Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Standards, Regulations & Compliance
US Sanctions North Korean Remote IT Worker Front Companies
Treasury Also Sanctions Chinese Company for Supplying Tech Equipment
The U.S. federal government targeted for sanctions a network of North Korean front companies and a Chinese supplier that support a Pyongyang program of planting remote IT workers into Western corporations.
See Also: VMware Carbon Black App Control
The Department of the Treasury on Thursday blacklisted two firms it accused of operating cadres of North Korean IT workers in Laos, from where the workers use false identities to obtain employment or freelance work. The companies are Korea Osong Shipping and Chonsurim Trading Corporation.
Also added to the U.S. sanctions list - meaning they are effectively cut off from the Western financial system - are Chonsurim President Jong In Chol and Son Kyong Sik, described by the Treasury as a Laos-based representative of a North Korean military bureau dedicated to generating revenue for the cash-starved authoritarian regime. The bureau, Department 53 of the Ministry of the People's Armed Forces, also came under additional Treasury sanctions on Thursday.
The Chinese company, Liaoning China Trade Industry, participated in the conspiracy by supplying Department 53 with computer equipment including laptops, desktops, graphic cards, network cables and HDMI cables, the Treasury said.
The federal government last year stepped up efforts to stamp out North Korean remote IT workers, which the Treasury said generates hundreds of millions of dollars annually – funds that are used to finance the regime's program to develop weapons of mass destruction and ballistic missiles. Pyongyang withholds up to 90% of remote IT worker salaries.
Federal prosecutors in December 2024 indicted 14 North Korean nationals for allegedly using false, stolen and borrowed identities to secure remote work for compatriots in U.S. companies and nonprofits (see: US Indicts 14 North Koreans in IT Scam Funding WMD Programs).
The scam often relies on U.S.-based individuals who operate laptop farms through which North Korean workers connect to corporate networks from a domestic IP address. Prosecutors charged a Tennessee man in August for housing laptops at his residence for North Korean workers between July 2022 and August 2023. They indicted in May 2024 an Arizona woman after an FBI raid on her home discovered more than 90 computers, each with a note attached naming a U.S. company and a putative U.S. identity.
The United States isn't the only target for fake North Korean IT workers. The German federal domestic intelligence agency in October acknowledged that German companies have fallen for the scam. The danger of hiring North Korean workers isn't limited to their fake identities and sanctions-busting illegality. Security companies have warned that the workers also make illicit salary withdrawals and litter their employers with backdoors for future financial exploitation. Cyberespionage is an ever-present danger.
Threat intel company Mandiant in September 2024 advised employers interviewing remote candidates to take basic screening steps such as insisting that all applicants to turn on cameras during interviews. Employers should also look for telltale signs such as a laptop using an IP-based keyboard video mouse, multiple remote admin tools installed on a single system and "mouse jiggling" software that keeps laptops active.
