Full Report
Four US citizens tried it, and the DoJ just secured guilty pleas from all of 'em It sounds like easy money. North Koreans pay you to use your identity so they can get jobs working for American companies in IT. However, if you go this route, the US Department of Justice promises to catch up with you eventually.…
Analysis Summary
# Threat Actor: North Korean State-Sponsored IT Workers (Facilitated by Identity Brokers)
## Attribution & Identity
The primary actors are **North Korean entities/individuals** attempting to gain employment within US companies. The scheme is facilitated by **identity brokers** (like the Ukrainian national Oleksandr Didenko) and **complicit US citizens** who loan or sell their identities and physical presence.
**Known Aliases and Associated Groups:**
* Involved parties include US citizens complicit in the scheme (Audricus Phagnasay, Jason Salazar, Alexander Paul Travis, Erick Ntekereze Prince) and an identity broker (Oleksandr Didenko).
* The ultimate beneficiary is the **North Korean regime** (The Kim regime).
## Activity Summary
The campaign involves North Korean nationals using the stolen or brokered identities of US citizens to secure remote IT jobs at American companies. This activity was observed between **2019 and 2022**.
Specific instances detailed include:
1. Three US citizens in the Southern District of Georgia pled guilty to enabling North Koreans by providing identities and hosting company laptops for remote access. This generated approximately **$1.28 million** in fraudulent salary payments.
2. Erick Ntekereze Prince used his company, Taggcar Inc., to supply "certified" IT workers, earning over **$89,000**. This specific network saw North Korean IT workers obtain employment at **more than 64 US companies**, earning nearly $1 million.
3. Oleksandr Didenko, an identity broker, facilitated fraudulent employment at **40 US companies** through the sale of stolen US identities.
## Tactics, Techniques & Procedures
- **Identity Theft/Fraud:** Stealing or purchasing the identities of US citizens.
- **Remote Deception:** Hosting company-issued laptops at US residences ("laptop farms"), with **remote access software** installed so that North Korean operatives abroad could operate them. Because the laptop itself is physically in the US, IP geolocation, device-posture and asset-based location checks all pass; the deception bypasses location-based controls rather than defeating them technically, and the giveaway is the operating pattern (remote access tooling, remote-sourced interactive sessions, many devices behind one residential address) rather than the network location.
- **Physical Impersonation (Limited):** Some conspirators provided physical verification, such as showing up in person for drug tests to maintain the facade.
- **Corporate Facilitation:** Utilizing legitimate business fronts (e.g., Taggcar Inc.) to supply allegedly "certified" North Korean workers.
**MITRE ATT&CK IDs (inferred from the described tactics; the source itself does not map them):**
* T1219: Remote Access Software, for the remote access tooling installed on the hosted company laptops. This is the only technique the reported activity supports directly.
* T1588.002: Obtain Capabilities: Tool, if the remote access tool was acquired rather than already present. Note that T1588 has no "Credentials" sub-technique; the purchase of US identities has no exact ATT&CK mapping, because it is fraud against the hiring process rather than a technical intrusion step.
## Targeting
- **Sectors:** Information Technology (IT) industry, specifically targeting US companies requiring remote access workers.
- **Geography:** US companies as employment targets; the identity broker was arrested in Poland and brought to the US for prosecution (the source also mentions an extradition from the Netherlands).
- **Victims:** Over **64 US companies** were victimized in one known network, plus an additional **40 US companies** impacted by Didenko's brokerage.
## Tools & Infrastructure
- **Tools:** **Remote access software** installed on company-issued laptops.
- **Infrastructure:** Company-issued laptops hosted physically in the US residences of the conspirators.
## Implications
This scheme represents a significant, organized effort by North Korea to generate revenue (the DoJ states the proceeds go to the Kim regime) while simultaneously positioning operatives with legitimate employee **access to intellectual property** and sensitive systems within US businesses. The involvement of identity brokers underscores the maturity and scope of the infrastructure supporting these efforts.
## Mitigations
- **Improved Vetting:** Private sector partners must **improve security processes for vetting remote workers**, going beyond standard background checks: verify government identity documents against a live video interview, confirm that the laptop ship-to address matches the address on the HR record, and treat requests to ship equipment elsewhere or to use a personal device as red flags.
- **Remote Access Monitoring:** Companies should monitor remote access sessions originating from company assets for anomalies inconsistent with the employee's stated location or activity profile: remote access software on endpoints not authorized to run it, interactive sessions that arrive via RDP/VNC rather than the console, and several corporate devices assigned to different employees egressing from one residential IP address.
- **Supply Chain Vigilance:** Require third-party labor suppliers and contractors to document their vetting standards, and apply the same identity and device checks to supplied workers as to direct hires.
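The following is an added example, not code from the report or the DoJ: a small triage routine showing how the remote-access monitoring above can be expressed over endpoint and identity-provider telemetry. It covers both the laptop-farm technique (several company devices, assigned to different employees, behind one residential egress IP, each running remote access software and driven over a remote-desktop session) and the location mismatch between the login geolocation and the HR record. The telemetry records, the remote-access-tool watchlist, the corporate egress list and the device/employee names are all constructed for illustration.

```python
"""Triage sketch for laptop-farm style remote-worker fraud.

Added example; the telemetry below is constructed (documentation IP ranges)
and is not data from the reported case.
"""
from collections import defaultdict
from dataclasses import dataclass

# Process image names an organization might treat as remote-access software
# on endpoints not authorized to run it. Illustrative watchlist (assumption).
REMOTE_ACCESS_TOOLS = frozenset({"anydesk.exe", "teamviewer.exe", "rustdesk.exe"})

# Egress IPs that legitimately front many users (office NAT, corporate VPN).
# Assumed value; in practice this comes from the network inventory.
CORPORATE_EGRESS = frozenset({"198.51.100.1"})


@dataclass(frozen=True)
class DeviceSnapshot:
    device: str
    employee: str
    public_ip: str        # egress address seen by the IdP / VPN concentrator
    login_region: str     # region geolocated from public_ip
    hr_region: str        # region the employee claims to live in (HR record)
    processes: tuple      # running process image names
    remote_session: bool  # interactive logon arrived via RDP/VNC, not the console


def shared_egress(records, min_employees=3):
    """Laptop-farm signal: devices assigned to several different employees all
    egressing from one non-corporate IP. Corporate NAT/VPN IPs are excluded
    because they would cluster legitimately."""
    by_ip = defaultdict(set)
    for r in records:
        if r.public_ip not in CORPORATE_EGRESS:
            by_ip[r.public_ip].add(r.employee)
    return {ip for ip, emps in by_ip.items() if len(emps) >= min_employees}


def triage(records, min_employees=3):
    """Return {device: [finding, ...]} for every device with at least one finding."""
    farm_ips = shared_egress(records, min_employees)
    findings = defaultdict(list)
    for r in records:
        if r.public_ip in farm_ips:
            findings[r.device].append(f"shared_residential_egress:{r.public_ip}")
        tools = sorted({p.lower() for p in r.processes} & REMOTE_ACCESS_TOOLS)
        if tools:
            findings[r.device].append("remote_access_tool:" + ",".join(tools))
        if r.remote_session:
            findings[r.device].append("interactive_session_is_remote")
        # Weak on its own: the laptop really is in the US, so the region often
        # matches. It only fires when the farm is in a different region than
        # the one the employee claimed.
        if r.login_region != r.hr_region:
            findings[r.device].append(f"geo_mismatch:{r.login_region}!={r.hr_region}")
    return dict(findings)


def priority(findings):
    """Devices where the farm signal coincides with a remote-operation signal;
    these are the ones worth an analyst's time first."""
    return sorted(
        d for d, f in findings.items()
        if any(x.startswith("shared_residential_egress") for x in f)
        and any(x.startswith(("remote_access_tool", "interactive_session_is_remote")) for x in f)
    )


# Constructed sample telemetry: three devices of three employees behind one
# residential IP, all remotely driven; one IT admin running a remote tool
# alone; normal users behind the corporate egress.
SAMPLE = (
    DeviceSnapshot("LT-1001", "a.jones", "203.0.113.45", "GA", "CA", ("explorer.exe", "AnyDesk.exe"), True),
    DeviceSnapshot("LT-1002", "b.smith", "203.0.113.45", "GA", "TX", ("explorer.exe", "AnyDesk.exe"), True),
    DeviceSnapshot("LT-1003", "c.lee",   "203.0.113.45", "GA", "GA", ("explorer.exe", "AnyDesk.exe"), True),
    DeviceSnapshot("LT-2001", "d.kim",   "198.51.100.7", "NY", "NY", ("explorer.exe", "outlook.exe"), False),
    DeviceSnapshot("LT-2002", "e.ruiz",  "198.51.100.1", "WA", "WA", ("explorer.exe", "TeamViewer.exe"), False),
    DeviceSnapshot("LT-2003", "f.wong",  "198.51.100.1", "WA", "WA", ("explorer.exe",), False),
    DeviceSnapshot("LT-2004", "g.das",   "198.51.100.1", "WA", "WA", ("explorer.exe",), False),
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for dev in priority(result):
        print(dev, result[dev])
```

The shared-egress signal is the strongest of the three because it is hard for the scheme to avoid: each hosted laptop must sit on the conspirator's home connection, and the more identities the farm serves the more devices cluster on that one address. The remote-access-tool signal alone produces false positives (LT-2002 above is a lone admin), which is why `priority` requires the farm signal to coincide with a remote-operation signal; the region check is mostly corroboration, since the laptop is genuinely in the US.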