Full Report
The US Government is offering a $5 million reward for information leading to the disruption of the financial mechanisms supporting North Korea, following a six-year fraud conspiracy
Analysis Summary
# Threat Actor: North Korean IT Worker Fraud Scheme (DPRK-directed)
## Attribution & Identity
The perpetrators are North Korean nationals operating under direction from the Democratic People’s Republic of Korea (DPRK) regime. The scheme involves two DPRK-controlled companies, **Yanbian Silverstar** (located in the PRC) and **Volasys Silverstar** (located in the Russian Federation), which together employed at least 130 workers referred to internally as “IT Warriors.” The US Department of Justice (DoJ) issued indictments against 14 individuals involved in the scheme.
## Activity Summary
This activity involves a long-running **financial fraud conspiracy (2017–2023)** aimed at generating revenue for the DPRK in violation of sanctions.
The primary activity involves North Korean IT workers obtaining remote employment at US-based companies and non-profit organizations under fraudulent pretenses. The scheme generated at least **$88 million** over six years, with individual workers allegedly ordered to earn at least $10,000 monthly.
In addition to salary theft, the actors have escalated their tactics to include **extortion**: stealing sensitive company information (e.g., proprietary source code) and threatening to leak it unless a ransom is paid. The report assesses that recent government disruption efforts are driving this escalation in tactics.
## Tactics, Techniques & Procedures
- **Fraudulent Employment Acquisition:** Obtaining salaried employment at US companies through deception.
- **Identity Misuse:** Using valid but stolen US-based identities to secure employment.
- **Technology Utilization:** Employing "AI-enhanced" applications during the application and hiring process.
- **Data Theft & Extortion:** Stealing proprietary source code and leveraging it for ransom demands (a more recent escalation).
- **Sanctions Evasion:** Operating through international entities (China and Russia) to circumvent sanctions and funnel funds back to the DPRK.
## Targeting
- **Sectors:** US-based companies and nonprofit organizations (specific sectors are not listed, but the IT roles involved imply high-tech and knowledge-work organizations).
- **Geography:** Targeting organizations based in the **United States**. Workers are managed via DPRK firms located in the **People’s Republic of China (PRC)** and the **Russian Federation (Russia)**.
- **Victims:** Numerous US-based companies and nonprofit organizations. The firm **KnowBe4** was identified as a potential victim where activity was detected and prevented.
## Tools & Infrastructure
- **Malware families used:** Not explicitly mentioned.
- **Infrastructure (C2, domains, IPs):** No C2 servers, domains, or IP addresses are reported. The associated front companies are **Yanbian Silverstar** (PRC) and **Volasys Silverstar** (Russia).
- **Financial Mechanisms:** Demanding cryptocurrency for extortion payments, with increasing ransom amounts noted.
## Implications
This ongoing scheme is a persistent, state-sponsored method for the DPRK to generate hard currency through sanctions evasion and cyber-enabled fraud, underpinning the regime's operations. The escalation to direct data extortion threatens the confidentiality of proprietary data and introduces significant legal and sanctions-compliance risk for organizations that unknowingly employ these workers.
## Mitigations
- **Vetting Employees:** Companies must exercise extreme due diligence when hiring remote IT workers, particularly where candidates or staffing intermediaries could be linked to North Korean labor supply chains.
- **Identity Verification:** Enhance background checks to detect the use of stolen or fraudulent US identities.
- **Security Monitoring:** Maintain heightened monitoring for unusual data exfiltration (for example, bulk access to or transfer of source code) and for internal extortion threats originating from seemingly legitimate employees.
- **Sanctions Awareness:** Organizations should be aware of the known associated DPRK entities (Yanbian Silverstar, Volasys Silverstar) and related operational patterns.