January 17, 2025

U.S. Treasury sanctions North Korea’s IT warriors

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has imposed sanctions on two individuals and four entities linked to schemes that have used North Korean IT workers to generate illicit revenue for the North Korean government.

According to the Treasury Department, the North Korean ‘IT warriors’ conceal their true identities to fraudulently secure freelance contracts in software and mobile application development with Western companies. Once they are employed, the DPRK government reportedly takes up to 90% of their earnings, estimated to be hundreds of millions of dollars annually, and funnels it into its weapons of mass destruction (WMD) and ballistic missile programs.

The sanctioned entities include Department 53 of North Korea’s Ministry of the People's Armed Forces, which operates two front companies—Korea Osong Shipping and Chonsurim Trading Corporation—used to manage IT workers based outside of North Korea.

Additionally, the China-based Liaoning China Trade Industry Co., Ltd, has been sanctioned for supplying equipment to support these activities. The individuals sanctioned are Jong In Chol, president of Chonsurim's IT worker delegation in Laos, and Son Kyong Sik, chief representative of Korea Osong Shipping in China.

This action is part of ongoing efforts by the U.S. government to disrupt financial streams that support Pyongyang's strategic objectives at the expense of Western companies.

Source: The Hacker News

Analysis

North Korea leverages its fraudulent IT worker program to generate illicit revenue and gather intelligence in support of its strategic initiatives, including the development of nuclear weapons and ballistic missiles. Although the scheme has been active since at least 2018, it only gained significant attention from law enforcement agencies starting in 2023.

The operation involves North Korean workers posing as freelancers to secure IT-related jobs with Western firms. To appear credible, they use fake personas—sometimes AI-generated—or adopt stolen identities, including those of U.S. citizens, to enhance their resumes and succeed in job interviews. By late 2024, the scheme evolved further, with some fraudulent workers resorting to extortion by demanding ransoms in exchange for not leaking stolen information.

This operation is believed to affect hundreds, if not thousands, of positions globally. While only a small percentage of these roles result in data exfiltration or extortion, the scale and sophistication of the scheme highlight the persistent threat it poses to organizations worldwide.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats from advanced cyber actors engaging in malicious activities, including North Korean state-sponsored actors. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.

Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect recommends scrutinizing job application invites sent via email, messaging services such as WhatsApp, and social media. Keep in mind that the individuals making contact could be fake, and always make efforts to verify the recruiter’s identity and association with the company they claim to represent. Generally, if an offer is too good to be true, it probably is.

Field Effect users are encouraged to submit suspicious emails, including job offers, to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.
