Reuters on Tuesday published a disturbing expose of how thousands of North Koreans have been able to land jobs with foreign tech companies using fake names, phony profiles on services like LinkedIn, and interview scripts tailored to make them sound like they are not the subjects of a psychotic Communist tyranny.
On Wednesday, the Justice Department confirmed a major investigation of the scheme has been in progress for some time.
There was an element of dark comedy to the Reuters report, which made it sound fairly easy for dictator Kim Jong-un’s serfs to bamboozle Western human resources departments into thinking they were legitimate job applicants from free countries.
For example, reporters got their hands on a canned interview script that told North Koreans to say things like “People are free to express ideas and opinions!” to interviewers, telling them exactly what they wanted to hear about healthy “corporate culture.” The scripts included a variety of prepared excuses for why the disguised North Korean applicant needed to work remotely.
Combined with convincing fake resumes and doctored social media profiles, such tactics were good enough to defeat the vetting process at countless information technology companies.
The interview scripts were uncovered by an American cybersecurity firm called Palo Alto Networks, which was investigating a scheme by hackers to trick software companies into installing malware on their systems by posing as job applicants. Palo Alto’s researchers dubbed this tactic “Contagious Interview.”
Contagious Interview attacks typically begin with phony job applicants persuading employers to interview them online, using a video conferencing platform of the hacker’s choice, usually the popular collaboration platform GitHub. Employers who accepted the offer found themselves downloading malware packages disguised as “click here to connect” software.
Some of the Contagious Interview hackers were also reportedly able to persuade prospective employers to download and install software they had written, to evaluate the quality of their coding work. In both scenarios, the unwitting employee allowed the hackers to open back doors into their systems for further mischief.
A review of the infrastructure created to support the Contagious Interview campaign, which is still an active threat, suggested it was designed and sponsored by the government of North Korea.
In the course of conducting this investigation, Palo Alto Networks found another North Korean program dubbed “Wagemole” that was even stranger and more ambitious. Wagemole involved disguised North Koreans actually accepting jobs with American, European, and Asian companies and working remotely, as has become more common since the Wuhan coronavirus pandemic.
The cybersecurity sleuths discovered a “trove of information” used in the Wagemole campaign, including “resumes with different technical skill sets and multiple identities impersonating individuals from various nations,” plus “common job interview questions and answers, scripts for interviews and downloaded job postings from U.S. companies.”
Palo Alto Networks found a cache of data accidentally left unsecured by a North Korean hacker that included “resumes for 14 identities, a forged U.S. green card, interview scripts, and evidence that some workers had bought access to legitimate online profiles in order to appear more genuine.”
North Korean leader Kim Jong-un and his daughter inspect the site of a missile launch at Pyongyang International Airport in Pyongyang, North Korea, Friday, Nov. 18, 2022. (Korean Central News Agency/Korea News Service via AP)
Researchers could not determine if Wagemole operatives were planting malware in their employers’ systems or stealing intellectual property, but it seemed clear that a hefty portion of their salaries was seized by the regime in Pyongyang for its own use, including funding for its illegal nuclear missile program.
A North Korean IT worker who participated in the Wagemole scheme told Reuters he and his comrades were expected to land jobs paying at least $100,000 a year. The Communist regime skimmed at least 30 percent of their wages off the top, then billed them up to 60 percent more for “expenses,” leaving the workers to keep ten to 30 percent of their income — which is still a lot more than they could earn in North Korea.
“I worked to earn foreign currency. It differs between people but, basically, once you get a remote job you can work for as little as six months, or as long as three to four years. When you can’t find a job, you freelance,” he said.
Reuters said it discovered “further evidence in leaked darkweb data” that North Koreans have fraudulently secured jobs in “Chile, New Zealand, the United States, Uzbekistan, and the United Arab Emirates.” A security firm called Constella Intelligence found one North Korean who had active accounts at more than 20 different websites for IT freelance workers.
The obvious risk for North Korea was that dispatching its captive citizens to work for foreign tech firms could expose them to challenging ideas or forbidden news, but the North Korean who spoke to Reuters said that risk was mitigated with extensive training and monitoring.
The U.S. Department of Justice (DOJ) announced on Wednesday that “thousands” of IT workers contracted with American companies sent “millions of dollars of their wages to North Korea for use in its ballistic missile program.”
At a news conference in St. Louis, FBI officials said some of North Korea’s IT workers are actually operating out of China and Russia, “with the goal of deceiving businesses from the U.S. and elsewhere into hiring them as freelance remote employees.” This presumably helps them evade security precautions that might spot emails and online connections emanating from North Korea.
FBI Special Agent in Charge Jay Greenberg said some of the North Koreans took the extra step of “paying Americans to use their home Wi-Fi connections” to fool employers.
According to Greenberg, every U.S. company that hires freelance IT workers has “more than likely” hired at least one disguised North Korean.
“At a minimum, the FBI recommends that employers take additional proactive steps with remote IT workers to make it harder for bad actors to hide their identities,” he said.
DOJ said 17 domain names and $1.5 million in funds have been seized as part of the investigation.
The Associated Press (AP) pointed to evidence the U.S. government has been aware of the North Korean scheme since long before Palo Alto Networks uncovered its data troves, pointing to State and Treasury Department warnings from as far back as May 2022 that North Koreans were trying to “obtain employment while posing as non-North Korean nationals.”
Cybersecurity expert John Hultquist of Mandiant said the scheme was launched at least a decade ago but kicked into a much higher gear after the coronavirus pandemic.
“I think the post-COVID world has created a lot more opportunity for them because freelancing and remote hiring are a far more natural part of the business than they were in the past,” Hultquist told the AP.