Full Report
The North Korean office responsible for the scheme, Department 53, was created to funnel money back into the country’s weapons programs. The post Treasury sanctions North Korea over remote IT worker schemes appeared first on CyberScoop.
Analysis Summary
# Threat Actor: North Korean Remote IT Workers (State-Sponsored Operations)
## Attribution & Identity
**Attribution:** North Korea, specifically linked to **Department 53** of the Ministry of National Defense.
**Aliases and Associated Groups:** Department 53 (the central office orchestrating the scheme), front companies including **Korea Osong Shipping Co.** and **Chonsurim Trading Corporation**. Sanctioned individuals acting as leaders/operators include **Jong In Chol** and **Son Kyong Sik**.
**Direct Association:** State-sponsored activity intended to funnel revenue back to the North Korean regime.
## Activity Summary
The primary activity summarized is a long-running, state-sponsored scheme involving sending thousands of skilled North Korean IT professionals overseas to secure freelance and remote IT jobs under false pretenses. The operators funnel up to 90% of the workers' earnings back to Pyongyang to finance weapons programs. This scheme is also used to generate revenue supporting Russia’s war in Ukraine. The operations include maintaining complex fake networks (fake employee records, identity redirection) to sustain employment even if an operative is dismissed.
## Tactics, Techniques & Procedures
- **Illicit Revenue Generation:** Securing remote IT jobs and freelancing under false pretenses to generate foreign currency.
- **Identity Deception/Misrepresentation:** Creating entire fake networks of employees and companies to provide cover, references, and payment routing.
- **Facilitation/Aid:** Utilizing individuals in the US (e.g., a Tennessee man arrested for using stolen identities to secure remote work for North Koreans masquerading as US citizens).
- **Logistical Support:** Leveraging front companies (like those sanctioned in Laos) to place workers on specific software projects.
- **Supply Chain Support:** Utilizing external entities (e.g., Liaoning China Trade Industry Co., Ltd.) to supply crucial technological equipment for IT operations abroad.
## Targeting
- **Sectors:** IT and software development (via freelance/remote work acquisition).
- **Geography:** Workers have been placed in countries such as **Laos**; the financing and IT engagement behind the scheme span multiple countries.
- **Victims:**
1. **International Companies/Clients** unknowingly employing North Korean nationals.
2. Entities targeted by the wider North Korean regime for illicit enrichment efforts.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly mentioned, as the focus is on the workforce scheme methodology rather than specific malware payloads.
- **Infrastructure (C2, domains, IPs):** None reported; the source describes sanctioned entities rather than technical infrastructure.
  - **Entities Sanctioned for Support:** Liaoning China Trade Industry Co., Ltd. (Chinese company supplying technological equipment).
  - **Front Companies Used for Placement:** Korea Osong Shipping Co., Chonsurim Trading Corporation.
## Implications
This activity represents a critical, sustained source of financing for North Korea's Weapons of Mass Destruction (WMD) and ballistic missile programs. The reliance on skilled, overseas IT labor highlights Pyongyang's asymmetric method of bypassing traditional sanctions by exploiting global remote work environments. The collaboration and exploitation risks associated with companies outside North Korea (e.g., in China, or via complicit US citizens) demonstrate a wide web of enforcement challenges.
## Mitigations
- **Vetting and Identity Verification:** Increased scrutiny for remote IT workers regarding verifiable identity, especially during hiring for sensitive or critical development roles.
- **Supply Chain Monitoring:** Due diligence on technology suppliers and vendors that interact with Department 53-associated entities.
- **Awareness of Workforce Exploitation:** Organizations should be aware of schemes where North Korean nationals may be using stolen identities or fraudulent credentials to gain remote employment.