north-korea-sanctions 19 May 2022

DPRK IT workers ‘posing as non-North Korean nationals’ warning

The US departments of State and Treasury, and the Federal Bureau of Investigation, have published an advisory document intended, they say, ‘for the international community, the private sector, and the public’ which warns of ‘attempts by [North Korean or ‘DPRK’] information technology (IT) workers to obtain employment while posing as non-North Korean nationals.’

The advisory warns of reputational risks and ‘the potential for legal consequences, including sanctions designation under U.S. and United Nations (UN) authorities, for individuals and entities engaged in or supporting DPRK IT worker-related activity and processing related financial transactions.’

It says that the DPRK ‘dispatches thousands of highly skilled IT workers around the world to generate revenue that contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions. These IT workers take advantage of existing demands for specific IT skills, such as software and mobile application development, to obtain freelance employment contracts from clients around the world, including in North America, Europe, and East Asia.’

In many cases, it says, ‘DPRK IT workers represent themselves as U.S.-based and/or non-North Korean teleworkers. The workers may further obfuscate their identities and/or location by sub-contracting work to non-North Koreans.’

It notes that while these workers are distinct from those who engage in ‘malicious cyber activity,’ they have nonetheless ‘used the privileged access gained as contractors to enable the DPRK’s malicious cyber intrusions [and] there are likely instances where workers are subjected to forced labor.’

In a ‘red flag indicator’ section it states: ‘Freelance work and payment platform companies should be aware of the following activity that may be indications or behaviors of DPRK IT workers who may be using their platforms:

  • Multiple logins into one account from various IP addresses in a relatively short period of time, especially if the IP addresses are associated with different countries;
  • Developers are logging into multiple accounts on the same platform from one IP address;
  • Developers are logged into their accounts continuously for one or more days at a time;
  • Router port or other technical configurations associated with use of remote desktop sharing software, such as port 3389 in the router used to access the account, particularly if usage of remote desktop sharing software is not standard company practice;
  • Developer accounts use a fraudulent client account to increase developer account ratings, but both the client and developer accounts use the same PayPal account to transfer/withdraw money (paying themselves with their own money);
  • Frequent use of document templates for things such as bidding documents and project communication methods, especially the same templates being used across different developer accounts;
  • Multiple developer accounts receiving high ratings from one client account in a short period, with similar or identical documentation used to establish the developer accounts and/or the client account;
  • Extensive bidding on projects, and a low number of accepted project bids compared to the number of projects bids on by a developer; and
  • Frequent transfers of money through payment platforms, especially to PRC-based bank accounts, and sometimes routed through one or more companies to disguise the ultimate destination of the funds.’
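Several of the indicators above are mechanical enough to be checked against platform telemetry. The following Python script is an added example, not code from the advisory or from any platform, showing how the first, second, third and fifth indicators translate into detection logic over login, session and payment records. All records, account names, IP addresses (RFC 5737 documentation ranges), payout identifiers, field layouts and thresholds (a 24-hour window, a 24-hour session) are constructed assumptions for illustration; the output is a triage list for analyst review, not a verdict, since shared IPs and long sessions also arise from corporate NAT and forgotten browser tabs.

```python
"""Triage of constructed freelance-platform telemetry against four of the
advisory's red flags. Added example; all data, field names and thresholds
below are assumptions, not real platform logs or the advisory's own tooling."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login records: (account, ip, geolocated country, ISO timestamp).
LOGINS = [
    ("dev_a", "203.0.113.10", "US", "2022-05-01T08:00:00"),
    ("dev_a", "198.51.100.7", "CN", "2022-05-01T09:30:00"),   # second country within 90 min
    ("dev_a", "203.0.113.10", "US", "2022-05-01T11:00:00"),
    ("dev_b", "192.0.2.44",   "DE", "2022-05-01T10:00:00"),
    ("dev_c", "192.0.2.44",   "DE", "2022-05-01T10:05:00"),   # same IP as dev_b
    ("dev_d", "203.0.113.99", "US", "2022-05-01T12:00:00"),
    ("dev_d", "203.0.113.99", "US", "2022-05-03T12:00:00"),   # one country, two days apart: benign
]

# Constructed session records: (account, session start, session end).
SESSIONS = [
    ("dev_a", "2022-05-01T08:00:00", "2022-05-02T13:00:00"),  # 29 hours without logging out
    ("dev_b", "2022-05-01T10:00:00", "2022-05-01T18:00:00"),
]

# Constructed payments: (client account, developer account,
#                        client's payout account id, developer's payout account id).
PAYMENTS = [
    ("client_x", "dev_a", "pp-111", "pp-111"),   # both sides share one payout account
    ("client_y", "dev_b", "pp-222", "pp-333"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def multi_country_logins(logins, window=timedelta(hours=24)):
    """Accounts whose logins inside any `window` span more than one country
    (indicator 1: many logins from IPs in different countries in a short time)."""
    by_acct = defaultdict(list)
    for acct, _ip, country, ts in logins:
        by_acct[acct].append((parse(ts), country))
    flagged = set()
    for acct, events in by_acct.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - t0 <= window}
            if len(countries) > 1:
                flagged.add(acct)
                break
    return sorted(flagged)


def shared_ips(logins):
    """IPs from which more than one developer account logged in (indicator 2)."""
    accts = defaultdict(set)
    for acct, ip, _country, _ts in logins:
        accts[ip].add(acct)
    return {ip: sorted(a) for ip, a in accts.items() if len(a) > 1}


def long_sessions(sessions, min_length=timedelta(hours=24)):
    """Accounts with a single continuous session of at least `min_length` (indicator 3)."""
    return sorted({a for a, s, e in sessions if parse(e) - parse(s) >= min_length})


def self_dealing(payments):
    """Client/developer pairs whose payout accounts are identical, i.e. the
    client paying the developer out of the developer's own money (indicator 5)."""
    return [(c, d) for c, d, cp, dp in payments if cp == dp]


def triage(logins=LOGINS, sessions=SESSIONS, payments=PAYMENTS):
    """Run every check and return the hits for analyst review."""
    return {
        "multi_country_logins": multi_country_logins(logins),
        "shared_ips": shared_ips(logins),
        "long_sessions": long_sessions(sessions),
        "self_dealing": self_dealing(payments),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {hits}")
```

On the sample data this flags dev_a three times (two countries inside 24 hours, a 29-hour session, and a client that pays it from its own payout account) and pairs dev_b with dev_c on one IP, while dev_d's two US logins two days apart produce nothing. In practice each hit is one input to a review queue that should be combined with the documentary indicators (reused templates, identical onboarding paperwork, bid-to-award ratio) rather than acted on alone.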

See the advisory at: https://home.treasury.gov/system/files/126/20220516_dprk_it_worker_advisory.pdf