Threat actors linked to the Democratic People’s Republic of Korea (DPRK) impersonate US-based software and technology consulting companies to achieve their financial targets as part of a broader information technology (IT) worker scheme.
“Front companies, often based in China, Russia, Southeast Asia and Africa, play a key role in masking the true origins of workers and managing payments,” SentinelOne security researchers Tom Hegel and Dakota Cary said in a report shared with The Hacker News.
North Korea’s network of IT workers, both individually and under the guise of front companies, is seen as a method of evading international sanctions imposed on the country and generating illicit income.
The scheme, which is also tracked as Wagemole by Palo Alto Networks Unit 42, involves using fake identities to get jobs at various companies in the US and elsewhere and funneling large portions of the earnings back to the Hermit Kingdom in an attempt to finance its weapons of mass destruction (WMD) and ballistic missile programs.
In October 2023 the US government said it seized 17 websites posing as US IT companies to defraud businesses at home and abroad, allowing IT workers to hide their true identity and location while applying online for remote jobs around the world.
The IT workers were found to be working for two companies based in China and Russia, namely Yanbian Silverstar Network Technology Co. Ltd. and Volasys Silver Star.
“These IT workers funneled the proceeds of their fraudulent IT work back to the DPRK using online payments and Chinese bank accounts,” the US Department of Justice (DoJ) said at the time.
SentinelOne, which analyzed four new North Korean IT worker front companies, said they were all registered through NameCheap and claimed to outsource development, consulting and software, copying their content from legitimate companies:
- Independent Lab LLC (inditechlab(.)com), which copied the website format of the American company Kitrum
- Shenyang Tonywang Technology LTD (tonywangtech(.)com), which copied the website format of the American company Urolime
- Tony WKJ LLC (wkjllc(.)com), which copied the website format of the Indian company ArohaTech IT Services
- HopanaTech (hopanatech(.)com), which copied the format of the website of the American company ITechArt
Although the U.S. government seized all of the aforementioned sites on October 10, 2024, SentinelOne said it traced them to a larger, active network of shell companies originating in China.
Additionally, another company called Shenyang Huguo Technology Ltd (huguotechltd(.)com) was discovered to exhibit similar characteristics, including using copied content and logos from another Indian software firm, TatvaSoft. The domain was registered through NameCheap in October 2023.
“These tactics highlight a sophisticated and evolving strategy that uses the global digital economy to finance government activities, including weapons development,” the researchers said.
“Organizations are encouraged to implement robust vetting processes, including due diligence on potential contractors and suppliers, to reduce risk and prevent unwitting support for such illegal operations.”
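The two traits the report attributes to the front companies, a freshly registered domain and website copy lifted from a legitimate firm, are both things a procurement or security team can score mechanically during contractor vetting. The script below is an added example, not code from SentinelOne or The Hacker News: it flags a candidate vendor whose domain is less than a year old and whose "about us" text is a near-duplicate of a known legitimate company's, using word-shingle Jaccard similarity. Every domain name, registration date and piece of text in it is constructed for illustration; in practice the registration date would come from a WHOIS/RDAP lookup and the text from the vendor's site.

```python
"""
Added example (constructed data, not from the report): a vendor due-diligence
scorer that combines domain age with near-duplicate detection of website copy.
"""
from dataclasses import dataclass
from datetime import date
import re

SHINGLE_SIZE = 5          # words per shingle used for near-duplicate detection
YOUNG_DOMAIN_DAYS = 365   # registrations younger than this are flagged
COPY_THRESHOLD = 0.5      # Jaccard similarity at or above this counts as copied text


def shingles(text: str, k: int = SHINGLE_SIZE) -> set:
    """Return the set of k-word shingles of the lower-cased, tokenised text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 0))}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity of two sets; two empty sets are treated as dissimilar."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


@dataclass
class VendorRecord:
    domain: str
    registered: date       # registration date, obtained out-of-band (WHOIS/RDAP)
    about_text: str        # the vendor's own "about us" copy


def assess_vendor(vendor: VendorRecord, legit_sites: dict, today: date) -> dict:
    """Score one vendor against a corpus of known-legitimate company text."""
    findings = []
    age_days = (today - vendor.registered).days
    if age_days < YOUNG_DOMAIN_DAYS:
        findings.append(f"domain registered only {age_days} days ago")

    vendor_shingles = shingles(vendor.about_text)
    best_match, best_score = None, 0.0
    for legit_domain, legit_text in legit_sites.items():
        score = jaccard(vendor_shingles, shingles(legit_text))
        if score > best_score:
            best_match, best_score = legit_domain, score
    if best_score >= COPY_THRESHOLD:
        findings.append(f"about text is {best_score:.0%} similar to {best_match}")

    if len(findings) >= 2:
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"domain": vendor.domain, "risk": risk, "findings": findings,
            "best_match": best_match, "similarity": round(best_score, 2)}


# Constructed reference corpus: text from companies already known to be genuine.
LEGIT_SITES = {
    "legit-devshop.test": ("We deliver custom software development and consulting "
                           "services to enterprise clients across finance, "
                           "healthcare and retail."),
    "legit-mobile.test": ("Our team builds mobile applications for startups and "
                          "provides cloud migration support."),
}

# Constructed candidate vendors: one mirrors the legit-devshop copy almost verbatim.
SAMPLE_VENDORS = [
    VendorRecord("copied-front.test", date(2024, 6, 1),
                 "Hypothetical Corp delivers custom software development and "
                 "consulting services to enterprise clients across finance, "
                 "healthcare and retail."),
    VendorRecord("established-shop.test", date(2015, 3, 12),
                 "Family owned accounting firm serving local bakeries since "
                 "two thousand fifteen."),
]
TODAY = date(2024, 11, 1)  # constructed assessment date


def run_demo() -> dict:
    """Assess every sample vendor and return results keyed by domain."""
    return {v.domain: assess_vendor(v, LEGIT_SITES, TODAY) for v in SAMPLE_VENDORS}


if __name__ == "__main__":
    for result in run_demo().values():
        print(result["domain"], result["risk"], result["findings"])
```

The copied vendor scores about 0.67 against the legitimate site because only the opening shingles (the swapped-in company name) differ, while its 153-day-old registration supplies the second finding, so it is rated high; the long-established vendor with its own text is rated low. Thresholds are deliberately conservative so the output is a prompt for manual due diligence, not a verdict.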
The disclosure follows Unit 42’s findings that the North Korean IT worker activity cluster it calls CL-STA-0237 “has been involved in recent phishing attacks using video conferencing software infected with malware” to deliver the BeaverTail malware, which shows a connection between Wagemole and another intrusion set known as Contagious Interview.
CL-STA-0237 used a US small and medium business (SMB) IT services company to apply for other jobs, Unit 42 said. “In 2022, CL-STA-0237 was offered a position at a major technology company.”
While the exact nature of the relationship between the threat actor and the exploited company is unclear, it is believed that CL-STA-0237 either stole the company’s credentials or was hired as an outsourced employee and is now impersonating the company to secure IT jobs and target potential job seekers with malware under the guise of conducting an interview.
“North Korean threat actors have been very successful in generating profits to fund illicit activities within their country,” Unit 42 said, noting that the cluster likely operates out of Laos.
“They started by impersonating fake IT workers to ensure steady streams of income, but began to move into more aggressive roles, including engaging in insider threats and malware attacks.”