The modern world is built on information technology and its reliance on IT is ever growing. Unfortunately, this reliance also provides opportunity for individuals to take advantage of it and look for ways to exploit systems and people for their own gain. The North Korean regime is extremely good at spotting exploitation opportunities, especially when it means providing funds for Kim Jong Un’s nuclear and ballistic weapons program.
North Korean IT workers
North Korea sends thousands of IT workers overseas to countries including China & Russia. These IT workers then gain employment remotely with companies around the world, either directly or through contract IT companies. Not only is employing North Korean IT workers a breach of international sanctions, it is also extremely dangerous to the employing organization. Any degree of access given to the North Korean workers opens the potential for malicious intent and cyber activity. A recent example of this involves a US security company named KnowBe4. The company was looking to hire a software engineer and hired an individual who turned out to be North Korean and was using a stolen US identity; the new hire immediately began loading malware onto a corporate device.
How do North Korean IT workers gain employment?
Back in 2022, the FBI, US Department of State & US Department of the Treasury released an advisory on North Korean IT workers that detailed some of the tactics used to trick companies and gain employment. These tactics include operating under fake or stolen identities and conspiring with US nationals to pose as US citizens. Recently, a man from Tennessee was arrested for allegedly running a laptop farm and providing North Koreans with US internet connections to enable their activity.
Moonstone Sleet
The lines between IT work and malicious cyber activity become very blurred when North Korea is involved. In May of this year, Microsoft released a detailed investigation into a new threat actor labelled Moonstone Sleet. Microsoft’s investigation noted that Moonstone Sleet actors were actively trying to gain employment in software development positions at legitimate companies while also carrying out cyber attacks at the same time.
Pyongyang Papers can reveal that we believe a DPRK IT worker named Sin Chong Min manages a number of IT workers who have been conducting activity associated with Moonstone Sleet. Microsoft’s investigation also detailed the use of an online game called DeTankWar (AKA DeFiTankWar, DeTankZone, TankWarsZone). The game looked legitimate and had a substantial social media presence but appears to be a fraudulent copy of the online game DeFiTankLand. The fraudulent website appeared to use a logo in the style of the legitimate website as well as some of the legitimate game’s gameplay screenshots.
The website logos from the fraudulent DeTankZone & legitimate DefiTankLand websites
Large revenues
Our sources have informed us that Sin Chong Min is believed to be located on the North Korean/China border. Reports suggest that activity by the group is ongoing, as recently investigated malicious packages displayed tactics, techniques & procedures (TTPs) aligned with Moonstone Sleet’s known activity. The latest report by the former UN DPRK Panel of Experts states that DPRK IT workers can earn the regime between $250 million & $600 million annually. This is a huge amount of revenue heading back to the regime, particularly when you consider that this figure does not include other cyber activities such as cryptocurrency thefts.
The North Korean regime will always find ways to evade sanctions in pursuit of more advanced and lethal weapons. IT workers abroad will continue to play a pivotal role in this. Detection of North Korean IT workers such as Sin Chong Min may be extremely difficult. Pyongyang Papers would urge any business looking to hire IT workers to follow the May 2022 advisory and the updated guidance issued in October 2023 by the US and South Korean authorities.
If you have any additional information regarding Sin Chong Min or any other North Korean sanctioned activity, please get in touch through the ‘Contact Us’ page.