The United States Department of Justice (DoJ) has announced the indictment of five men – two North Koreans, a Mexican and two American citizens – in a developing scandal that saw North Korean operatives obtain remote IT contractor positions with US companies to generate funds for the isolated regime.
Named on Thursday 23 January as Jin Sung-Il, Pak Jin-Song, Pedro Ernesto Alonso De Los Reyes, Erick Ntekereze Prince and Emanuel Ashtor, the men are accused of running a scheme dating back to April 2018 in which 64 companies unwittingly employed remote North Korean staffers, with payments from 10 of those companies generating more than $860,000 alone. This money was laundered through a Chinese bank account.
The two Americans, Ntekereze and Ashtor, operated a laptop farm from Ashtor’s home in the state of North Carolina, from where they hosted victim-company-supplied laptops to deceive their victims into thinking their new employees were based in the US.
Both Ntekereze and Ashtor are in custody following an FBI sting, while Alonso is in custody in the Netherlands pending extradition. The North Koreans remain at large with little chance they will face justice.
“The Department of Justice remains committed to disrupting North Korea’s cyber-enabled sanctions-evading schemes, which seek to trick US companies into funding the North Korean regime’s priorities, including its weapons programmes,” said supervisory official Devin DeBacker of the Justice Department’s National Security Division.
“Our commitment includes the vigorous pursuit of both the North Korean actors and those providing them with material support. It also includes standing side-by-side with US companies to not only disrupt ongoing victimisation, but to help them independently detect and prevent such schemes in the future.”
According to the US government, North Korea has dispatched thousands of skilled IT workers to live abroad – mainly in China and Russia – to deceive western businesses into hiring them as freelance IT workers.
The job ‘creation’ scheme involves the use of pseudonymous email, social media, payment platform and online job site accounts, as well as fake websites, a network of proxy computers, and third parties both witting and unwitting.
The defendants are further accused of using forged and stolen passports to conceal the identities of their North Korean co-conspirators to enable them to evade sanctions and other laws.
All five face charges of conspiracy to cause damage to a protected computer, conspiracy to commit wire fraud and mail fraud, conspiracy to commit money laundering, and conspiracy to transfer false identification documents. The North Koreans are further charged with conspiracy to violate the International Emergency Economic Powers Act, while the other three men all face a maximum jail sentence of 20 years if convicted.
The heat is on
The discovery of fake North Korean IT staffers plugging in to corporate systems has been making headlines in the US for months. Michael Barnhart, who leads the North Korean threat hunting team at Google Cloud’s Mandiant, said that increased pressure from law enforcement and media coverage was having an impact on the success of the scheme.
However, he cautioned, an unfortunate byproduct of this is that, now that they are facing repercussions, the North Koreans are becoming more aggressive in their tactics.
“We are increasingly seeing North Korean IT workers infiltrating larger organisations to steal sensitive data and follow through on their extortion threats against these enterprises. It’s also unsurprising to see them expanding their operations into Europe to replicate their success, as it’s easier to entrap citizens who aren’t familiar with their ploy,” said Barnhart.
“North Korean IT workers are also exploiting some companies that have begun using virtual desktop infrastructure [VDI] for their remote employees instead of sending them physical laptops. While this is more cost-effective to the company, it’s easier for the threat actors to hide their malicious activity,” he told Computer Weekly via email.
“As a result, North Korean IT workers are turning a company’s short-term savings into long-term security risks and financial losses, so it’s imperative for more businesses to pay attention to these operations.”
Rafe Pilling, director of threat intelligence at the Secureworks Counter Threat Unit, said that he had been tracking individuals involved in the scheme for 12 months and had observed them ramping up their use of deepfakes and artificial intelligence (AI) as useful tools in their deception.
“To counter state-sponsored groups, like Nickel Tapestry, it’s crucial to understand not only how their tradecraft is changing but also where it began,” said Pilling. “Businesses must stay vigilant and ensure they understand how best to mitigate this threat.”
Top tips for recruiters
For organisations hiring remote IT contractors, Pilling offered a five-point checklist to safeguard the recruitment process against infiltration:
- Verify identity: Always cross-check personal details and work history with official documentation.
- Watch for red flags: During in-person – or video – interviews, be alert to unusual behaviour. Long pauses or evasive answers could herald trouble.
- Be alert when onboarding: Candidates who may not be on the level might request address changes or ask to have their pay routed through money transfer services.
- Limit remote access: Restrict the use of unauthorised remote tools and ensure new hires only have access to tools that are strictly necessary.
- Practise ongoing vigilance: Monitor employees after hiring to confirm the person who obtained the contract is the person ‘showing up’.
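The last two checklist items, and the laptop farm described earlier in the article, lend themselves to simple telemetry checks. The script below is an added example written for this page; it is not Secureworks' or Mandiant's tooling and not from the indictment. It runs over constructed endpoint check-in records and flags three patterns a defender would want surfaced: remote-access software that is not on the company's allowlist, several different employees' corporate laptops reporting from one public IP address (the shape a laptop farm produces), and a device observed in a country other than the one the employee declared at onboarding. The field names, the approved-tool allowlist and every record are assumptions made for the example.

```python
"""Added example, not part of the Computer Weekly article or any vendor's product.
Checks over endpoint check-in telemetry that support the 'limit remote access'
and 'ongoing vigilance' items: unauthorised remote-access tools, many employees
behind one public IP, and observed-vs-declared location mismatches.
All data, field names and tool names below are constructed for illustration."""

from collections import defaultdict
from dataclasses import dataclass, field

# Remote-access software the (hypothetical) company has sanctioned.
# Anything else seen on an endpoint is treated as unauthorised. Assumption.
APPROVED_REMOTE_TOOLS = {"corp-vpn-client", "corp-rdp-gateway"}


@dataclass
class CheckIn:
    device_id: str
    employee: str
    public_ip: str         # source address the endpoint reported from
    country: str           # geo of public_ip as resolved by the telemetry pipeline
    declared_country: str  # where the employee said they live at onboarding
    remote_tools: list = field(default_factory=list)  # remote-access software installed


# Constructed telemetry: five devices, three of them sharing one residential IP,
# two carrying placeholder remote-access tools that are not on the allowlist.
SAMPLE_CHECKINS = [
    CheckIn("LT-1001", "a.smith", "203.0.113.10", "US", "US", ["corp-vpn-client"]),
    CheckIn("LT-1002", "b.jones", "203.0.113.10", "US", "US", ["corp-vpn-client", "rmm-tool-a"]),
    CheckIn("LT-1003", "c.lee",   "203.0.113.10", "US", "US", ["rmm-tool-b"]),
    CheckIn("LT-1004", "d.khan",  "198.51.100.7", "US", "US", ["corp-vpn-client"]),
    CheckIn("LT-1005", "e.ortiz", "192.0.2.44",   "CN", "US", ["corp-vpn-client"]),
]


def unauthorised_tools(checkins, approved=APPROVED_REMOTE_TOOLS):
    """Return {device_id: sorted remote-access tools not on the allowlist}."""
    findings = {}
    for c in checkins:
        extra = sorted({t.lower() for t in c.remote_tools} - approved)
        if extra:
            findings[c.device_id] = extra
    return findings


def shared_ip_clusters(checkins, min_employees=2):
    """Return {public_ip: sorted employees} for IPs used by at least min_employees
    distinct people. One household on one IP is normal; several unrelated new
    hires on one IP is the pattern a laptop farm produces and merits review."""
    by_ip = defaultdict(set)
    for c in checkins:
        by_ip[c.public_ip].add(c.employee)
    return {ip: sorted(emps) for ip, emps in by_ip.items() if len(emps) >= min_employees}


def location_mismatches(checkins):
    """Return device_ids whose observed country differs from the declared one."""
    return sorted(c.device_id for c in checkins if c.country != c.declared_country)


def review_report(checkins):
    """Bundle the three checks into one dict for a periodic review."""
    return {
        "unauthorised_tools": unauthorised_tools(checkins),
        "shared_ip_clusters": shared_ip_clusters(checkins),
        "location_mismatches": location_mismatches(checkins),
    }


if __name__ == "__main__":
    for section, hits in review_report(SAMPLE_CHECKINS).items():
        print(f"{section}: {hits}")
```

None of these hits is proof of anything on its own; the point is to route them to a human who can confirm that the person on the contract is the person using the laptop, which is what the checklist asks for.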