Active network of North Korean IT front companies exposed
An analysis of the websites belonging to companies that served as a front for getting North Korean IT workers remote jobs with businesses worldwide has revealed an active network of such companies originating in China.
Unearthing North Korean IT front companies
US authorities have been warning about North Korean IT workers’ tactics for bypassing sanctions for a number of years, and have repeatedly seized website domains that looked as if they belonged to legitimate IT services companies but were used to help North Korean IT workers hide their true identities and location when applying for jobs.
They’ve also disrupted US-based schemes aimed at facilitating their employment and perpetrating the deception.
SentinelOne researchers have analyzed the websites of four recently identified front companies (whose domains have been seized), and have uncovered multiple leads that point to an active network of North Korean IT front companies originating in China.
The discovered front company connections (Source: SentinelLabs)
They have also discovered another company, with the domain huguotechltd[.]com and an accompanying website, that they believe to be “closely associated with the (…) four reviewed DPRK IT Worker front companies”. That company and several others are still active.
Advice for organizations
“Front companies, often based in China, Russia, Southeast Asia, and Africa, play a key role in masking the workers’ true origins and managing payments,” researchers Tom Heger and Dakota Cary explained.
“Notable examples include China-based Yanbian Silverstar Network Technology Co. Ltd., disrupted in October 2023, and Russia-based Volasys Silver Star, sanctioned by the U.S. Department of the Treasury in 2018, for their roles in facilitating fraudulent IT operations. These entities helped DPRK workers launder earnings through online payment services and Chinese bank accounts. The payments, often routed through cryptocurrencies or shadow banking systems, ultimately support state programs, including weapons development, circumventing international sanctions.”
Helping North Korea evade sanctions – even inadvertently – can land companies in legal hot water, but they also risk having their intellectual property and data stolen or held for ransom, and their systems compromised.
“Organizations are urged to implement robust vetting processes, including careful scrutiny of potential contractors and suppliers, to mitigate risks and prevent inadvertent support of such illicit operations,” Heger and Cary concluded.
The content and look of the websites the researchers analyzed, for example, were copied from legitimate software and consulting firms headquartered in the United States and India, but imperfectly: the cloned sites sometimes retained a reference to the legitimate company.
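One defender-side vetting check that follows from this tell, as an added example that is not part of the article or of SentinelLabs’ research: scan a prospective vendor’s page for linked domains, mail addresses and copyright holders that belong to someone other than the vendor. The page HTML and both domains below are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a "front company" page cloned from a legitimate firm that
# still carries the legitimate firm's mail domain, CDN host and copyright line.
# Both domains use the reserved .test TLD and are placeholders only.
VENDOR_DOMAIN = "frontco-example.test"
VENDOR_NAME = "FrontCo"
CLONED_PAGE = """
<html><head><title>FrontCo Solutions - Enterprise Software</title></head>
<body>
<a href="https://frontco-example.test/services">Services</a>
<a href="mailto:sales@legitfirm-example.test">Contact sales</a>
<img src="https://cdn.legitfirm-example.test/logo.png">
<footer>&copy; 2023 LegitFirm Inc. All rights reserved.
<a href="https://www.linkedin.com/company/legitfirm-example">LinkedIn</a></footer>
</body></html>
"""

URL_RE = re.compile(r'(?:href|src)="([^"]+)"', re.I)
COPYRIGHT_RE = re.compile(r'(?:&copy;|©)\s*\d{4}\s+([^<.]+)', re.I)
# Shared platforms that any company legitimately links to; not a tell on their own.
IGNORED = {"linkedin.com", "twitter.com", "facebook.com", "github.com"}

def registrable(host):
    """Crude registrable domain for illustration: the last two labels of the host."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def foreign_references(html, vendor_domain, vendor_name):
    """Return (domains, copyright_holders) on the page that do not match the vendor."""
    own = registrable(vendor_domain)
    domains = set()
    for target in URL_RE.findall(html):
        if target.lower().startswith("mailto:"):
            host = target.split("@", 1)[-1]          # domain part of the address
        else:
            host = urlparse(target).hostname or ""    # hostname of href/src URLs
        if host and registrable(host) not in IGNORED and registrable(host) != own:
            domains.add(registrable(host))
    # Copyright holders whose name does not contain the vendor's name.
    holders = {m.strip() for m in COPYRIGHT_RE.findall(html)
               if vendor_name.lower() not in m.lower()}
    return sorted(domains), sorted(holders)

if __name__ == "__main__":
    print(foreign_references(CLONED_PAGE, VENDOR_DOMAIN, VENDOR_NAME))
```

A non-empty result is a prompt for manual review of the vendor, not proof of fraud, since resellers and subsidiaries also reference other firms.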
Palo Alto Networks’ Unit 42 has also recently shared helpful advice for organizations on avoiding putting North Korean IT workers – or worse, hackers – on their payroll.