Sophisticated Subterfuge: North Korean IT Workers Using Fake Names and Counterfeit Documents to Get Hired
North Korean IT workers seeking employment in Western tech companies have been resorting to elaborate tactics to secure jobs, according to documents reviewed by Reuters, interviews with a former North Korean IT worker, and cybersecurity researchers. These strategies include using fake names, sham LinkedIn profiles, counterfeit work papers, and mock interview scripts.
The North Korean regime has been dispatching thousands of IT workers overseas in recent years to generate funds for its nuclear missile program, according to the United States, South Korea, and the United Nations. To convince Western hiring managers, North Korean IT workers rely on carefully crafted scripts that offer suggestions on how to describe a “good corporate culture” and emphasize the freedom to express ideas and opinions, a luxury that could lead to imprisonment in their home country.
Researchers at Palo Alto Networks, a US cybersecurity firm, uncovered 30 pages of interview scripts used by North Korean software developers, as well as fraudulent resumes, online profiles, interview notes, and forged identities. Further evidence of their deceptive tactics was found in leaked dark web data, which revealed the tools and techniques employed by North Korean workers to secure jobs in various countries, including Chile, New Zealand, the United States, Uzbekistan, and the United Arab Emirates.
These documents and data shed light on the extensive effort and subterfuge employed by North Korean authorities to ensure the success of their scheme, which has become a crucial source of foreign currency for the cash-strapped regime. Remote IT workers can earn more than ten times the income of conventional North Korean laborers working overseas in manual jobs, according to the US Justice Department. Teams of these workers can collectively earn over $3 million a year.
The former North Korean IT worker, who spoke on condition of anonymity due to security concerns, confirmed the authenticity of the documents and stated that he and his colleagues would create fake profiles until they were hired. Once hired, they would then create additional fake profiles to secure second jobs. These tactics have proven to be lucrative, with North Korean developers hiding behind pseudonymous email and social media accounts to generate millions of dollars annually for sanctioned North Korean entities.
North Korean IT workers are mainly located in China and Russia, with some in Africa and Southeast Asia, according to the US government. Their earnings can reach up to $300,000 per year, with a portion repatriated to Pyongyang and the rest spent on overhead expenses or pocketed by the workers themselves. It is estimated that there are around 3,000 North Korean IT workers overseas and another 1,000 based within North Korea.
The discovery of these deceptive practices was made by researchers at Palo Alto’s Unit 42 cyber research division while examining a campaign by North Korean hackers targeting software developers. The researchers found a connection between North Korea’s hackers and its IT workers, although the defector clarified that espionage missions were reserved for a select few.
However, there is a risk for the North Korean government as these privileged workers become exposed to the realities of the world and their country’s enforced backwardness. North Korean IT workers could potentially use their access to hack their employers, as indicated by some of the leaked resumes, which showed experience in cryptocurrency firms, a sector that has long been targeted by North Korean hackers.
The data obtained from Constella Intelligence, an identity investigation firm, revealed that one North Korean worker had accounts on multiple freelancing websites across different countries. Additionally, there was evidence of access to websites selling digital templates for creating realistic-looking fake identification documents, such as US driving licenses, visas, and passports.
The documents uncovered by researchers included resumes for various forged identities, a counterfeit US green card, interview scripts, and evidence of purchased access to legitimate online profiles. For example, one profile referred to a forged identity named “Richard Lee,” which matched the name on the green card. The US Department of Homeland Security did not respond to requests for comment. A LinkedIn account for a Richard Lee with the same profile photo was found, listing experience at Jumio, a digital identity verification company. Jumio stated that it had no record of Richard Lee as an employee and did not have any evidence of employing a North Korean worker.
The use of fake names, counterfeit documents, and deceptive tactics by North Korean IT workers demonstrates the lengths they are willing to go to secure employment abroad. These strategies not only enable them to earn significant income but also provide a vital lifeline of foreign currency for the North Korean regime.