned of "attempts" to gain employment at U.S. companies.
"The DPRK dispatches thousands of highly skilled IT workers around the world to generate revenue that contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions," the advisory warned.
"These IT workers take advantage of existing demands for specific IT skills, such as software and mobile application development, to obtain freelance employment contracts from clients around the world, including in North America, Europe and East Asia."
Once in place, the advisory said, the workers can harvest essential information from their employers, such as details on economic or military programs.
"Although DPRK IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK's malicious cyber intrusions," the U.S. Treasury notice said. "Additionally, there are likely instances where workers are subjected to forced labor."
While cyberespionage can be the goal in some cases, the government agencies said that for the most part these North Korean IT workers operate as a source of income. Due to extensive international sanctions, the reclusive dictatorship is unable to generate much income, and as a result it has turned to overseas workers who send paychecks back home.
In most cases, the advisory said, the North Korean IT workers pose as nationals of other countries. In many cases, the workers add a layer of obfuscation by using third-party contractors to set up their jobs.
Once in place, the workers will generally operate without causing any disruption, simply raising money for the government via their salaries. If the opportunity to collect sensitive information or exfiltrate secrets presents itself, however, some of the workers will take advantage.
"Some overseas-based DPRK IT workers have provided logistical support to DPRK-based malicious cyber actors, although the IT workers are unlikely to be involved in malicious cyber activities themselves," the advisory said.
"DPRK IT workers may share access to virtual infrastructure, facilitate sales of data stolen by DPRK cyber actors, or assist with the DPRK's money-laundering and virtual currency transfers."
To protect against possible attacks, the advisory recommended that employers pay close attention to the documents and details provided by contracted workers and flag suspicious activity, such as the use of outside payment services that could be hiding bank transactions.