By Maria de Almeida, HRNK Research Intern
Edited by Diletta De Luca, HRNK Research Associate

Introduction: North Korea’s Cyber Operations
North Korea has increasingly relied on sophisticated cyber operations to evade international sanctions and fund its nuclear and missile programs. The regime employs thousands of IT workers abroad under false identities, exploiting the global IT outsourcing market to generate income through illicit means.[1] These cyber activities date back to the 1991 Gulf War, which prompted the establishment of organizations such as the Reconnaissance General Bureau and Bureau 121 to conduct cyber espionage and theft.[2] As a result, cybercrime has become a crucial revenue source, with North Korean hackers reportedly stealing up to $2 billion while operating anonymously and effectively to support the regime's military ambitions.[3]

Growing Technological Proficiency & The Mechanisms of Deception

The growth of cybercrime and the use of IT workers have profoundly transformed the country’s education and economic system, with a heavy focus on information technology. Post-secondary institutions in North Korea produce more than 300 graduates yearly who specialize in hacking, cyber warfare, and other technological proficiencies.[4] They are sent abroad by officers of units such as Bureau 121 to countries with less stringent enforcement of international sanctions, such as China, Russia, or Southeast Asian nations. By operating from these locations, they can conduct cyber operations, including hacking financial institutions or cryptocurrency exchanges, without drawing immediate attention from international authorities.
They also often use VPNs and residential proxies to obscure their locations, making it difficult for companies to detect their true IP addresses.[5] Additionally, they resort to various deceptions to establish credibility, such as forging documents and identities, creating fake professional profiles on platforms like LinkedIn, and hiring nationals of the target country to pose as them in interviews and meetings.[6][7] This mode of operation is part of a larger strategy that combines social engineering, loopholes in the financial system, and showy cyber-attacks. At the same time, the quality of work produced by North Korean IT professionals is constantly improving, leading to their growing reputation in the global market.[8] Furthermore, the COVID-19 pandemic and the shift to remote work facilitated the hiring of North Korean workers abroad, especially in China and Russia. In recent months, North Koreans have used advanced coding languages, AI-generated images, stolen identities, and other digital ruses to gain employment, obtain access to company data, and infiltrate the networks of Western targets.[9][10] In other words, their technical capabilities are dynamic and adaptable to a changing cyberspace. As the DPRK's cyber capabilities continue to improve, so does the international threat landscape, creating new and complex challenges for international security.

North Korea’s Objectives

1. Revenue Generation Strategy

North Korea's deployment of IT workers is driven by a strategic need to generate revenue in the face of crippling international sanctions. For several years now, North Korea has been shut out of traditional sources of hard currency earnings, above all the weapons sales that financed its military capability.[11] The regime turned to the global IT outsourcing market to compensate for this shortfall.
Since as early as 2015, North Korea has used the remote work model to infiltrate companies across the world, with reports from South Korean and U.S. authorities suggesting that thousands of North Korean IT workers are now deployed worldwide, many of whom bring in more than $300,000 each annually by securing employment under false identities.[12] As the IT market is expected to surpass $500 billion by 2024,[13] it is little wonder that the DPRK's military ambitions – its nuclear weapons and missile programmes – have been firmly underpinned by this flow of hard currency.

2. Access to Sensitive Information & Potential for Extortion

The implications of North Korea's access to sensitive information are significant. The regime's focus on critical information is reflected in its targeting of the defence, pharmaceutical, and technology sectors. In 2016, North Korean hackers compromised the South Korean Defense Integrated Data Center, stealing 234 gigabytes of classified military documents, including war plans.[14] Such intelligence improves North Korea's defence posture by offering insights into its adversaries' contingency plans. Likewise, the regime has sought information on nuclear technologies. In 2019, the Kimsuky hacking group breached the network of the Kudankulam nuclear power plant in India to obtain proprietary information on thorium-based reactors, thorium being an element widely found in North Korea.[15] These activities show that its operatives often focus on obtaining national security information that can benefit North Korea's military strategies. The potential for extortion is particularly acute, as these workers also have access to critical company systems.
Targeting banks via cryptocurrency exchanges exploits the decentralized nature of cryptocurrency – it is difficult to trace and can often be quickly converted into other forms of cash.[16] The FBI has reported cases in which North Korean workers, after being discovered and fired, threatened companies with extortion, leveraging the access they had to high-value code or critical systems.[17] This kind of ransomware-style extortion is potentially even more pernicious, combining established criminal playbooks with the unique capabilities that come with their positions.[18]

The Advantages of the IT Market

1. Low Detection Risk

One reason North Korean cyber operations pose a low detection risk is that the regime sends IT workers overseas to conduct cyber operations in a manner meant to give the impression that they are foreign nationals. By operating from territory outside the Korean Peninsula, North Korean hackers can launch attacks that do not clearly implicate their country, making attribution and investigation substantially more challenging for both the private sector and law-enforcement agencies.[19] One common deceptive tactic is using proxy servers and compromised networks in third countries so that attacks pass through a third party and the hackers' fingerprints are obscured. This further complicates legal jurisdiction, as it creates ambiguity about which nation's laws apply to the cyber activities being conducted.
This obfuscation makes it challenging for law enforcement agencies to pursue legal action, as the attacks may originate from a location that has no clear ties to the perpetrators or that does not cooperate with investigations.[20] For example, in the 2016 Bangladesh Bank hack, North Korean hackers issued unauthorized transactions through the SWIFT system using multiple international servers, hiding behind other countries’ networks.[21] North Korean operatives also probe cybersecurity weaknesses around the world. Countries with weaker defences, such as those in Southeast Asia, much of Africa, and Latin America, serve as easy staging grounds for penetrating other countries.[22][23] Tracing attacks back through these developing countries remains challenging, making them a “safe space” for North Korean cyber operations. North Korean hackers reportedly operate from China and Russia, too. In these cases, the operatives can blend into local populations and exploit less developed cybersecurity infrastructure.[24]

2. Facilitation by Foreign Individuals

A key component of North Korea’s cybercrime involves foreign nationals who, knowingly or unknowingly, help North Korean operatives obtain jobs and access sensitive corporate networks. Such facilitators are able to circumvent security measures designed to prevent the hiring of foreign workers: they set up fabricated domestic addresses where company equipment can be shipped and where infrastructure can be established to make it appear as though the North Koreans are working from inside the country; they open domestic bank accounts for payroll purposes; they help with job searches using stolen or forged IDs; and they even attend virtual interviews with prospective employers on the North Korean workers’ behalf to obscure their identities.[25][26] One example in the U.S. involved a ‘laptop farm’ – a collection of computers hosted at a U.S. address on behalf of North Korean workers, which provided the network connections through which they appeared to their employers as U.S.-based staff. Others are involved in creating fake identities on U.S.-based freelancer sites and winning lucrative ‘gigs’ from U.S. clients. In all these cases, the key ingredient of North Korean success against the U.S. was U.S.-based facilitators, many of whom were motivated by ideology or by a fundamental failure to distinguish right from wrong.[27][28]

3. Cryptocurrency as a Target and Tool

North Korea's IT workers play a crucial role in the regime's financial operations, strategically allocating and moving funds through cryptocurrencies. These digital currencies have become the most important international currency for the regime, enabling workers to be paid and funds to be moved in ways that confound international investigators. The regime then recycles the money to finance its own development programmes, weapons of mass destruction, and military programmes.[29]

The Human Rights Abuses

The broader context of these cyber operations is deeply rooted in North Korea's systematic human rights abuses. Although there are few if any sources on the specific abuses IT workers endure, much has been documented about the overall exploitation of North Korean workers.[30] They are simultaneously depicted as valuable contributors to the global economy and as victims of exploitation and coercion by the paternalistic regime that confines them. DPRK workers experience forced labour, unfair working conditions, and psychological or emotional harm, all under the control of the Kim regime.[31] Perhaps the most flagrant abuse is their condition as forced labourers. Workers may be sent abroad coercively, and their selection for the work assigned is based on personal connections and loyalty to the regime rather than professional qualifications.
Those who refuse or try to escape face persecution, imprisonment, or even execution for treason.[32] Besides working long hours and living in harsh conditions, they never receive a substantial share of their earnings, which is sent directly to the government, further cementing the workers’ dependence on the regime and funding the regime’s chosen priorities – including its nuclear weapons programme.[33] The psychological burden is high, with a prevalence of mental health issues due to the secretive nature of their work, which leaves them in constant fear of being outed as defectors. Isolation and the absence of supportive networks intensify emotional distress and induce a sense of hopelessness.[34] Exacerbating their situation is the fact that North Korean workers abroad are often not legally registered in the countries where they work, or they are employed in nations that do not adhere to international labour standards, such as China and Russia. As a result, these workers lack any real legal recourse in the face of mistreatment or abuse. Even when local officials are aware of these violations, they may be bribed to turn a blind eye.[35] Additionally, North Korean workers tend to remain secretive and have no viable means of reporting labour or human rights violations to local authorities.[36] Thus, a lack of legal redress creates a culture of impunity.

Broader Impacts for Business and Global Cybersecurity

North Korea’s infiltration of IT workers into global businesses poses significant cybersecurity risks, including data theft, intellectual property theft, ransomware attacks, and potential control over critical infrastructure.
Companies employing these operatives, knowingly or unknowingly, face legal liabilities, severe fines, and reputational damage for violating sanctions.[37][38] This highlights the need for rigorous identity verification, employment vetting, and regulatory compliance through due diligence and proper training. Additionally, North Korea’s tactics expose broader vulnerabilities in global cybersecurity and may inspire similar actions by other malicious actors. The erosion of trust and security has global ramifications: if a business computer is hacked on the other side of the world, the consequences can cascade through its supply chains and erode customer trust everywhere. The shift to remote work has intensified these risks, as companies often prioritize speed over thorough vetting, allowing North Korean operatives to exploit gaps in security.[39]

Mitigating the Threat

To mitigate the risks of hiring North Korean IT workers, companies should adopt a comprehensive security strategy that includes layered counterintelligence checks, identity verification during recruitment and onboarding, training HR staff on the threat, and fostering a culture of vigilance.[40][41] Critical measures include monitoring networks for unusual activity, auditing third-party staffing practices, and staying informed about advisories from government agencies. In response, South Korea, Japan, and the U.S. have committed to intelligence sharing and the creation of senior-level working groups for consultation and coordination on cyber-related matters.[42] Coordinated sanctions targeting North Korean entities and individuals engaged in cybercriminal activity have also been issued by the U.S. and the E.U.[43] Finally, enhancing public-private partnerships to bolster business defences and investing in robust cybersecurity infrastructure will further support these efforts.
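As an added illustration of the onboarding and network checks listed above (example code written for this page, not HRNK's or any vendor's tooling), the following Python script scores constructed hire records against the red flags this paper describes: equipment shipped to an address other than the stated residence, one address serving several remote hires, payroll routed to a bank outside the employment country, an interviewee who does not match the identity documents, and logins from ranges the organisation has tagged as VPN or residential-proxy egress. The hire records, addresses and IP ranges are all constructed.

```python
"""Onboarding-consistency review for remote hires (added example; constructed data)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed: egress ranges this organisation has tagged as commercial VPN or
# residential-proxy exits (documentation prefixes, not real proxy providers).
TAGGED_PROXY_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]


@dataclass
class Hire:
    name: str
    stated_city: str            # city the candidate claims to live in
    laptop_ship_address: str    # where company equipment was delivered
    payroll_bank_country: str   # ISO country of the payroll account
    employment_country: str     # country the role is contracted in
    interview_face_match: bool  # live interviewee matched the ID photo on file
    login_ips: list = field(default_factory=list)  # source IPs of recent logins


def flags_for(h: Hire, address_counts: dict) -> list:
    """Return the red flags raised by one hire record."""
    flags = []
    if h.stated_city.lower() not in h.laptop_ship_address.lower():
        flags.append("equipment shipped outside stated residence")
    if address_counts.get(h.laptop_ship_address, 0) > 1:
        flags.append("equipment address shared by several remote hires (possible laptop farm)")
    if h.payroll_bank_country != h.employment_country:
        flags.append("payroll account outside employment country")
    if not h.interview_face_match:
        flags.append("interviewee did not match identity documents")
    proxy_hits = [ip for ip in h.login_ips
                  if any(ip_address(ip) in net for net in TAGGED_PROXY_RANGES)]
    if proxy_hits:
        flags.append("logins from tagged VPN/proxy ranges: " + ", ".join(proxy_hits))
    return flags


def review(hires: list) -> dict:
    """Map each hire's name to its list of flags; an empty list means no findings."""
    address_counts = {}
    for h in hires:
        address_counts[h.laptop_ship_address] = address_counts.get(h.laptop_ship_address, 0) + 1
    return {h.name: flags_for(h, address_counts) for h in hires}


# Constructed sample records: one consistent hire and two sharing an equipment address.
SAMPLE_HIRES = [
    Hire("Hire A", "Denver", "12 Sample St, Denver, CO", "US", "US", True, ["192.0.2.10"]),
    Hire("Hire B", "Austin", "77 Farm Rd, Nashville, TN", "US", "US", False, ["203.0.113.5"]),
    Hire("Hire C", "Nashville", "77 Farm Rd, Nashville, TN", "CN", "US", True,
         ["198.51.100.9", "192.0.2.44"]),
]

if __name__ == "__main__":
    for name, flags in review(SAMPLE_HIRES).items():
        print(name, "->", flags or "no findings")
```

Each flag is a prompt for a human follow-up (re-verifying identity, contacting the shipping address, reviewing the session), not an automatic verdict.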
Developing comprehensive legal frameworks and fostering cybersecurity awareness are essential components of a broader strategy to address and deter cyber threats. Overall, these countermeasures reflect a multifaceted approach that combines enhanced cybersecurity protocols, international collaboration, and targeted legislation to address and mitigate the risks posed by North Korean cyber operations.

Conclusion

North Korea's strategic deployment of IT workers abroad has emerged as a pivotal component of its cyber operations, enabling the regime to circumvent international sanctions and fund its military ambitions, particularly in nuclear and missile development. By leveraging sophisticated cyber tactics, including deception and the exploitation of global IT markets, North Korean operatives have successfully infiltrated companies worldwide, posing significant risks to cybersecurity and ethical business practices. The intersection of human rights abuses, forced labour, and the moral implications of outsourcing to North Korean workers underscores the complexity of this issue. As the threat landscape evolves, businesses must adopt robust security measures, enhance due diligence, and foster international cooperation to mitigate the risks posed by North Korean cyber activities. Addressing these challenges requires a concerted effort from governments, businesses, and civil society to ensure that the pursuit of economic opportunities does not come at the expense of human rights and global security.

Bibliography

Caesar, Ed. “The Incredible Rise of North Korea’s Hacking Army.” The New Yorker, April 19, 2021. https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army.
Chafetz, Glenn. “Fox in the Henhouse: The Growing Harms of North Korea’s Remote IT Workforce.” The Diplomat, May 21, 2024. https://thediplomat.com/2024/05/fox-in-the-henhouse-the-growing-harms-of-north-koreas-remote-it-workforce/.
Corera, Gordon. “North Korea Hackers Trying to Steal Nuclear Secrets – US, UK Warn.” BBC News, July 25, 2024. https://www.bbc.com/news/articles/cjl6p3wj52no.
Federal Bureau of Investigation. “Democratic People’s Republic of Korea Leverages U.S.-Based Individuals to Defraud U.S. Businesses and Generate Revenue.” Public Service Announcement, May 16, 2024. https://www.ic3.gov/Media/Y2024/PSA240516.
Gao, Jie. Hardening the Shield Against North Korea’s “All-Purpose Sword”: An Evolving North Korean Cyber Threat and Its Policy Responses. Georgetown: Georgetown Center for Security Studies. http://hdl.handle.net/10822/1086540.
Greig, Jonathan. “US Offers $5 Million for Info on North Korean IT Workers Involved in Job Fraud.” The Record, May 16, 2024. https://therecord.media/north-korea-it-workers-accused-money-laundering-5million-reward.
Human Rights Watch. “World Report 2024: North Korea.” 2024. https://www.hrw.org/world-report/2024/country-chapters/north-korea.
Internal Revenue Service. “Charges and Seizures Brought in Fraud Scheme Aimed at Denying Revenue for Workers Associated with North Korea.” May 16, 2024. https://www.irs.gov/compliance/criminal-investigation/charges-and-seizures-brought-in-fraud-scheme-aimed-at-denying-revenue-for-workers-associated-with-north-korea.
Joe.smith. “Italian Animation Studio to Pay $538K Fine for Outsourcing Work to North Korea.” NK News, June 27, 2024. https://www.nknews.org/2024/06/italian-animation-studio-to-pay-538k-fine-for-outsourcing-work-to-north-korea/.
Legare, Robert. “U.S. Citizen Accused of Conspiring with North Korean IT Workers to Infiltrate 300 U.S. Companies and Get Remote Tech Jobs, Feds Say.” CBS News, May 16, 2024. https://www.cbsnews.com/news/u-s-citizen-north-korean-it-workers-infiltrate-u-s-companies-remote-tech-jobs/.
Lyngaas, Sean. “Tennessee Man Arrested for Allegedly Using IT Worker Scheme to Raise Money for North Korea’s Weapons Program.” CNN, August 8, 2024. https://edition.cnn.com/2024/08/08/politics/north-korea-fraud-tennessee-man-arrested/index.html.
Marlow, Iain. “North Koreans Worked Remotely for US Firms to Fund Missiles.” Bloomberg, May 16, 2024. https://www.bloomberg.com/news/articles/2024-05-16/north-koreans-worked-remotely-for-us-firms-to-fund-missiles?embedded-checkout=true.
Nah, Liang Tuang. “North Korean Hackers: Vigilance Against Better Than Underestimation Of.” North Korean Review 19, no. 1 (2023): 91–98. https://www.jstor.org/stable/27217098.
Park, Bora. “A Way Forward to Counter North Korea’s Evolving Cyber Threats.” Global NK, November 27, 2023. https://www.globalnk.org/commentary/view?cd=COM000129.
Weisensee, Nils. “North Korean Hacker Masquerades as IT Worker in Elaborate Infiltration Attempt.” NK News, July 24, 2024. https://www.nknews.org/2024/07/north-korean-hacker-masquerades-as-it-worker-in-elaborate-infiltration-attempt/.
Wilson, Tom. “Exclusive: North Korean Hackers Sent Stolen Crypto to Wallet Used by Asian Payment Firm.” Reuters, July 15, 2024. https://www.reuters.com/technology/cybersecurity/north-korean-hackers-sent-stolen-crypto-wallet-used-by-asian-payment-firm-2024-07-15/.
Yong, Lee Sang. “North Korean Workers Abroad Can’t Escape the Regime’s Human Rights Abuses.” The Diplomat, March 14, 2024. https://thediplomat.com/2024/03/north-korean-workers-abroad-cant-escape-the-regimes-human-rights-abuses/.

Notes

[1] Bora Park, “A Way Forward to Counter North Korea’s Evolving Cyber Threats,” Global NK, November 27, 2023, https://www.globalnk.org/commentary/view?cd=COM000129.
[2] Ibid.
[3] Ibid.
[4] Park, “A Way Forward to Counter North Korea’s Evolving Cyber Threats.”
[5] Jonathan Greig, “US Offers $5 Million for Info on North Korean IT Workers Involved in Job Fraud,” The Record, May 16, 2024, https://therecord.media/north-korea-it-workers-accused-money-laundering-5million-reward.
[6] Robert Legare, “U.S. Citizen Accused of Conspiring with North Korean IT Workers to Infiltrate 300 U.S. Companies and Get Remote Tech Jobs, Feds Say,” CBS News, May 16, 2024, https://www.cbsnews.com/news/u-s-citizen-north-korean-it-workers-infiltrate-u-s-companies-remote-tech-jobs/.
[7] Iain Marlow, “North Koreans Worked Remotely for US Firms to Fund Missiles,” Bloomberg, May 16, 2024, https://www.bloomberg.com/news/articles/2024-05-16/north-koreans-worked-remotely-for-us-firms-to-fund-missiles?embedded-checkout=true.
[8] Marlow, “North Koreans Worked Remotely for US Firms to Fund Missiles.”
[9] Nils Weisensee, “North Korean Hacker Masquerades as IT Worker in Elaborate Infiltration Attempt,” NK News, July 24, 2024, https://www.nknews.org/2024/07/north-korean-hacker-masquerades-as-it-worker-in-elaborate-infiltration-attempt/.
[10] Glenn Chafetz, “Fox in the Henhouse: The Growing Harms of North Korea’s Remote IT Workforce,” The Diplomat, May 21, 2024, https://thediplomat.com/2024/05/fox-in-the-henhouse-the-growing-harms-of-north-koreas-remote-it-workforce/.
[11] Chafetz, “Fox in the Henhouse.”
[12] Greig, “US Offers $5 Million for Info on North Korean IT Workers.”
[13] Chafetz, “Fox in the Henhouse.”
[14] Ibid.
[15] Ibid.
[16] Chafetz, “Fox in the Henhouse.”
[17] Ibid.
[18] Ibid.
[19] Internal Revenue Service, “Charges and Seizures Brought in Fraud Scheme Aimed at Denying Revenue for Workers Associated with North Korea,” May 16, 2024, https://www.irs.gov/compliance/criminal-investigation/charges-and-seizures-brought-in-fraud-scheme-aimed-at-denying-revenue-for-workers-associated-with-north-korea.
[20] Ibid.
[21] Jie Gao, Hardening the Shield Against North Korea’s “All-Purpose Sword”: An Evolving North Korean Cyber Threat and Its Policy Responses (Georgetown Center for Security Studies), http://hdl.handle.net/10822/1086540.
[22] Chafetz, “Fox in the Henhouse.”
[23] Tom Wilson, “Exclusive: North Korean Hackers Sent Stolen Crypto to Wallet Used by Asian Payment Firm,” Reuters, July 15, 2024, https://www.reuters.com/technology/cybersecurity/north-korean-hackers-sent-stolen-crypto-wallet-used-by-asian-payment-firm-2024-07-15/.
[24] Chafetz, “Fox in the Henhouse.”
[25] Internal Revenue Service, “Charges and Seizures Brought in Fraud Scheme.”
[26] Legare, “U.S. Citizen Accused of Conspiring with North Korean IT Workers.”
[27] Internal Revenue Service, “Charges and Seizures Brought in Fraud Scheme.”
[28] Sean Lyngaas, “Tennessee Man Arrested for Allegedly Using IT Worker Scheme to Raise Money for North Korea’s Weapons Program,” CNN, August 8, 2024, https://edition.cnn.com/2024/08/08/politics/north-korea-fraud-tennessee-man-arrested/index.html.
[29] Wilson, “Exclusive: North Korean Hackers Sent Stolen Crypto.”
[30] Human Rights Watch, “World Report 2024: North Korea,” 2024, https://www.hrw.org/world-report/2024/country-chapters/north-korea.
[31] Ed Caesar, “The Incredible Rise of North Korea’s Hacking Army,” The New Yorker, April 19, 2021, https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army.
[32] Human Rights Watch, “World Report 2024: North Korea.”
[33] Ibid.
[34] Caesar, “The Incredible Rise of North Korea’s Hacking Army.”
[35] Lee Sang Yong, “North Korean Workers Abroad Can’t Escape the Regime’s Human Rights Abuses,” The Diplomat, March 14, 2024, https://thediplomat.com/2024/03/north-korean-workers-abroad-cant-escape-the-regimes-human-rights-abuses/.
[36] Human Rights Watch, “World Report 2024: North Korea.”
[37] Federal Bureau of Investigation, “Democratic People’s Republic of Korea Leverages U.S.-Based Individuals to Defraud U.S. Businesses and Generate Revenue,” May 16, 2024, https://www.ic3.gov/Media/Y2024/PSA240516.
[38] Gordon Corera, “North Korea Hackers Trying to Steal Nuclear Secrets – US, UK Warn,” BBC News, July 25, 2024, https://www.bbc.com/news/articles/cjl6p3wj52no.
[39] Legare, “U.S. Citizen Accused of Conspiring with North Korean IT Workers.”
[40] Chafetz, “Fox in the Henhouse.”
[41] Federal Bureau of Investigation, “Democratic People’s Republic of Korea Leverages U.S.-Based Individuals.”
[42] Nah, “North Korean Hackers: Vigilance Against Better Than Underestimation Of.”
[43] Corera, “North Korea Hackers Trying to Steal Nuclear Secrets.”
Archives
October 2024