North Korean hackers pose as experienced IT freelancers to land employment

FBI warns about skilled software and mobile app developers from North Korea posing as “non-DPRK nationals” and freelancers

Criminals fake work experience to get freelance jobs in IT companies in wealthier countries and steal important state-related data

The US government agencies warned people about the Democratic People's Republic of Korea that launched the new campaign. IT workers try to get freelance jobs at companies across the world to obtain privileged access that can be used to facilitate cyber attacks.^[1] Hackers pose as non-DPRK nationals in hopes of getting freelance jobs in various IT companies.^[2] It is speculated that these IT workers are targeting these freelance jobs at organizations in wealthier countries forced by their government.^[3]

These people used various methods to hide the North Korean origins and avoid sanctions from the United Nations and the United States for supporting the DPRK regime. The joined advisory from the US Department of State, the Department of the Treasury, and the Federal Bureau of Investigation state that these hackers targeted financial, social media, sports, health, entertainment, and lifestyle-focused companies.

The particular countries these alleged skilled IT workers wanted to seek jobs in include East Asia, Europe, and North America. Most of these dispatched workers are situated in China, Russia, Africa, and Southeast Asia. The warning aims to stop the particular stream of revenue that workers create and financially support the development of nuclear and ballistic guns.

The North Korean government withholds up to 90 percent of wages of overseas workers which generates an annual revenue to the government of hundreds of millions of dollars

Workers aiming to land jobs in the crypto platform and software development

DPRK IT workers are known to take on projects that involve cryptocurrency, and this is a contribution to the general interest in the technology and the history where the country is involved in targeted attacks.^[4] These attacks and malicious campaigns are often aimed at the financial sector.

The main areas where these developers aim are jobs that include software development, cryptocurrency platforms, graphic animation, online gambling, mobile games, dating, AI, and VR applications. They also aim to be involved in hardware and firmware development, biometric recognition software, and database management.

These hackers, backed by their government, abuse the privileged access obtained as contractors. This is the way to provide logistical support to North Korean state-sponsored groups or share the access to infrastructure virtually, sell stolen information, and get involved in money laundering and cryptocurrency transfers.

Identification factors for the criminals

These hackers try to evade identification and pass as individuals from non-sanctioned countries. These people change their names and use VPN connections and other IP addresses from other regions than North Korea.^[5] Hackers often rely on various bidding platforms to get work and buy accounts from individuals with no DPRK affiliation on their profile. They take advantage of the persona that the account belongs to, so the work experience can help them get freelance jobs easier.

Possible red flags that may appear on such accounts addressing job offers:

• multiple logins into one account from different IP addresses;
• multiple accounts on the same platform from one IP address;
• logging into accounts for one or more days at the time;
• use of ports like 3389 that are associated with remote desktop sharing software;
• using rogue client accounts on freelance work platforms to boost the rating;
• various developer accounts receiving the high ratings from one client account shortly;
• frequent money transfers via payment platforms to China-based accounts;
• seeking payments in virtual currency specifically.