North Korean IT workers ‘have infiltrated Australian businesses’, experts warn
By David Swan
A senior Google executive has warned that fake IT workers from North Korea have infiltrated Australian businesses as part of a complex multi-year scheme to commit wire fraud, money laundering and identity theft.
The US Department of Justice overnight announced indictments against 14 North Korean nationals, who allegedly posed as remote IT workers and used stolen identities and AI-generated credentials to infiltrate US-based companies.
The 14 workers – whose names and photos were released by the Justice Department – allegedly were mandated to earn a minimum salary of $US10,000 ($16,000) monthly, to be siphoned back to North Korea, and extorted their employers by stealing sensitive data and threatening to release it unless payments were made. In total, $US88 million was then allegedly used to help fund Pyongyang’s weapons programs.
“The defendants, in various capacities, were associated with a sanctioned DPRK [Democratic People’s Republic of Korea] front company named Yanbian Silverstar, based in the People’s Republic of China [PRC], and a sanctioned DPRK front company named Volasys Silverstar, based in the Russian Federation,” the US Department of Justice indictment reads.
“In total, Yanbian Silverstar and Volasys Silverstar employed and retained at least 130 DPRK IT workers, known among the conspirators as ‘IT warriors’.”
North Korean IT workers were also allegedly found to “create money transfer service accounts to receive funds from their US employers and remit those funds to PRC-based banks for eventual use by the DPRK”.
The conspiracy lasted for at least six years, the indictment said. The US companies were not identified. The US State Department is offering a $US5 million reward for information on the 14 North Korean nationals.
John Hultquist, chief analyst at Google-owned cybersecurity business Mandiant, told this masthead he has evidence that North Korean IT workers are impersonating Australians and being employed in Australian projects.
“As pressure has increased in the US, we have seen these IT workers shift their focus to other countries where employers are less familiar with this scheme and they are likely to meet less scrutiny,” Hultquist said.
“These North Koreans are legitimately skilled people in many cases, and they’re good at their jobs. And they’re IT workers, so they’re getting access to the most sensitive systems by virtue of their job.
“Our concern is that this is about as serious as a threat gets, and it’s a looming threat for Australia. And we can already see evidence that they’re operating in Australia.”
Hultquist did not name the Australian businesses. He said local human resources executives should be on high alert for remote workers using fraudulent or AI-generated identity documents to apply for roles.
“With most cyber threats, the advice is to get a certain device or block IP addresses,” he said.
“This is not that type of threat. The HR group has to change the way they hire, and post-COVID, there’s an increasing number of remote employees, and those employees in some cases are not getting the same scrutiny that they’ve had in the past.
“They’re getting access to serious financial data, which puts them in a position to steal a lot of money, and they’re getting access to critical infrastructure, which leads to very real national security concerns.”
Australia’s Department of Foreign Affairs and Trade has issued an advisory alert about the issue, urging businesses to closely scrutinise identity verification documents for forgery, and conduct video interviews to verify a worker’s identity. The department said businesses that hire North Korean IT workers might be in breach of Australian government sanctions, which could lead to prison time for executives or heavy fines.
“DPRK IT workers deliberately obfuscate their identities, locations, and nationalities, typically using fake personas, proxy accounts, stolen identities and falsified or forged documentation to apply for jobs,” the department said.
“They target employers located in wealthier countries (including Australia), utilising a variety of mainstream and industry-specific freelance contracting, and social media and networking platforms.
“DPRK IT workers often take on projects that involve virtual currency. DPRK IT workers also use virtual currency exchanges and trading platforms to manage digital payments they receive for contract work as well as to launder these illicitly obtained funds back to the DPRK.”
Michael Barnhart, who heads Mandiant’s team tracking threats from North Korea, said that the “threat actors” have recently become more dangerous once they gain employment at Western organisations.
“We’re seeing IT workers follow through on releasing sensitive data of organisations they’ve infiltrated to pressure victims into paying exorbitant ransoms. They’re also demanding more cryptocurrency than they ever have before,” Barnhart said.
“We assess that the heightened media attention and ongoing government disruptions targeting their cyber operations this past year are forcing an escalation in their tactics.
“The latest indictments against key leaders of North Korea’s IT worker scheme represent an escalation from law enforcement agencies in disrupting these illicit operations ... Revealing the individuals and calling out their locations also sends a message that they’re no longer anonymous pseudonyms in an unknown region.”