Threat actors with ties to the Democratic People’s Republic of Korea (DPRK) are impersonating U.S.-based software and technology consulting businesses in order to further their financial objectives as part of a broader information technology (IT) worker scheme.
“Front companies, often based in China, Russia, Southeast Asia, and Africa, play a key role in masking the workers’ true origins and managing payments,” SentinelOne security researchers Tom Hegel and Dakota Cary said in a report shared with The Hacker News.
North Korea’s network of IT workers, both in an individual capacity and under the cover of front companies, is seen as a technique to evade international sanctions imposed on the country and generate illicit revenues.
The global campaign, which is also tracked as Wagemole by Palo Alto Networks Unit 42, entails using forged identities to obtain employment at various companies in the U.S. and elsewhere, and send back a huge portion of their wages back to the Hermit Kingdom in an attempt to finance its weapons of mass destruction (WMD) and ballistic missile programs.
In October 2023, the U.S. government said it seized 17 websites that masqueraded as U.S.-based IT services companies in order to defraud businesses in the country and abroad by allowing IT workers to conceal their true identities and location when applying online to do remote work across the world.
The IT workers were found to be working for two companies based in China and Russia, namely Yanbian Silverstar Network Technology Co. Ltd. and Volasys Silver Star.
“These IT workers funneled income from their fraudulent IT work back to the DPRK through the use of online payment services and Chinese bank accounts,” the U.S. Department of Justice (DoJ) noted at the time.
SentinelOne, which analyzed four new DPRK IT Worker front companies, said they were all registered through NameCheap and claimed to be development outsourcing, consulting, and software businesses, while copying their content from legitimate companies –
- Independent Lab LLC (inditechlab[.]com), which copied its website format from a U.S.-based company called Kitrum
- Shenyang Tonywang Technology L TD (tonywangtech[.]com), which copied its website format from a U.S.-based company called Urolime
- Tony WKJ LLC (wkjllc[.]com), which copied its website format from an India-based company called ArohaTech IT Services
- HopanaTech (hopanatech[.]com), which copied its website format from a U.S.-based company called ITechArt
While all the aforementioned sites have since been seized by the U.S. government as of October 10, 2024, SentinelOne said it traced them back to a broader, active network of front companies originating from China.
Furthermore, it identified another company named Shenyang Huguo Technology Ltd (huguotechltd[.]com) exhibiting similar characteristics, including using copied content and logos from another Indian software firm TatvaSoft. The domain was registered via NameCheap in October 2023.
“These tactics highlight a deliberate and evolving strategy that leverages the global digital economy to fund state activities, including weapons development,” the researchers said.
“Organizations are urged to implement robust vetting processes, including careful scrutiny of potential contractors and suppliers, to mitigate risks and prevent inadvertent support of such illicit operations.”
The disclosure follows findings from Unit 42 that a North Korean IT worker activity cluster it’s calling CL-STA-0237 “was involved in recent phishing attacks using malware-infected video conference apps” to deliver the BeaverTail malware, indicating connections between Wagemole and another intrusion set known as Contagious Interview.
“CL-STA-0237 exploited a U.S.-based, small-and-medium-sized business (SMB) IT services company to apply for other jobs,” the company said. “In 2022, CL-STA-0237 secured a position at a major tech company.”
While the exact nature of the relationship between the threat actor and the exploited company is unclear, it’s believed that CL-STA-0237 either stole the company’s credentials or was hired as outsourced employee, and is now posing as the company to secure IT jobs and target potential job seekers with malware under the pretext of conducting an interview.
“North Korean threat actors have been highly successful in generating revenue to fund their nation’s illicit activities,” Unit 42 said, pointing out that the cluster likely operates from Laos.
“They began by posing as fake IT workers to secure consistent income streams, but they have begun transitioning into more aggressive roles, including participating in insider threats and malware attacks.”