China helps North Korean operatives land IT roles, bypassing sanctions

Dive Brief:

Chinese front companies are helping North Korean IT workers get jobs and evade international sanctions, according to a report from strategic intelligence firm Strider Technologies.
Firms affiliated with the Chinese government have also supplied equipment to North Korean IT workers, Strider said in the report published Tuesday.
North Korean IT workers conduct ransomware operations, manipulate cryptocurrency markets and develop commercial software that sometimes contains malicious code, according to the report

Dive Insight:

Accidentally hiring North Korean IT workers is one of the biggest risks facing global technology firms today. Strider’s report breaks down the infrastructure behind Pyongyang’s operation, the activities that its workers engage in and the consequences that businesses could experience after unwittingly hiring these workers.

North Korean IT workers sometimes steal intellectual property to help their government make technological advances, Strider warned. They also steal other sensitive data and send it home for use in espionage operations. Sometimes, the workers sell the information on the dark web.

Companies that hire these workers also need to worry about reputational damage, according to the report. “This risk is particularly acute for firms operating in sensitive industries such as defense, finance, and technology,” the report said.

Pyongyang’s campaign of IT worker deception benefits from Chinese aid. Strider identified a Chinese company under U.S. sanctions that shipped equipment for IT workers to Department 53 of the Ministry of the People’s Armed Forces, a North Korean unit that has engaged in weapons trading. “These shipments include computers, graphics cards, HDMI cables, and network equipment,” Strider’s report.

Strider said its third-party due-diligence platform identified 35 other organizations linked to the Chinese firm that could also be supporting North Korea.

“This network presents a significant risk to Western businesses, which may unknowingly engage with or rely on entities connected to North Korean operations, exposing them to potential sanctions violations and serious reputational harm,” Strider warned in its report.

The sophistication of North Korean IT worker schemes has attracted significant attention from threat intelligence researchers. On Monday, Flashpoint published a report that unpacked the different stages of a typical operation, from fake job references to discussions about where to ship company laptops. Flashpoint also uncovered messages suggesting that North Korean operatives were directing foreigners as part of the scheme.

Companies should improve their HR and security teams’ collaboration to avoid falling victim to North Korean IT worker scams, said Evan Gordenker, consulting senior manager for the Unit 42 threat intelligence team at Palo Alto Networks, which has produced reports on North Korea’s schemes.

“We have found that these operatives often slip through due to gaps between hiring and post-hire security,” Gordenker told Cybersecurity Dive via email, “but we’ve seen some practical defenses work.”

Security teams should train HR interviewers to look for red flags, thoroughly verify applicants’ identities, and set up “tripwires” to detect suspicious activity, such as the use of anonymizing services and unauthorized remote access technology.

Ben Read, senior manager of Google’s Threat Intelligence Group, agreed on the need for “a unified response from recruiting, human resources, IT and security.”

“By training human resources departments to spot inconsistencies and broadly teaching them IT worker tactics, techniques, and procedures ( TTPs),” he said via email, “simple and personalized interview questions can often trip up IT workers and uncover these inconsistencies quite quickly.”