North Korea’s Cyber Workers Pose Growing Threat to Global Security


We’ve seen how North Korea has become an increasingly powerful cyber enemy, wreaking havoc on countries and companies in the West. This threat is real, and it comes from the nation’s top-notch cyber operations. These operations are responsible for its ability to steal intellectual property and siphon off billions in cryptocurrency, further financing its nuclear weapons program. The regime’s IT workers are growing more active, and they are increasingly located outside of North Korea, primarily in China and Russia. They have developed elaborate strategies to penetrate multinational corporations as remote workers.

The shadowy work of North Korean IT professionals has long constituted a threat, causing concern for cybersecurity specialists and government officials alike. These people quickly move on to other remote roles, going through the application process using fake identities and deepfake technology to hide their location. They are part of a connected international web that carries out the wishes of Kim Jong Un’s dictatorship. The regime imposes metrics-driven demands on the teams it puts to work on cybercrime.

The Mechanics of Deception

North Korean IT workers show considerable skill in deception. During video interviews, they alter their appearance with face-changing software while using AI assistants to adapt their responses in real time. This technological advantage helps them make a strong case that they are solid contenders for remote work.

Michael “Barni” Barnhart, a former Defense Intelligence Agency officer, is an expert in North Korean cyber capabilities. He has raised the alarm about the flood of applications these workers submit. He stated, “IT workers play the numbers game and are applying for remote roles in volume.” This strategy improves their odds of success while making them harder to track and catch.

They go beyond impersonation tactics. More commonly, they create detailed fictitious identities or use compromised identities to penetrate numerous organizations simultaneously. Barnhart noted, “There’s a lot to unpack in that one image,” referring to the various layers of identity manipulation that these workers engage in.

North Korean IT workers are under perpetual observation from the regime. This iron grip ensures their loyalty and crushes any desire or ability to jump ship. Barnhart explained, “The MSS watches them so they don’t become defectors,” highlighting the tight control the government maintains over its cyber workforce.

A State-Sponsored Crime Syndicate

Compared with more typical military or intelligence operations, North Korea’s cyber operations are relatively unique. Experts have even gone so far as to compare them to a “state-sanctioned crime syndicate.” They say the overall goals are to enrich the regime, advance weapons development and collect intelligence. This aggressive strategy has fueled a wave of headline-grabbing cyber robberies. Among these incidents are the infamous DeltaPrime hack and, more recently, a jaw-dropping $1.5 billion hack of crypto exchange Bybit.

Unlike ordinary cybercriminals, North Korea’s hackers have a specific focus driven by the regime. They are motivated by financial profit and the pursuit of technological development. The regime’s focus on developing its own technology is evident in its systematic theft of intellectual property from foreign companies.

Barnhart stressed that a strategic reassessment of how the international community should approach the North Korean cyber threat is critical. He remarked, “What we’re doing isn’t working, and if it is working, it’s not working fast enough.” Even among industry experts (truck makers, manufacturers, tech developers) there is mounting consensus that stronger measures are needed. Their mission is to outsmart and outpace the ever-changing strategies of North Korean cyber operatives.

International Response and Sanctions

We applaud the United States government for taking strong and decisive action against the growing threat from North Korea’s IT workers. Most importantly, it is actively sanctioning organizations tied to these operations. As recently as May 2023, Chinyong Information Technology Cooperation Company was placed under sanctions. This decision represented an important move toward rolling back harmful North Korean cyber operations. In January 2024, the U.S. Treasury Department sanctioned two North Korean front companies and their operatives based in China and Laos.

In many ways, these sanctions are the most recent incarnation of a larger strategy to disrupt the financial networks that empower North Korea’s cyber arsenal. Experts contend that these measures are of little use, because the regime is always changing its methods and finding new ways to avoid getting caught.

Barnhart pointed out that even as measures are implemented, “North Korea has already moved on to their next point and now they’re subcontracting and creating another layer of obfuscation there, too.” This further underscores the ongoing game of cat-and-mouse between North Korean cyber operatives and international authorities.


About Author

Alex Lorel
