Ethical Hacking News

North Korean Front Companies Impersonate U.S. IT Firms to Fund Missile Programs: A Global Cybercrime Scheme Exposed



North Korea's network of IT workers is impersonating U.S.-based companies to fund its missile programs. In a recently exposed cybercrime scheme, threat actors use forged identities to obtain employment at companies in the U.S. and elsewhere and send a large portion of their wages back to the Hermit Kingdom. The operation reflects a deliberate and evolving strategy that leverages the global digital economy to fund state activities, including weapons development.

  • North Korea uses a network of IT workers to evade international sanctions and generate illicit revenue.
  • The IT workers impersonate U.S.-based software companies to obtain employment and send funds back to North Korea.
  • The scheme relies on forged identities, online payment services, and Chinese bank accounts to funnel income back to the Hermit Kingdom.
  • U.S. authorities have seized 17 websites that masqueraded as U.S.-based IT services companies and were used to defraud businesses in the U.S. and abroad.
  • SentinelOne traced the front companies to a broader, still-active network originating from China.
  • A further company, Shenyang Huguo Technology Ltd, exhibited the same characteristics; its domain was registered via NameCheap in October 2023.
  • A North Korean IT worker cluster has also been tied to phishing attacks that use malware-infected video conferencing apps to deliver the BeaverTail malware.



    North Korea's network of IT workers, operating both individually and under the cover of front companies, is seen as a technique to evade the international sanctions imposed on the country and to generate illicit revenue. According to recent findings by SentinelOne security researchers Tom Hegel and Dakota Cary, threat actors with ties to the Democratic People's Republic of Korea (DPRK) are impersonating U.S.-based software and technology consulting businesses in order to further their financial objectives as part of a broader information technology (IT) worker scheme.

    The scheme entails using forged identities to obtain employment at companies in the U.S. and elsewhere, and sending a large portion of the wages back to the Hermit Kingdom to finance its weapons of mass destruction (WMD) and ballistic missile programs. Palo Alto Networks Unit 42 tracks this IT worker operation as Wagemole.

    Front companies based in China, Russia, Southeast Asia, and Africa play a key role in masking the workers' true origins and managing payments. These tactics highlight a deliberate and evolving strategy that leverages the global digital economy to fund state activities, including weapons development.

    In October 2023, the U.S. government said it had seized 17 websites that masqueraded as U.S.-based IT services companies. The sites allowed the IT workers to conceal their true identities and location when applying online for remote work around the world, defrauding businesses in the U.S. and abroad.

    The IT workers were found to be working for two companies based in China and Russia, Yanbian Silverstar Network Technology Co. Ltd. and Volasys Silver Star, respectively. The workers funneled income from their fraudulent IT work back to the DPRK through online payment services and Chinese bank accounts.

    SentinelOne, which analyzed four new DPRK IT worker front companies, said all four were registered through NameCheap and claimed to be development outsourcing, consulting, and software businesses, while copying their content from legitimate companies: Independent Lab LLC (inditechlab.com), Shenyang Tonywang Technology LTD (tonywangtech.com), Tony WKJ LLC (wkjllc.com), and HopanaTech (hopanatech.com).

    All four sites had been seized by the U.S. government as of October 10, 2024, but SentinelOne said it traced them back to a broader, still-active network of front companies originating from China.

    Furthermore, it identified another company, Shenyang Huguo Technology Ltd (huguotechltd.com), exhibiting the same characteristics, including content and logos copied from the Indian software firm TatvaSoft. The domain was registered via NameCheap in October 2023.

    The disclosure follows findings from Unit 42 that a North Korean IT worker activity cluster it tracks as CL-STA-0237 "was involved in recent phishing attacks using malware-infected video conference apps" to deliver the BeaverTail malware, indicating connections between Wagemole and another intrusion set known as Contagious Interview.

    CL-STA-0237 exploited a U.S.-based small and medium-sized business (SMB) IT services company to apply for other jobs. In 2022, the cluster secured a position at a major tech company.

    While the exact nature of the relationship between the threat actor and the exploited company is unclear, it is believed that CL-STA-0237 either stole the company's credentials or was hired as an outsourced employee, and is now posing as the company both to secure IT jobs and to target job seekers with malware under the pretext of conducting an interview.

    Unit 42 pointed out that North Korean threat actors have been highly successful in generating revenue to fund their nation's illicit activities. They began by posing as IT workers to secure consistent income streams, but have since transitioned into more aggressive roles, including insider threats and malware attacks.



    Related Information:

  • https://thehackernews.com/2024/11/north-korean-front-companies.html

  • https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/

  • https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-job-seekers-as-fake-recruiters/


  • Published: Thu Nov 21 06:44:39 2024 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.