North Korean IT professionals seeking employment in Western computer businesses are employing sophisticated deception, including phony names, fraudulent LinkedIn accounts, forged work papers, and phony interview scripts.
According to documents examined by Reuters and an interview with a former North Korean IT worker and cybersecurity researchers, landing a job outside North Korea to surreptitiously earn hard currency for the reclusive government requires highly sophisticated techniques to persuade Western hiring managers.
According to the United States, South Korea, and the United Nations, North Korea has sent thousands of IT workers abroad in an effort to raise millions of dollars to fund Pyongyang’s nuclear missile program.
“People are free to express ideas and opinions,” reads one interview script used by North Korean software developers that offers suggestions for how to describe a “good corporate culture” when asked. Expressing one’s thoughts freely could be met with imprisonment in North Korea.
The 30-page scripts were uncovered by researchers at Palo Alto Networks, a U.S. cybersecurity firm that discovered a cache of internal documents online detailing the operations of North Korea’s remote IT workers.
The records include dozens of fake resumes, internet profiles, interview notes, and false identities used by North Korean workers to qualify for software development positions.
Reuters discovered more evidence in leaked dark web data that highlighted some of the tools and strategies used by North Korean laborers to persuade companies to hire them in Chile, New Zealand, the United States, Uzbekistan, and the United Arab Emirates.
The records and data show how hard North Korean authorities worked to ensure the success of a plan that has become a major source of foreign money for the cash-strapped state.
The North Korean delegation to the United Nations did not respond to a request for comment.
North Korean IT workers exploit remote opportunities
Remote IT workers can make more than ten times what a traditional North Korean laborer working overseas in construction or other manual occupations earns, according to the US Justice Department (DOJ), and teams of them can earn more than $3 million per year.
Reuters was unable to determine how much money the plan has earned over time.
Some of the scripts, which are intended to prepare workers for interview questions, include justifications for needing to work remotely.
“Richard”, a senior embedded software developer, said, “I (flew) to Singapore several weeks ago. My parents got COVID-19 and I (decided) to be with family members for a while. Now, I am planning to go back to Los Angeles in three months. I am thinking that I could start work remotely right now, and then I will be on board when I go back to LA.”
The former North Korean IT worker examined the scripts, data, and documents and said they showed exactly what he had been doing, because he recognized the approaches and techniques employed.
“Once I was hired, I would create another fake profile to get a second job,” said the worker, who spoke on condition of anonymity, citing security concerns.
The Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) seized 17 website domain names and $1.5 million in funds from North Korean IT workers in October.
North Korean coders working at U.S. corporations used pseudonymous email and social media accounts to generate millions of dollars every year for sanctioned North Korean entities, according to the DOJ.
“There is a risk to the North Korean government, as these privileged workers are exposed to dangerous realities about the world and their country’s enforced backwardness,” said Sokeel Park of Liberty in North Korea (LINK), an organization that works with defectors.
Cash on hand
According to the US government, North Korean IT workers are primarily found in China and Russia, with others in Africa and Southeast Asia, and can make up to $300,000 per year.
According to the former IT worker’s experience, everyone is expected to earn at least $100,000, of which 30–40% is repatriated to Pyongyang, 30–60% is spent on overhead fees, and 10–30% is pocketed by workers.
He guessed that there were 3,000 more like him in the world, with another 1,000 in North Korea.
“I worked to earn foreign currency,” he told Reuters. “It differs between people, but, basically, once you get a remote job, you can work for as little as six months or as long as three to four years.”
“When you can’t find a job, you freelance.”
The researchers, who are part of Palo Alto’s Unit 42 cyber research branch, made the discovery while investigating a North Korean hacking campaign that targeted software developers.
According to Unit 42, one of the hackers left the documents exposed on a server, indicating that there are links between North Korea’s hackers and its IT professionals. The defector, however, stated that espionage campaigns were only for a select few: “Hackers are trained independently. Those missions do not come to people like us,” he explained.
There is still some crossover. The Department of Justice and the FBI have warned that North Korean IT workers may use their access to hack their employers, and some of the leaked resumes indicated experience with cryptocurrency firms, a sector that North Korean hackers have long targeted.
Fraudulent identities
According to data from Constella Intelligence, an identity investigation agency, one of the workers had accounts on over 20 freelancing websites in the United States, the United Kingdom, Japan, Uzbekistan, Spain, Australia, and New Zealand.
The worker did not respond to an emailed request for comment.
Based on data gathered from leaks on the dark web, Reuters discovered an account on a website providing digital templates for producing realistic-looking phony identification documents, including US driving licenses, visas, and passports.
Unit 42 discovered resumes for 14 different identities, a forged US green card, interview scripts, and proof that some workers purchased access to authentic web profiles in order to appear more genuine.
The “Richard” in Singapore looking for remote IT employment appeared to be referring to a fake profile called “Richard Lee”, the same name as on the green card. The Department of Homeland Security in the United States did not respond to a request for comment.
According to Reuters, there is a LinkedIn account for a Richard Lee with an identical profile photo and experience at Jumio, a digital identity verification startup.
“We do not have any records of Richard Lee having been a current or former employee of Jumio,” a Jumio spokesperson said. “Jumio does not have any evidence to suggest the company has ever had a North Korean employee within its workforce.”
Reuters reached out to the LinkedIn account for comment but received no answer. Following requests for comment from Reuters, LinkedIn deleted the account.
“Our team uses information from a variety of sources to detect and remove fake accounts, as we did in this case,” a spokeswoman for the company said.