Full Report
Cybersecurity researchers have identified infrastructure links between the North Korean threat actors behind the fraudulent IT worker schemes and a 2016 crowdfunding scam. The new evidence suggests that Pyongyang-based threat groups may have pulled off illicit money-making scams that predate the use of IT workers, SecureWorks Counter Threat Unit (CTU) said in a report shared with The Hacker
Analysis Summary
# Threat Actor: North Korean Nation-State Actors (Associated with IT Worker Schemes)
## Attribution & Identity
* **Primary Association:** North Korean threat actor groups running illicit money-making schemes, specifically linked to fraudulent IT worker employment.
* **Organizational Link:** Assessed to be part of the **313th General Bureau**, an organization under the Munitions Industry Department of the Workers' Party of Korea.
* **Known Aliases/Groups:** Famous Chollima, Nickel Tapestry, UNC5267, Wagemole.
* **Associated Front Companies:** Yanbian Silverstar and Volasys Silver Star (both previously sanctioned by OFAC in September 2018).
* **Key Individual:** Jong Song Hwa (North Korean CEO controlling earnings flow for developer teams in China and Russia).
## Activity Summary
The primary activity involves North Korean actors securing employment in the West and globally by using fake identities to infiltrate companies (IT worker fraud scheme, discovered in late 2023). The goal is to generate revenue for the sanctions-hit nation. Actors are often dispatched to work for front companies in China and Russia to hide their true nationality. Evidence suggests infrastructure links connect these IT worker schemes to a smaller, earlier 2016 crowdfunding scam, indicating early experimentation with money-making schemes predating the large-scale IT fraud.
## Tactics, Techniques & Procedures
* **Identity Deception/Impersonation:** Surreptitiously seeking employment under fake identities to conceal true nationality and location.
* **Domain Impersonation:** Seizing/using internet domains to impersonate legitimate U.S.-based IT services companies for freelance work applications.
* **Illicit Funding Mechanisms:** Utilizing both modern IT worker fraud and older, low-effort scams (like crowdfunding fraud).
* *No specific MITRE ATT&CK IDs were provided in the source material.*
## Targeting
* **Sectors:** Information Technology (via employment infiltration); Financial/Crowdfunding sectors (historical scams).
* **Geography:** Global infiltration; specific operational bases noted in **China** and **Russia** (where front companies operate).
* **Victims:** Businesses in the West and elsewhere that hire contract or freelance IT workers. (Historical victims include the 193 backers of a 2016 crowdfunding campaign.)
## Tools & Infrastructure
* **Malware Families Used:** The article mentions a separate but contextually related deployment of **OtterCookie** by DPRK hackers; any direct link to the Nickel Tapestry group is contextual rather than definitive within this summary's scope.
* **Infrastructure (C2, domains, IPs):**
  * "silverstarchina\[.\]com" (seized domain impersonating a legitimate U.S.-based IT services company).
  * "kratosmemory\[.\]com" (associated with the 2016 crowdfunding scam).
  * Front company entities: Yanbian Silverstar, Volasys Silver Star.
## Implications
This activity confirms a persistent, state-sponsored strategy by Pyongyang to generate revenue through cybercrime and illicit means, evolving from small-scale scams (2016) to well-organized, long-term corporate infiltration (IT worker scheme). The use of front companies in China and Russia highlights the logistical support structure enabling these operations while evading international sanctions.
## Mitigations
* Enhanced due diligence when hiring IT workers: scrutinize employment history and verify identity and nationality, especially for offshore engagements.
* Vigilance against domain squatting or impersonation tactics used to mask the origin of freelance IT contractors.
* Monitoring for historical connection points between current fraud schemes and older techniques (like crowdfunding scams) to trace actor evolution.
* (Contextual note, drawing from general DPRK activity mentioned): Enhanced security measures for cryptocurrency assets and blockchain platforms.
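The domain-impersonation vigilance above can be turned into a simple pre-hire screening step. The following Python script is an added example for this summary, not code from the SecureWorks report or from any project it names: it refangs the two domains the report publishes, then screens the contact e-mail or portfolio URL a contractor submits against (a) those reported indicators and (b) near-matches to a trusted-vendor list. The trusted-vendor domains, the applicant records and the similarity threshold are constructed assumptions for illustration; the "last two labels" rule for the registrable domain is a simplification that ignores public-suffix handling.

```python
"""Screen contractor-supplied domains against reported indicators and lookalikes.

Added example; assumptions are marked inline. Python 3 standard library only.
"""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Domains named in the report, kept in the defanged form in which they were published.
REPORTED_INDICATORS = ["silverstarchina[.]com", "kratosmemory[.]com"]

# Constructed for this example (assumption): domains of IT vendors the hiring team
# already trusts. A contractor domain that nearly matches one of these deserves review.
TRUSTED_VENDOR_DOMAINS = ["silverstar-it.example", "kratos-memory.example"]

# Constructed applicant records (assumption): contact e-mail or portfolio URL as submitted.
SAMPLE_APPLICANTS = [
    "dev1@silverstarchina.com",
    "https://www.kratosmemory.com/portfolio",
    "contractor@silverstar-it.example",
    "freelancer@si1verstar-it.example",
    "someone@unrelated-dev.example",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('hxxp://', '[.]') back into a plain hostname."""
    host = indicator.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        host = host.replace(token, ".")
    host = re.sub(r"^hxxps?://", "", host)
    return host.split("/", 1)[0]


def extract_host(value: str) -> str:
    """Pull the hostname out of an e-mail address or URL, lower-cased."""
    value = value.strip().lower()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1]
    parsed = urlparse(value if "://" in value else "http://" + value)
    return parsed.hostname or ""


def registrable(host: str) -> str:
    """Last two labels of a hostname (assumption: no public-suffix list handling)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_ratio(a: str, b: str) -> float:
    """Similarity of the second-level labels, e.g. 'silverstar-it' vs 'si1verstar-it'."""
    return SequenceMatcher(None, a.split(".")[0], b.split(".")[0]).ratio()


def screen(value, indicators=REPORTED_INDICATORS, trusted=TRUSTED_VENDOR_DOMAINS,
           threshold=0.85):
    """Return a verdict dict: 'block' (reported indicator), 'review' (lookalike) or 'pass'."""
    domain = registrable(extract_host(value))
    blocked = {registrable(refang(i)) for i in indicators}
    if domain in blocked:
        return {"input": value, "domain": domain, "verdict": "block",
                "reason": "matches reported indicator"}
    if domain in trusted:
        return {"input": value, "domain": domain, "verdict": "pass",
                "reason": "trusted vendor domain"}
    for vendor in trusted:
        ratio = lookalike_ratio(domain, vendor)
        if ratio >= threshold:  # close to, but not equal to, a trusted domain
            return {"input": value, "domain": domain, "verdict": "review",
                    "reason": f"resembles {vendor} (similarity {ratio:.2f})"}
    return {"input": value, "domain": domain, "verdict": "pass", "reason": "no match"}


def screen_all(values=SAMPLE_APPLICANTS):
    """Screen every submitted value and return the list of verdicts."""
    return [screen(v) for v in values]


if __name__ == "__main__":
    for result in screen_all():
        print(f"{result['verdict']:6}  {result['domain']:28}  {result['reason']}")
```

A "review" verdict is deliberately not a rejection: a near-match to a trusted vendor is a prompt for the identity and employment-history checks listed above, while a "block" on a published indicator should be rare and is worth reporting to the security team rather than silently discarding the application.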