Heightened cybersecurity risks posed by North Korean IT workers impersonating non-DPRK Nationals

By Kristofer Swanson and Patricia Peláez, both Andersen Alumni and now working for Charles River Associates Forensic Services Practice as Vice President & Practice Leader and Principal, respectively

Based on our experience in recent client matters, we have seen an escalating threat posed by Democratic People’s Republic of Korea (DPRK) information technology (IT) workers engaging in sophisticated schemes to evade US and UN sanctions, steal intellectual property from US companies, and/or deploy ransomware into company IT environments, with the proceeds supporting North Korea’s illicit weapons programs.

What Information Should You Know?

In general, the scheme involves the use of deceptive tactics, including stolen identities and remote access technology tools, to secure IT employee or contractor positions within US-based employers. The allure of high pay for these roles, coupled with a comparatively low risk of detection, makes this scheme particularly enticing for DPRK operatives.

The US Department of Justice announced in a recent court-approved seizure action [1]:

“As alleged in court documents, the Government of the Democratic People’s Republic of Korea (DPRK) dispatched thousands of skilled IT workers to live abroad, primarily in China and Russia, with the aim of deceiving U.S. and other businesses worldwide into hiring them as freelance IT workers, in order to generate revenue for its weapons of mass destruction (WMD) programs. Through this scheme, which involves the use of pseudonymous email, social media, payment platform and online job site accounts, as well as false websites, proxy computers located in the United States and elsewhere, and witting and unwitting third parties, the IT workers generated millions of dollars a year on behalf of designated entities, such as the North Korean Ministry of Defense and others, directly involved in the DPRK’s UN-prohibited WMD programs.”

What Can You Do With This Information?

We recommend that companies mitigate this risk by using a risk-based approach to:

• conduct enhanced due diligence on employee/contractor candidates.

• strengthen ongoing monitoring capabilities of employees/contractors.

• bolster defenses against the inappropriate exfiltration of valuable information.

• reduce the risk of remote access tools being installed or launched in ways that bypass the usual requirement for administrator privileges (for example, portable or per-user installs that run from user-writable directories and never prompt for elevation).

• prepare to better respond to ransomware and other cyber incident response situations.
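One concrete way to act on the remote access tool recommendation above is to review process or endpoint telemetry for remote access binaries running from locations a standard user can write to, since a tool that was installed normally lives under Program Files and needed elevation to get there. The script below is an added example written for this article, not code from the authors or from CRA; the tool watchlist, the path markers, and the process records it scans are assumptions constructed for illustration and should be replaced with your own inventory and EDR export.

```python
"""Flag remote-access tool binaries running from user-writable paths.

Added example, not from the original article. Heuristic: a remote access
tool whose image lives under the user's profile (AppData, Temp, Downloads,
Desktop) was dropped as a portable or per-user install that did not need
administrator privileges; one under Program Files went through a normal,
elevated install. Tool names, path markers and sample records are assumed.
"""
from dataclasses import dataclass
import ntpath  # Windows path semantics regardless of the host OS
from typing import Iterable, List, Optional

# Assumed watchlist of common remote access / RMM executable name stems.
# Matching on the stem also catches versioned downloads such as
# "anydesk-8.0.exe" or "rustdesk-1.2.3.exe".
REMOTE_ACCESS_TOOL_STEMS = (
    "anydesk", "teamviewer", "rustdesk", "remotepc", "splashtop",
    "screenconnect", "atera", "ultraviewer", "chromeremotedesktophost",
)

# Lower-cased directory fragments a standard (non-admin) user can write to.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\", "\\public\\",
)
# Fragments that normally require elevation to write into.
SYSTEM_INSTALL_MARKERS = (
    "\\program files\\", "\\program files (x86)\\", "\\windows\\",
)


@dataclass(frozen=True)
class ProcessRecord:
    host: str
    user: str
    image_path: str


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tool: str
    image_path: str
    severity: str  # "high": user-writable path, "info": normal install, "medium": elsewhere


def classify(record: ProcessRecord) -> Optional[Finding]:
    """Return a Finding if the process is a watched remote access tool."""
    base = ntpath.basename(record.image_path).lower()
    tool = next((s for s in REMOTE_ACCESS_TOOL_STEMS if base.startswith(s)), None)
    if tool is None:
        return None
    path = record.image_path.lower()
    if any(m in path for m in USER_WRITABLE_MARKERS):
        severity = "high"      # launched without ever needing admin rights
    elif any(m in path for m in SYSTEM_INSTALL_MARKERS):
        severity = "info"      # elevated install; confirm it is sanctioned
    else:
        severity = "medium"    # unusual location (removable drive, etc.); review
    return Finding(record.host, record.user, tool, record.image_path, severity)


def scan(records: Iterable[ProcessRecord]) -> List[Finding]:
    """Run classify() over an iterable of process records, keeping only hits."""
    return [f for f in map(classify, records) if f is not None]


# Constructed sample telemetry (hostnames, users and paths are made up).
SAMPLE_PROCESSES = [
    ProcessRecord("WS-0142", "CORP\\alice", "C:\\Program Files\\TeamViewer\\TeamViewer.exe"),
    ProcessRecord("WS-0142", "CORP\\alice", "C:\\Windows\\System32\\svchost.exe"),
    ProcessRecord("WS-0377", "CORP\\bob", "C:\\Users\\bob\\AppData\\Local\\AnyDesk\\AnyDesk.exe"),
    ProcessRecord("WS-0377", "CORP\\bob", "C:\\Users\\bob\\Downloads\\rustdesk-1.2.3.exe"),
    ProcessRecord("WS-0512", "CORP\\carol", "C:\\Users\\carol\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe"),
    ProcessRecord("WS-0609", "CORP\\dave", "D:\\portable\\anydesk.exe"),
]


if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESSES):
        print(f"{f.severity:6} {f.host} {f.user} {f.tool} <- {f.image_path}")
```

Run against a real process export, the "high" findings are the ones to escalate to the monitoring and incident response steps above; "info" hits still deserve a cross-check against the list of remote access tools the organization has actually approved.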

We invite you to reach out to continue the conversation on how to most effectively detect, prevent, and correct this or other types of fraud, cybercrime, misconduct, and non-compliance. Kris and Patricia can be reached via email at kswanson@crai.com and ppelaez@crai.com, respectively.

[1] https://www.justice.gov/opa/pr/justice-department-...

About Charles River Associates (CRA): Operating from ten countries around the world, CRA’s clients over the past two years included 97% of the AmLaw 100 law firms, and 81% of the Fortune 100 companies.

Our Forensic Services Practice has been recognized by The National Law Journal as being one of the top three Forensic Accounting Providers in the country; by Global Investigations Review as one of the leading investigative consultancies from around the world for handling sophisticated cross-border, government-driven and internal investigations; and by Chambers in recognition of our deep litigation support and crisis & risk management competencies. The Practice, including our state-of-the-art digital forensics and our eDiscovery & cyber incident response labs, has been certified under International Organization for Standardization (ISO) 27001:2013 requirements as part of our industry-leading commitment to our clients and their information security. CRA maintains private investigator licenses in multiple jurisdictions, as listed on our website (www.crai.com).