
The U.S. Department of Justice (DOJ) on Monday announced a sweeping action targeting the North Korean Information Technology (IT) worker scheme, resulting in the arrest of one individual and the seizure of 29 financial accounts, 21 fraudulent websites and around 200 computers.
The coordinated action included searches of 21 known or suspected “laptop farms” across 14 US states. North Korean IT workers used these farms to connect remotely to victim networks through laptops issued by the hiring companies.
“The North Korean actors successfully obtained employment at more than 100 US companies with the support of individuals in the US, China, the United Arab Emirates and Taiwan,” the DOJ said.
North Korea’s IT worker scheme has become one of the key gears in the revenue generation machine of the Democratic People’s Republic of Korea (DPRK). The fraudulent operation, described as a state-sponsored crime syndicate by the cybersecurity company DTEX, involves using a mix of stolen and fictitious identities to obtain employment at US companies as remote IT workers.
Once hired, the IT workers receive regular salary payments and gain access to their employers’ proprietary information, including export-controlled US military technology and cryptocurrency. In one case, an IT worker is said to have secured a job at an unnamed Atlanta-based blockchain research and development company and stolen over $900,000 in digital assets.
North Korean IT workers pose a serious threat not only because they generate illicit income for the Hermit Kingdom through ostensibly legitimate work, but also because they weaponize their insider access to extort their employers, harvest sensitive data, steal funds and even leak the data they took.
“These schemes are designed to target and steal from US companies, evade sanctions and fund the North Korean regime’s illicit programs, including its weapons program,” said Assistant Attorney General John A. Eisenberg of the department’s National Security Division.
Last month, the DOJ said it had filed a civil forfeiture complaint in federal court targeting more than $7.74 million in cryptocurrency, non-fungible tokens (NFTs) and other digital assets linked to the global IT worker scheme.

“North Korea is intent on funding its weapons program by scamming American businesses and exploiting American victims of identity theft,” said Roman Rozhavsky, Assistant Director of the FBI’s Counterintelligence Division. “North Korean IT workers posing as US citizens were able to funnel hundreds of millions of dollars to North Korea’s authoritarian regime by fraudulently obtaining employment with American companies.”
Among the actions announced Monday is the arrest of Zhenxing “Danny” Wang of New Jersey, who has been accused of working with co-conspirators to run a multi-year fraud scheme against US companies that ultimately generated more than $5 million in revenue.
Other individuals who participated in the scheme include six Chinese and two Taiwanese nationals, among them Jing Bin Huang, Baoyu Zhou, Tong Yuze, Yongzhe Xu and Ziyou Yuan.
According to the indictment, the defendants and other co-conspirators used the identities of more than 80 US persons to obtain remote jobs at more than 100 US companies between 2021 and October 2024, coordinating the scheme with overseas co-conspirators and the IT workers themselves.
To make the remote workers appear to be based in the US, Wang and others received and hosted company-issued laptops at their residences and attached KVM (short for “keyboard-video-mouse”) over-IP switches such as PiKVM and TinyPilot, allowing the North Korean threat actors to operate those devices from abroad as if sitting in front of them.
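The laptop farm described above leaves little trace on the laptop itself, because a KVM-over-IP device presents the remote operator’s input as a locally attached keyboard and mouse; the more reliable signal lives in identity and network logs, since the laptop still egresses from the facilitator’s residential connection. The following is an added detection example written for this page, not code from the DOJ filings or from any vendor, and it generalises beyond the single case in the text: it scans sign-in records for two laptop-farm indicators, several employee accounts or devices authenticating from one egress IP, and a disagreement between the state HR has on file for an employee and where that egress IP geolocates. The log field names (`ts`, `user`, `src_ip`, `device_id`, `hr_state`), the sample records and the `GEO_STATE` table are all constructed assumptions; in practice the records would come from your SSO or VPN provider and the table from a GeoIP database.

```python
"""Laptop-farm triage over SSO/VPN sign-in records (added example).

Assumed log shape: one JSON object per line with the fields
ts, user, src_ip, device_id and hr_state. The records and the
GEO_STATE table below are constructed for the demo.
"""
import json
from collections import defaultdict

# Constructed sample: five different employees' company laptops all
# authenticate from one residential IP (203.0.113.7), plus one ordinary
# remote employee (b.jones) on his own connection.
SAMPLE_LOG = """
{"ts": "2024-10-01T13:02:11Z", "user": "j.doe",    "src_ip": "203.0.113.7",   "device_id": "LT-1042", "hr_state": "NJ"}
{"ts": "2024-10-01T13:05:40Z", "user": "a.smith",  "src_ip": "203.0.113.7",   "device_id": "LT-1077", "hr_state": "TX"}
{"ts": "2024-10-01T13:09:03Z", "user": "m.lee",    "src_ip": "203.0.113.7",   "device_id": "LT-1103", "hr_state": "CA"}
{"ts": "2024-10-01T13:15:27Z", "user": "r.patel",  "src_ip": "203.0.113.7",   "device_id": "LT-1140", "hr_state": "WA"}
{"ts": "2024-10-01T13:21:50Z", "user": "k.nguyen", "src_ip": "203.0.113.7",   "device_id": "LT-1155", "hr_state": "FL"}
{"ts": "2024-10-01T14:00:00Z", "user": "b.jones",  "src_ip": "198.51.100.22", "device_id": "LT-0990", "hr_state": "NJ"}
{"ts": "2024-10-01T14:30:00Z", "user": "b.jones",  "src_ip": "198.51.100.22", "device_id": "LT-0990", "hr_state": "NJ"}
{"ts": "2024-10-02T02:30:00Z", "user": "j.doe",    "src_ip": "203.0.113.7",   "device_id": "LT-1042", "hr_state": "NJ"}
"""

# Constructed stand-in for a GeoIP lookup: egress IP -> US state.
GEO_STATE = {"203.0.113.7": "NJ", "198.51.100.22": "NJ"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_shared_egress(records, min_users=3):
    """Return {src_ip: sorted users} for IPs from which at least min_users
    distinct accounts, or min_users distinct company devices, signed in.
    Many unrelated employees' laptops behind one residential IP is the
    network signature of a laptop farm."""
    users_by_ip = defaultdict(set)
    devices_by_ip = defaultdict(set)
    for r in records:
        users_by_ip[r["src_ip"]].add(r["user"])
        devices_by_ip[r["src_ip"]].add(r["device_id"])
    return {
        ip: sorted(users)
        for ip, users in users_by_ip.items()
        if len(users) >= min_users or len(devices_by_ip[ip]) >= min_users
    }


def find_location_mismatch(records, geo):
    """Return (user, src_ip, hr_state, geo_state) tuples, one per distinct
    user/IP pair, where the state HR has on file differs from where the
    egress IP geolocates. IPs missing from the geo table are skipped."""
    seen = set()
    out = []
    for r in records:
        key = (r["user"], r["src_ip"])
        if key in seen:
            continue
        seen.add(key)
        geo_state = geo.get(r["src_ip"])
        if geo_state is not None and geo_state != r["hr_state"]:
            out.append((r["user"], r["src_ip"], r["hr_state"], geo_state))
    return out


def triage(records, geo, min_users=3):
    """Combine both signals into one finding per shared-egress IP, listing
    which of the co-located accounts also fail the HR location check."""
    shared = find_shared_egress(records, min_users)
    mismatches = find_location_mismatch(records, geo)
    return {
        ip: {
            "users": users,
            "hr_mismatch": sorted(m[0] for m in mismatches if m[1] == ip),
        }
        for ip, users in shared.items()
    }


if __name__ == "__main__":
    for ip, finding in triage(parse_signins(SAMPLE_LOG), GEO_STATE).items():
        print(f"{ip}: {len(finding['users'])} accounts {finding['users']}; "
              f"HR location mismatch for {finding['hr_mismatch']}")
```

Run it directly to print the findings. `min_users` is the knob to tune: two employees of the same company in one household is plausible, five company laptops behind one consumer IP is not. Treat the HR mismatch as corroboration rather than a standalone alert, since travelling employees trigger it too; the combination of co-location and mismatch is what warrants a call to the employee and a look at what is physically plugged into the laptop.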
“Kejia Wang and Zhenxing Wang also set up shell companies with corresponding websites and financial accounts, such as Hopana Tech LLC, Tony WKJ LLC and Independent Lab LLC, to make it appear that the overseas IT workers were affiliated with legitimate US businesses,” the DOJ said. “Kejia Wang and Zhenxing Wang established these and other financial accounts to receive money from the victimized US companies, much of which was subsequently transferred to overseas co-conspirators.”
In return for these services, Wang and his co-conspirators are estimated to have received more than $696,000 from the IT workers.
Separately, the Northern District of Georgia unsealed a five-count wire fraud and money laundering indictment charging four North Korean nationals: Kim Kwang Jin, Kang Tae Bok, Jong Pong Ju and Chang Nam Il.
Court documents allege that the defendants traveled to the United Arab Emirates on North Korean documents in October 2019 and worked together as a team. Between December 2020 and May 2021, Kim Kwang Jin and Jong Pong Ju were hired as developers by a blockchain company and a Serbian virtual token company, respectively. The Serbian company then hired Chang Nam Il on Jong Pong Ju’s recommendation.
After Kim Kwang Jin and Jong Pong Ju had gained their employers’ trust and been assigned projects that granted them access to the companies’ crypto assets, they began stealing those assets in February and March 2022.
The stolen proceeds were then laundered through a cryptocurrency mixer and eventually transferred to cryptocurrency exchange accounts controlled by Kang Tae Bok and Chang Nam Il. According to the DOJ, these accounts were opened using fraudulent Malaysian identification documents.
“These arrests are a powerful reminder that the threat posed by DPRK IT workers goes beyond revenue generation,” Michael “Barni” Barnhart, DTEX principal i3 insider risk investigator, told The Hacker News in a statement. “Once they are in, they can engage in malicious activity from inside trusted networks, posing serious risks to national security and to businesses around the world.”
“The U.S. government action [...] is absolutely top notch and an important step toward disrupting this threat. DPRK actors use front companies and trusted third parties to slip past traditional hiring protections, including observed cases in sensitive sectors such as government and the defense industrial base. Organizations need to reassess trust across the entire talent pipeline, beyond the applicant portal, because the threat adapts as we do.”
Microsoft suspends 3,000 email accounts tied to IT workers
Microsoft, which has tracked the IT worker threat since 2020 under the moniker Jasper Sleet (formerly Storm-0287), said it has suspended 3,000 known Outlook/Hotmail accounts created by the threat actors as part of a broader effort to disrupt North Korea’s cyber operations. The activity cluster is also tracked as Nickel Tapestry, Wagemole and UNC5267.
The worker fraud scheme starts with the workers crafting identities that match the geographic footprint of the target organization, then giving those identities a digital footprint through social media profiles and fabricated portfolios, lending the personas a veneer of legitimacy on developer-oriented platforms like GitHub.

The tech giant has also called out the IT workers’ use of artificial intelligence (AI) tools to polish their employment profiles and alter their voices so that they appear more authentic to employers. The IT workers have further been observed setting up fake profiles on professional networking platforms, communicating with recruiters and applying for jobs.
“These highly skilled workers are mostly located in North Korea, China and Russia, and use tools such as virtual private networks (VPNs) and remote monitoring and management (RMM) tools, together with witting accomplices, to hide their location and identity,” Microsoft said.

Another notable Jasper Sleet tactic is recruiting facilitators through job postings disguised as remote work partnerships. The facilitators help the IT workers secure employment, pass identity checks and work remotely. As the relationship with a facilitator deepens, the facilitator may also be tasked with opening bank accounts for the IT workers or buying mobile numbers or SIM cards.
Witting accomplices are also responsible for getting the IT workers’ fake identities through employment verification, using online background check providers. Documents submitted include fake or stolen driver’s licenses, Social Security cards, passports and permanent resident cards.
To counter the threat, Microsoft said it has developed a custom machine learning solution that draws on its own threat intelligence to surface suspicious accounts exhibiting known DPRK tradecraft for follow-up action.
“North Korea’s fraudulent remote worker scheme has evolved into a well-developed business that allows remote North Korean workers to infiltrate technology-related roles across a variety of industries,” Redmond said. “In some cases, victim organizations have even reported that the remote IT workers were among their most talented employees.”