The fraudulent North Korean IT worker scheme took on a new twist when it was reported Nov. 21 that four companies disrupted by the U.S. government on Oct. 10 were traced back to a broader network of front companies originating from China.
Researchers from SentinelLabs said in a Nov. 21 blog post that this new report stands out for three reasons: the link to China, the threat actors' shift to posing as fraudulent companies rather than individual personas, and the discovery of four previously unreported front companies.
“By impersonating legitimate U.S.-based software and technology consulting firms, North Korean actors aim to gain trust and access to sensitive contracts, circumventing sanctions and evading detection,” wrote the SentinelLabs researchers. “These tactics highlight a deliberate and evolving strategy that leverages the global digital economy to fund state activities, including weapons development.”
In October 2023, the U.S. government seized 17 websites that defrauded businesses in the U.S. and abroad by letting North Korean IT workers conceal their true identities when applying online to do remote work around the world. Most notably, leading security company KnowBe4 was victimized by this scheme.
“The recent activity described by SentinelOne represents an evolution rather than a fundamentally new tactic in DPRK's IT worker scheme, shifting from impersonating individuals to mimicking entire companies,” said Callie Guenther, senior manager of cyber threat research at Critical Start. “This approach involves creating cloned websites and copying the branding of legitimate U.S.-based software and consulting firms to secure contracts and obscure the true origins of workers. Unlike previous campaigns, such as the attack on KnowBe4, which involved forged identities for individual employment, this strategy targets larger-scale outsourcing opportunities, potentially generating greater revenue and operational cover.”
Guenther, an SC Media columnist, said DPRK actors are using front companies based in China, Russia, Southeast Asia, and Africa to manage payments and obscure their connection to the North Korean regime. These companies play a key role in the broader scheme, which is also tracked as Wagemole by Palo Alto's Unit42.
“By impersonating organizations rather than individuals, the actors aim to appear more legitimate and secure contracts that provide a more substantial financial return,” said Guenther. “This activity supports North Korea’s efforts to evade sanctions and fund its weapons of mass destruction and ballistic missile programs.”
This scheme represents an evolution in tactics where threat actors are creating entire fake companies rather than just individual personas, allowing them to establish deeper credibility and potentially infiltrate multiple organizations simultaneously, said Stephen Kowski, Field CTO at SlashNext Email Security.
“The creation of sophisticated front companies, particularly in regions like China and Southeast Asia, demonstrates increased sophistication in their ability to mask origins and manage financial transactions,” said Kowski. “This approach builds upon previous tactics, but shows how threat actors are adapting their methods to bypass traditional identity verification processes and security controls.”