DOJ Indicts North Korean IT Workers for Using Remote Jobs to Fund Weapons Programs
U.S. federal prosecutors indicted 14 North Korean nationals for orchestrating long-running schemes to plant compatriots into Western companies as remote IT workers in an end run around long-standing sanctions against the totalitarian Pyongyang regime.
The conspirators, operating through North Korean-controlled companies in China and Russia, used false, stolen and borrowed identities to disguise workers’ identities, securing remote work with U.S. companies and nonprofits. In November, prosecutors charged a Tennessee man with aiding North Korea’s ongoing efforts to obtain remote IT jobs, marking the second arrest this year in a nationwide crackdown on the growing scam (see: US Feds Arrest Man for North Korean Remote IT Worker Scam).
The indictment alleges four criminal counts including conspiracy to evade trade sanctions and conspiracy to commit wire fraud and money fraud, as well as conspiracy to commit identity theft.
Federal prosecutors this year launched a campaign to disrupt North Korea’s efforts to deceive U.S. companies into hiring its citizens for remote work. The scam poses significant cybersecurity risks, including the theft of sensitive business information for extortion, said Assistant Attorney General Matthew Olsen.
“To prop up its brutal regime, the North Korean government directs IT workers to gain employment through fraud, steal sensitive information from U.S. companies and siphon money back to the DPRK,” Deputy Attorney General Lisa Monaco said in a statement.
North Korean nationals have a history of using stolen identities to obtain remote jobs with Western companies, redirecting their earnings to support the regime and its development of weapons of mass destruction. Government ministries that dispatch workers to gain remote employment include the Munitions Industry Department, which oversees production of nuclear weapons and ballistic missiles. Also active are the Ministry of Atomic Energy Industry and agencies inside the North Korean ministry of defense and military.
The indictment follows warnings that fraudulent North Korean workers are now stealing corporate intellectual property with plans to exploit it for extortion (see: North Korean IT Scam Workers Shift to Extortion Tactics).
The indictment claims the 14 conspirators held roles from senior leadership to IT workers at sanctioned North Korean-controlled firms Yanbian Silverstar and Volasys Silverstar, which employed over 130 North Korean IT staff, known internally as “IT Warriors.” The conspirators were tasked with earning at least $10,000 monthly and generated $88 million over six years by stealing sensitive company data, including proprietary source code, and extorting employers with threats to leak it.
Fraudulent North Korean IT workers routed their salary payments through Chinese banks for eventual use by Pyongyang, according to Michael Barnhart, Principal Analyst at Mandiant, Google Cloud.*
The Google subsidiary has observed a rise in extortion attempts by those fraudulent workers, who, for the first time, are following through on threats to release sensitive data from infiltrated organizations to pressure victims into paying steep ransoms.
“They’re also demanding more cryptocurrency than they ever have before,” Barnhart said in a statement. “Revealing the individuals and calling out their locations also sends a message that they’re no longer anonymous pseudonyms in an unknown region.”
Federal prosecutors are also pursuing U.S. citizens involved in aiding North Korea’s remote work schemes. In May, an Arizona woman was charged with bypassing sanctions to help North Koreans secure IT jobs at Fortune 500 companies, with prosecutors alleging at the time the fraudulent workers stole data from a multinational restaurant chain and a classic American clothing brand (see: US FBI Busts North Korean IT Worker Employment Scams).
North Korean IT workers pose a sophisticated, persistent threat to businesses rapidly hiring contract workers, U.S. Attorney Sayler Fleming warned.
“North Korean IT workers continue to find ways to evade detection,” Fleming said in a statement. “Businesses need to closely vet employees to avoid having their sensitive data stolen and unwittingly funding North Korea’s government.”
The State Department announced a $5 million reward for information on the companies and individuals involved, including Jong Song Hwa, Ri Kyong Sik, Kim Ryu Song, Rim Un Chol, Kim Mu Rim, Cho Chung Pom, Hyon Chol Song, Son Un Chol, Sok Kwang Hyok, Choe Jong Yong, Ko Chung Sok, Kim Ye Won, Jong Kyong Chol, and Jang Chol Myong.
*Updated Dec. 12, 2024, 22:20 UTC: Adds comments from Mandiant’s Michael Barnhart.