North Korean IT Workers Exploiting GitHub to Attack Organizations Worldwide

A sophisticated network of suspected North Korean IT workers has been discovered leveraging GitHub to create false identities and secure remote employment opportunities in Japan and the United States.

These operatives pose as Vietnamese, Japanese, and Singaporean professionals, primarily targeting engineering and blockchain development positions.

Their ultimate objective appears to be generating foreign currency to support North Korea’s ballistic missile and nuclear programs.

The elaborate scheme involves repurposing and enhancing existing GitHub accounts to establish technical credibility while deliberately avoiding social media presence that might expose their true identities.

At least two of these personas have successfully infiltrated small companies, raising concerns about the extent of this operation and the potential security implications.

Rewterz researchers identified consistent patterns among these DPRK-affiliated workers, noting they typically claim expertise in web and mobile app development, multiple programming languages, and blockchain technology.

Their research uncovered email addresses containing recurring elements such as “116” and “dev,” which helped connect various personas to a coordinated network.

Investigation revealed sophisticated GitHub manipulation techniques where accounts fabricate contribution histories through co-authored commits with previously identified DPRK-linked profiles.

For example, the account “nickdev0118” was discovered collaborating with “AnacondaDev0120,” another suspected North Korean profile, revealing their coordinated activities.

Technical Indicators of Compromise

The most compelling case study involves “Huy Diep” (also known as “HuiGia Diep”), who secured a software engineering position at Japanese company Tenpct Inc. Analysis of his GitHub repositories showed common characteristics with other DPRK-linked accounts, including repository naming conventions and commit timing patterns.

Investigators found evidence of digital manipulation where the persona’s face was superimposed onto stock photos to create an illusion of professional legitimacy.

Companies are urged to implement stronger verification processes for remote developers by scrutinizing GitHub histories for unnatural activity patterns, analyzing repository creation dates, and conducting live coding tests rather than relying solely on portfolio submissions.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free