North Korean Hackers Posing as IT Freelancers

Secure your business with CyberHoot Today!!!

According to a joint advisory from the U.S. Department of State, the Department of the Treasury, and the Federal Bureau of Investigation (FBI), highly skilled software and mobile app developers from the Democratic People’s Republic of Korea (DPRK) are posing as “non-DPRK nationals” in hopes of landing freelance employment in an attempt to enable the regime’s malicious cyber intrusions.

Targets include financial, health, social media, sports, entertainment, and lifestyle-focused companies located in North America, Europe, and East Asia, with most of the dispatched workers situated in China, Russia, Africa, and Southeast Asia.

What Is Their Goal?

The goal, the U.S. agencies warn, is to generate a constant stream of revenue that sidesteps international sanctions imposed on the nation and help serve its economic and security priorities, including the development of nuclear and ballistic missiles. The advisory noted that the North Korean government “withholds up to 90 percent of wages of overseas workers which generates an annual revenue to the government of hundreds of millions of dollars”.

Some of the primary sectors where DPRK IT workers have been found working in are software development, crypto platforms, graphic animation, online gambling, mobile games, dating sites, Artificial Intelligence (AI), Virtual Reality apps, hardware and firmware development, biometric recognition software, and database management. Workers are also known to take on projects that involve virtual currency, reflecting the country’s continued interest in the technology and its history of targeted attacks aimed at the financial sector.

Additionally, they are said to abuse the privileged access obtained as contractors to provide logistical support to North Korean state-sponsored groups, share access to virtual infrastructure, facilitate the sale of stolen data, and assist in money laundering and virtual currency transfers.

Red Flags to Watch Out For

You may think you’re hiring someone from South Korea to help out your company with IT-related projects, but these DPRK IT workers will deliberately obfuscate their identities, locations, and nationality online by using Virtual Private Networks (VPNs). Potential red flags indicating the involvement of DPRK IT workers are: 

  • Multiple logins into one account from various IP addresses in a short period
  • Logging into multiple accounts on the same platform from one IP address
  • Logged into accounts continuously for one or more days at a time
  • Use of ports such as 3389 that are associated with remote desktop sharing software
  • Using rogue client accounts on freelance work platforms to boost developer account ratings
  • Multiple developer accounts receiving high ratings from one client account in a short time
  • Frequent money transfers through payment platforms to China-based bank accounts, and
  • Seeking payment in virtual currency

How Can You Avoid These Scenarios?

It’s important to do your due diligence if you’re hiring freelancers, especially if they’re claiming to be from South Korea or a similar geographical area. Consider the following when hiring contractors to support your business.

  • Hire Someone you Know: If there is someone you know local to your company or within the region you operate or someone who can vouch for the contractor you’re hiring, it’s a good idea to have first-hand knowledge of your subcontractors.
  • Interview in Person or virtually via Web Conference: Many times, an in-person or virtual interview can help you determine the legitimacy of a candidate. Do not hire someone you’ve never met at least virtually.
  • Background Checks: There are companies that specialize in international background checks. Always validate their financial status, criminal records, and educational degrees for legitimacy before extending an offer.
  • Review Work Profiles: Don’t just check the previous descriptions of the jobs performed on freelance work platforms, contact at least one of their previous employers’ to validate the quality of their work and the legitimacy of the posting.
  • Final Thoughts: Trust your gut. If anything feels off when hiring a remote worker from a freelance platform, err on the side of caution and look for someone else that you know to be good, trusted, and capable. You can never be too careful in today’s day and age or remote work from anywhere (including the DPRK).

Aside from these things to look out for, there are additional ways you can ensure privacy and security, listed below. 

CyberHoot’s Minimum Essential Cybersecurity Recommendations

The following recommendations will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.

  1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
  2. Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
  3. Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
  4. Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, and deploy DNS protection, antivirus, and anti-malware on all your endpoints.
  5. In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections) or prohibiting their use entirely.
  6. If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
  7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

Each of these recommendations, except cyber-insurance, is built into CyberHoot’s product and virtual Chief Information Security Officer services. With CyberHoot you can govern, train, assess, and test your employees. Visit and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.

Share this on your social networks. Help Friends, Family, and Colleagues become more aware and secure.