North Korean IT Workers Using Fake Sites to Evade Detection
Research Finds Deep Ties to North Korea Among Fake IT Service Firms' Websites
North Korean state actors are using fake websites of foreign technology service firms to sidestep sanctions and raise funding for the Kim Jong Un regime's weapons development programs, said security firm SentinelOne.
SentinelOne's threat intelligence arm SentinelLabs found North Korean individuals hiding behind front companies based in China, Russia, Southeast Asia and Africa to set up fake IT services and consultancy websites to evade Western sanctions.
These websites, which U.S. law enforcement agencies took down on Oct. 10, mirrored those of software and information technology service providers based in the U.S. and India. They concealed the operators' real locations and identities from law enforcement, and they helped the workers gain clients' trust, win access to sensitive contracts and earn money for North Korea.
SentinelLabs narrowed its focus to four fraudulent websites and found during its investigation that the sites were linked by shared hosting infrastructure at InterServer, common operators and a network of front companies registered in China.
The recent takedown of North Korea-run shadow technology websites follows similar action in Oct. 2023 when law enforcement agencies in the U.S. took down 17 North Korea-run website domains that mimicked domains of legitimate, U.S.-based IT services companies. The Justice Department said North Korean IT workers used these websites to "hide their true identities and location when applying online to do remote work for U.S. and other businesses worldwide."
SentinelLabs researchers found that many of the websites taken down on Oct. 10 were registered in China, but contained sufficient information that investigators could piece together deep ties with the North Korean state.
Shenyang Tonywang Technology, the owner of the fraudulent domain tonywangtech[.]com, was registered in the same building in Shenyang City's Tawan Street as Shenyang Huguo Technology, whose website copied content and logos from software firm TatvaSoft located in Noida, India.
The researchers also found that some of the fraudulent domains were associated with an individual named Tony Wang. Tony WKJ LLC IT Services, whose domain was a copy of that of ArohaTech IT Services based in Noida, branded itself as a U.S. company and shared linkages with HopanaTech, a custom software development company that copied content from the legitimate firm ITechArt. HopanaTech listed Wang Kejia as its contact but used a Tonywkj@Hopana email address in its contact form.
Similarly, HopanaTech's contact Tong Yuze was also the corporate registrant of Beijing Xiwang Technology Company. A closer look at Tong Yuze revealed that he is the corporate registrant of at least two businesses in China. "We hypothesize that his collection of businesses may serve to provide cover for illegal ones," SentinelLabs said.
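The linkage described above (shared hosting, a shared registered address, a contact email reused across fronts) is a standard infrastructure pivot: treat every registration or hosting attribute as an edge and union the domains that share one. The script below is an added example of that pivot and is not SentinelLabs' tooling or data. Every record in it is constructed (RFC 2606 `.example` names, TEST-NET IP addresses, made-up emails and addresses) purely to show how four fronts that each share only one indicator with a neighbour still collapse into a single cluster, while an unrelated site stays separate.

```python
"""Cluster suspect domains by shared registration/hosting indicators.

Added example, not from the SentinelLabs report. All values below are
constructed (RFC 2606 names, TEST-NET addresses); none are real data.
"""
from collections import defaultdict

# Constructed sample records. Each front shares exactly one indicator with
# a neighbour, which is enough for union-find to link all four of them.
RECORDS = [
    {"domain": "a-tech.example", "ip": "192.0.2.10",
     "email": "contact@a-tech.example", "address": "Tawan St, Shenyang"},
    {"domain": "b-soft.example", "ip": "192.0.2.10",
     "email": "ops@b-soft.example", "address": "Building 3, Beijing"},
    {"domain": "c-consult.example", "ip": "192.0.2.44",
     "email": "ops@b-soft.example", "address": "Tawan St, Shenyang"},
    {"domain": "d-it.example", "ip": "192.0.2.44",
     "email": "admin@d-it.example", "address": "Lagos Office"},
    {"domain": "unrelated.example", "ip": "198.51.100.7",
     "email": "hello@unrelated.example", "address": "Austin, TX"},
]

# Pivot only on exact, specific values. A provider name alone (e.g. the
# shared hosting company) is deliberately NOT a key: thousands of legitimate
# sites share a host, so it would merge everything into one useless cluster.
PIVOT_KEYS = ("ip", "email", "address")


def _norm(value):
    """Normalise an indicator so trivial casing/whitespace differences still match."""
    return " ".join(value.split()).lower()


class DisjointSet:
    """Minimal union-find over domain names (path-halving find)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_domains(records, keys=PIVOT_KEYS):
    """Return clusters (sets of domains) linked by any shared pivot value.

    Clusters are ordered largest first so the most connected group leads.
    """
    ds = DisjointSet()
    first_seen = {}  # (key, normalised value) -> first domain carrying it
    for rec in records:
        ds.find(rec["domain"])  # register even if it shares nothing
        for key in keys:
            value = rec.get(key)
            if not value:
                continue
            token = (key, _norm(value))
            if token in first_seen:
                ds.union(first_seen[token], rec["domain"])
            else:
                first_seen[token] = rec["domain"]
    groups = defaultdict(set)
    for rec in records:
        groups[ds.find(rec["domain"])].add(rec["domain"])
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


def shared_indicators(records, cluster, keys=PIVOT_KEYS):
    """Explain a cluster: {(key, value): [domains]} for values seen on 2+ domains."""
    by_value = defaultdict(set)
    for rec in records:
        if rec["domain"] not in cluster:
            continue
        for key in keys:
            value = rec.get(key)
            if value:
                by_value[(key, _norm(value))].add(rec["domain"])
    return {kv: sorted(doms) for kv, doms in by_value.items() if len(doms) > 1}


if __name__ == "__main__":
    for group in cluster_domains(RECORDS):
        print(sorted(group))
        for (key, value), doms in shared_indicators(RECORDS, group).items():
            print(f"  {key}={value}: {', '.join(doms)}")
```

On the constructed data the first cluster contains all four fronts and `shared_indicators` lists the four edges that glue them together; the fifth domain forms its own singleton. When running this over real WHOIS or passive-DNS exports, keep the caveat in the code: privacy-proxy emails, registrar default addresses and shared-hosting IPs are common to many unrelated sites and must be filtered out before they are used as pivot keys, or every legitimate customer of the same host ends up in the "DPRK" cluster.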
"Our research not only exposes the deceptive tactics employed by DPRK IT workers but also connects these efforts to a broader, active network of front companies originating in China," the firm said. "This linkage emphasizes the scale and complexity of North Korea's financial schemes and the importance of vigilance across industries."
The U.S. Justice Department said in May that North Korean IT workers had infiltrated more than 300 U.S. organizations using borrowed or stolen identities of U.S. citizens to pose as domestic workers.
The specially trained IT workers set up accounts on U.S. payment platforms and job sites and used proxy computers located in the U.S. to win contracts and roles with major organizations and earn millions as a result.
"The overseas IT workers gained employment at U.S. companies, including at a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car manufacturer, a luxury retail store, and a U.S.-hallmark media and entertainment company, all of which were Fortune 500 companies," the department said.