DPRK IT workers used fake IDs and purchased Upwork/LinkedIn accounts for developer jobs.
In a growing trend that poses significant security risks, North Korean IT workers are leveraging freelance platforms like Upwork and LinkedIn to infiltrate Western companies. These workers, often posing as legitimate remote developers, use fake identities and purchased accounts to secure jobs. According to recent reports, this tactic is part of a larger scheme aimed at generating illicit revenue for the North Korean regime and facilitating cyberespionage activities.
The US Treasury Department first warned about this tactic in 2022, highlighting the use of fake identities by North Korean IT workers to secure freelance contracts. These workers often pose as South Korean, Chinese, Japanese, or Eastern European nationals, and as US-based teleworkers [1]. They use front companies in China, Russia, Southeast Asia, and Africa to mask their identities and secure jobs at Western companies.
A recent high-profile case involved Christina Chapman, who was convicted of orchestrating a scheme that enabled North Korean IT workers to pose as US citizens and residents using stolen identities. The conspiracy generated over $17 million in illicit revenue over three years [1]. Chapman ran a "laptop farm" that hosted the overseas IT workers' computers inside her home, making it appear that the computers were located in the US. She forged payroll checks and laundered salaries through bank accounts under her control.
The techniques used by North Korean agents have evolved and now include disabling secure access service edge tools and abusing privileged access at one organization to infiltrate another [1]. These workers often use deepfake technologies, extortion scams, and advanced AI tools to evade detection. For instance, the software engineer hired by security awareness vendor KnowBe4 used a valid but stolen US-based identity and an application photo that had been enhanced from a stock image using AI tools [1].
The growing body of evidence suggests that thousands of highly skilled IT workers from North Korea are seeking jobs worldwide. Mandiant reported that these workers acquire freelance contracts from clients around the world. Although they mainly engage in legitimate IT work, they have misused their access to enable malicious cyber intrusions [1]. This trend is not limited to the US; European businesses are also targeted, with suspected DPRK workers undertaking projects in areas such as web development, bot development, content management system (CMS) development, and blockchain technology [1].
The increasing sophistication of these schemes underscores the need for companies to carry out tighter vetting of new hires. CISOs are urged to implement robust background checks and secure access service edge tools to mitigate the risk of infiltration by North Korean IT workers.
References:
[1] https://www.csoonline.com/article/4033022/how-not-to-hire-a-north-korean-it-spy-3.html