  1. HOW DPRK IT WORKERS OPERATE
    1. DPRK IT Workers: Skills and Platforms
    2. DPRK IT Workers: Hiding Their Identity
    3. Resume of a DPRK IT Worker

HOW DPRK IT WORKERS OPERATE

DPRK IT workers target freelance contracts from employers located in wealthier nations, including those in North America, Europe, and East Asia. In many cases, DPRK IT workers present themselves as South Korean, Chinese, Japanese, Eastern European, or U.S.-based teleworkers.

In some cases, DPRK IT workers further obfuscate their identities by creating arrangements with third-party sub-contractors. These sub-contractors are non-North Korean, freelance IT workers who complete contracts for the DPRK IT workers. DPRK IT managers have also hired their own teams of non-North Korean IT workers who are usually unaware of the real identity of their North Korean employer or the fact that their employer is a DPRK company. The DPRK IT managers use their outsourced employees to make software purchases and interact with customers in situations that might otherwise expose a DPRK IT worker.

Although DPRK IT workers normally engage in non-malicious IT work, such as the development of a virtual currency exchange or a website, they have used the privileged access gained as contractors to enable the DPRK's malicious cyber intrusions. Some overseas-based DPRK IT workers have provided logistical support to DPRK-based malicious cyber actors, although the IT workers are unlikely to be involved in malicious cyber activities themselves. DPRK IT workers may share access to virtual infrastructure, facilitate sales of data stolen by DPRK cyber actors, or assist with the DPRK's money laundering and virtual currency transfers.

DPRK IT workers have also assisted DPRK officials in procuring WMD and ballistic missile-related items for the DPRK’s prohibited weapons programs.

There are instances where workers are subjected to human trafficking, including forced labor. Credible reports show many DPRK workers overseas are subjected to excessive work hours, constant and close surveillance by North Korean government security agents, unsafe and unsanitary living conditions, and little freedom of movement. The North Korean government withholds up to 90 percent of wages of overseas workers which generates an annual revenue to the government of hundreds of millions of dollars.

DPRK IT Workers: Skills and Platforms

DPRK IT teams abroad most commonly obtain freelance jobs through various online platforms. Companies use these platforms to advertise contracts for projects that freelance IT developers can bid on. Less commonly, the DPRK IT teams find local, non-DPRK nationals to serve as the nominal heads of companies that are actually controlled by North Koreans. There have also been instances in which DPRK IT teams appear, on paper, to work for a legitimate local company but pursue their own business independently – and in return for hiding their North Korean origins, the DPRK IT team will pay a fee to the foreign company. DPRK IT teams often include members proficient in a foreign language, such as English or Chinese.

DPRK IT workers use a wide variety of mainstream and IT industry-specific freelance contracting platforms, software development tools and platforms, messaging applications, and social media and networking websites to obtain development contracts for companies around the world, as well as utilizing a number of digital payment platforms and websites to receive payment for their work. DPRK IT workers also use virtual currency exchanges and trading platforms to manage digital payments they receive for contract work as well as to launder and move funds they receive.

DPRK IT Workers: Hiding Their Identity

DPRK IT workers deliberately obfuscate their identities, locations, and nationality online, often using non-Korean names as aliases. They also use virtual private networks (VPNs), virtual private servers (VPSs), or third-country IP addresses to appear as though they are connecting to the internet from inconspicuous locations, reducing the likelihood of scrutiny of their DPRK location or relationships. DPRK IT workers generally rely on the anonymity of telework arrangements, use proxies for account creation and maintenance, and favor the use of intermediaries and communication through text-based chat instead of video calls.

DPRK IT workers use proxy accounts to bid on, win, work on, and get paid for projects on freelance software developer websites. These proxy accounts belong to third-party individuals, some of whom sell their identification and account information to the DPRK IT workers. In some cases, DPRK IT workers pay fees to these individuals for use of their legitimate platform accounts. DPRK IT workers may populate freelance platform profiles with the real affiliations and work experience of the proxy.

At times, DPRK IT workers engage other non-North Korean freelance workers on platforms to propose collaboration on development projects. A DPRK IT worker takes advantage of these business relationships to gain access to new contracts and virtual currency accounts used to conduct the IT work over U.S. or European virtual infrastructure, bypassing security measures intended to prevent fraudulent use. In establishing accounts with the aid of other freelance workers, DPRK IT workers may claim to be third-country nationals who need U.S. or other Western identification documents and freelance platform accounts to earn more money.

Hiding their real locations allows DPRK IT workers to violate terms of service agreements for the online platforms and services they use for their activities. As part of their tradecraft, DPRK IT workers may also use single, dedicated devices for each of their accounts, especially for banking services, to evade detection by fraud prevention, sanctions compliance, and anti-money laundering measures.

DPRK IT workers routinely use counterfeit, altered, or falsified documents, including identification documents, and forged signatures—either that they have made themselves using software such as Photoshop, or that they have paid a document forgery company to alter, combining the IT worker’s own or a provided photo with the identifying information of a real person. DPRK IT workers commonly procure forged documents such as:

  • driver’s licenses,
  • social security cards,
  • passports,
  • national identification cards,
  • resident foreigner cards,
  • high school and university diplomas,
  • work visas, and
  • credit card, bank, and utility statements.

In some instances, these identities are stolen, while in others the DPRK IT workers have solicited a non-North Korean national to set up an account using their own personal information or information to which they have access, after which control of the account is transferred to the DPRK IT workers for a fee. This allows the DPRK IT worker to conceal their identity when bidding on and completing freelance projects for clients online, using the infrastructure of the real account holder via remote desktop access. Each IT worker often uses multiple identities and accounts, which can also be shared between IT workers on the same team. These accounts and identities purport to be from countries from every part of the world.

DPRK IT workers may steal the customer account information of U.S. or international banks to verify their identities with freelance platforms, payment providers, and companies employing the DPRK IT workers. In at least one case, DPRK IT workers forged checks using stolen bank account information. Accounts and resumes associated with DPRK IT workers' proxy identities often include falsified, but realistic and detailed, education and employment history information, including false contact information for educational institutions and previous employers.

DPRK IT workers may also populate their online developer profiles’ employment sections with the names of small or mid-sized Western companies so that the DPRK IT workers appear to be reputable Americans or Europeans when bidding on projects. They may use the names of actual employees and email addresses that appear similar to the Western company’s legitimate domain.
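The following screening routine is an added example written for this page, not code from the advisory or from any platform it describes. It turns two of the indicators above into checks an onboarding or fraud team could run: a contact email whose domain is only a look-alike of the claimed employer's real domain (this paragraph), and platform logins that arrive from VPN/VPS/hosting ranges or from a country other than the one the profile claims (the first paragraph of "Hiding Their Identity"). The hosting prefixes, country attributions, and both sample profiles are constructed from reserved TEST-NET ranges; in production they would come from an IP-intelligence feed and the platform's own login records.

```python
"""Freelancer-profile screening heuristics (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# Constructed: hosting/VPN ranges an IP-intelligence feed would normally supply.
HOSTING_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "hosting-provider-A (constructed)",
    ipaddress.ip_network("198.51.100.0/24"): "vpn-provider-B (constructed)",
}
# Constructed: country attribution for the same TEST-NET ranges (not real geolocation).
GEO_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "RU",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typo-squats and homoglyph swaps such as l -> 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Naive registrable domain: last two labels (assumption; ignores co.uk-style suffixes)."""
    return ".".join(domain.lower().strip().split(".")[-2:])


def lookalike_domain(email_domain: str, legit_domain: str) -> bool:
    """True when the email domain imitates but does not equal the claimed employer's domain.
    An exact match is NOT flagged here: that is either a genuine employee or a stolen
    identity, which this check cannot distinguish."""
    e, l = registrable(email_domain), registrable(legit_domain)
    if e == l:
        return False
    e_name, l_name = e.split(".")[0], l.split(".")[0]
    if levenshtein(e_name, l_name) <= 2:          # examp1ecorp, exarnplecorp
        return True
    # examplecorp-dev, myexamplecorp; length guard avoids matching short names like "hp"
    return len(l_name) >= 5 and l_name in e_name


def classify_ip(ip: str) -> tuple[str | None, str | None]:
    """Return (hosting/VPN provider label or None, country code or None) for an address."""
    addr = ipaddress.ip_address(ip)
    provider = next((lbl for net, lbl in HOSTING_PREFIXES.items() if addr in net), None)
    country = next((cc for net, cc in GEO_PREFIXES.items() if addr in net), None)
    return provider, country


@dataclass
class Login:
    ip: str
    ts: str  # ISO timestamp, kept for the analyst; not used in scoring


@dataclass
class Profile:
    name: str
    claimed_country: str
    claimed_employer_domain: str
    contact_email: str
    logins: list[Login]
    video_interview_done: bool


def screen(profile: Profile) -> list[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    findings: list[str] = []
    email_domain = profile.contact_email.rsplit("@", 1)[-1]
    if lookalike_domain(email_domain, profile.claimed_employer_domain):
        findings.append(f"contact domain {email_domain} is a look-alike of claimed employer "
                        f"{profile.claimed_employer_domain}")
    countries: set[str] = set()
    hosted = 0
    for lg in profile.logins:
        provider, country = classify_ip(lg.ip)
        hosted += provider is not None
        if country:
            countries.add(country)
    if profile.logins and hosted == len(profile.logins):
        findings.append("every login came from a hosting/VPN range")
    mismatch = countries - {profile.claimed_country}
    if mismatch:
        findings.append(f"logins geolocate to {sorted(mismatch)} but profile claims "
                        f"{profile.claimed_country}")
    if not profile.video_interview_done:
        findings.append("no video verification; identity rests on documents and chat only")
    return findings


# Constructed sample profiles (names, emails and addresses are all fictitious).
SUSPECT_PROFILE = Profile(
    name="J. Doe (constructed)", claimed_country="US",
    claimed_employer_domain="examplecorp.com", contact_email="jdoe@examplecorp-dev.com",
    logins=[Login("203.0.113.17", "2024-01-02T03:04:05Z"),
            Login("198.51.100.9", "2024-01-03T22:10:00Z")],
    video_interview_done=False,
)
CLEAN_PROFILE = Profile(
    name="A. Smith (constructed)", claimed_country="US",
    claimed_employer_domain="examplecorp.com", contact_email="asmith@examplecorp.com",
    logins=[Login("192.0.2.5", "2024-01-02T15:00:00Z")], video_interview_done=True,
)

if __name__ == "__main__":
    for p in (SUSPECT_PROFILE, CLEAN_PROFILE):
        print(p.name, "->", screen(p) or "no findings")
```

These are triage signals, not proof: many legitimate freelancers connect through VPNs, and the edit-distance threshold will occasionally flag unrelated short names, so hits should route to a manual review that includes a live video call and an independent check of the claimed employer. A profile built on a stolen identity with email at the real company domain passes the look-alike check entirely, which is why the advisory pairs this indicator with the document and bank-account checks described below.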

DPRK IT workers additionally falsify statement of work agreements, invoices, client communication documentation, and other documents for use with freelancing platforms, likely to satisfy know-your-customer and anti-money laundering (KYC/AML) measures or similar procedures that platforms have in place to ensure the legitimacy of user activity. These falsified documents may have minimal contact details to deter verification.

DPRK IT workers may also attempt to mask their nationality by representing themselves as South Korean or simply “Korean” citizens.

DPRK IT workers who obtain freelance positions with an unwitting company have also been known to subsequently recommend to the company the freelance employment of additional DPRK IT workers.

Resume of a DPRK IT Worker

DPRK IT workers advertise skills working on system and program development, database management systems, and use of a wide variety of common languages, frameworks, tools, and cloud resources. These often include strong skills in a number of coding and markup languages. A majority of DPRK IT worker projects are related to mobile and web app development. DPRK IT workers also use collaborative platforms and hosting services for data and workflow management. These workers often report experience with a variety of databases and are familiar with the cloud and analytics products and services from major providers. Additionally, DPRK IT workers incorporate digital payment and e-commerce platforms in their work.

DPRK IT workers build “portfolio” websites, generally simple in design, in an effort to boost the credibility of their fabricated, freelance developer personas. These virtual portfolios represent the work of DPRK IT workers’ personas and are often linked to their online freelance developer accounts. Information on these websites, including contact information and location, as well as work history and education, is likely to be false.
