LONDON, Nov 21 (Reuters) – Using fake names, fake LinkedIn profiles, fake job papers and fake interview scripts, North Korean IT workers seeking work at Western technology companies are using sophisticated tricks to get a job.
Getting a job outside North Korea to secretly earn hard currency for the isolated state requires highly sophisticated strategies to impress Western hiring managers, according to documents reviewed by Reuters, an interview with a former North Korean IT worker and cybersecurity researchers.
North Korea has sent thousands of IT workers abroad, an effort that has accelerated in the past four years, to bring in millions to fund Pyongyang’s nuclear missile program, according to the United States, South Korea and the United Nations.
“People are free to express thoughts and opinions,” says one interview transcript used by software developers in North Korea, which offers suggestions on how to describe “good company culture” when asked. Expressing one’s thoughts freely can be met with imprisonment in North Korea.
The texts totaling 30 pages were discovered by researchers at Palo Alto Networks (PANW.O), an American cybersecurity company working on… Discover a cache From internal online documents detailing how North Korea’s IT workforce operates remotely.
The documents contain dozens of forged resumes, online profiles, interview notes, and fake identities that North Korean workers used to apply for jobs in software development.
Reuters found further evidence in leaked dark web data that revealed some of the tools and techniques used by North Korean workers to convince companies to hire them for jobs as far away as Chile, New Zealand, the United States, Uzbekistan and the United Arab Emirates.
The documents and statements reveal the intense and resourceful efforts made by the North Korean authorities to ensure the success of the scheme, which has become a vital lifeline of foreign currency for the cash-strapped regime.
The North Korean mission to the United Nations did not respond to a request for comment.
The US Department of Justice said in 2022 that remote IT workers can earn more than ten times what a typical North Korean worker working abroad in construction or other manual jobs, and their teams combined can earn more than $3 million annually. .
Reuters was unable to determine how much the scheme has achieved over the years.
Some texts, designed to prepare workers for interview questions, contain excuses for the need to work remotely.
“I (traveled) to Singapore a few weeks ago. My parents got COVID and I (decided) to be with family for a while. Now, I’m planning to move back to Los Angeles,” said Richard, a senior embedded developer. “Ingelis in three months. I think I can start working remotely now, and then I’ll be on the plane when I get back to Los Angeles.”
A North Korean IT worker who recently defected also examined the documents and confirmed their authenticity to Reuters: “We were creating 20 to 50 fake profiles a year until we got hired.”
He looked at the texts, data and documents and said it was exactly the same thing he was doing because he recognized the tactics and techniques used.
“Once I get hired, I create another fake profile to get a second job,” said the worker, who spoke on condition of anonymity due to security concerns.
In October, the Department of Justice and the Federal Bureau of Investigation (FBI) announced took over 17 website domains that it said North Korean IT workers used to defraud companies out of $1.5 million.
The Justice Department said North Korean developers working for U.S. companies hid behind email and social media accounts under aliases and made millions of dollars annually on behalf of sanctioned North Korean entities through the scheme.
“There is a danger to the North Korean government that these privileged workers are exposed to the dangerous reality of the world and the forced underdevelopment of their country,” said Sokeel Park of Liberty in North Korea (LINK), an organization that works with defectors.
last year, The US government said North Korean IT workers are mainly based in China and Russiasome in Africa and Southeast Asia, and each can earn up to $300,000 a year.
Based on his experience, the former IT worker said everyone is expected to earn at least $100,000, of which 30-40% is repatriated to Pyongyang, 30-60% is spent on overhead expenses, and 10-30% is earned. Workers on it.
He estimated there were about 3,000 others like him abroad, and another 1,000 stationed inside North Korea.
“I worked to earn foreign currency,” he told Reuters. “It varies from person to person, but, basically, once you get a remote job, you can work for a minimum of six months, or for up to three to four years.”
“When you can’t find a job, you can work as a freelancer.”
The researchers, part of the 42nd Cyber Research Unit in Palo Alto, made the discovery when examining a campaign by North Korean hackers targeting software developers.
Unit 42 said a hacker left documents exposed on a server, suggesting links between North Korean hackers and its IT workers, although the defector said the espionage campaigns were reserved for a select few: “Hackers are trained separately. Tasks are “not given to people like us,” he said.
There is still crossover. The Department of Justice and the FBI have warned that North Korean IT workers may use the access to hack their employers, and some leaked resumes indicate their experience in cryptocurrency companies, an industry that North Korean hackers have long targeted.
Data from Constella Intelligence, an identity investigation company, showed that one worker had accounts at more than 20 independent websites in the United States, Britain, Japan, Uzbekistan, Spain, Australia and New Zealand.
The worker did not respond to an email request for comment.
Reuters found that the data, collected from leaks on the dark web, also revealed an account on a website selling digital templates to create realistic-looking fake identity documents, including US driver’s licenses, visas and passports.
The documents uncovered by the unit included 42 resumes for 14 identities, a fake U.S. green card, interview transcripts, and evidence that some workers purchased access to legitimate online profiles in order to appear more honest.
A “Richard” in Singapore who was looking for remote work in IT appears to refer to a fake profile as “Richard Lee” – the same name on his green card. The US Department of Homeland Security did not respond to a request for comment.
Reuters found a LinkedIn account for Richard Lee with the same profile photo that listed his experience at Jumio, a digital identity verification company.
A Jumio spokesperson said: “We have no records indicating that Richard Lee was a current or former employee of Jumio.” “Jumio has no evidence to suggest that the company ever had a North Korean employee among its workforce.”
Reuters sent a message to the LinkedIn account requesting comment, but did not receive any response. LinkedIn removed the account after receiving requests for comment from Reuters.
A company spokesperson said: “Our team uses information from a variety of sources to detect and remove fake accounts, as we did in this case.”
(Reporting by James Pearson) Additional reporting by Ted Hesson and Daphne Psalidakis in Washington (Editing by Chris Sanders and Anna Driver)
Our standards: Thomson Reuters Trust Principles.
“Lifelong food lover. Avid beeraholic. Zombie fanatic. Passionate travel practitioner.”