Submit your essay to the AI-Cybersecurity Essay Prize Competition by January 2, 2025.
The AI-Cybersecurity Essay Prize Competition
Read more
Main Logo Expert commentary on tech and security

Freelance cyber networks fuel North Korean nuclear ambitions

Chandana Seshadri 19 November 2024
Share On:
North Korean freelancers generate millions through global cyber platforms, bypassing sanctions to fund Pyongyang’s programmes
Main Top Image
Image created using Chat GPT-4o

North Korea is one of the states most heavily sanctioned by the UN Security Council. However, Pyongyang has persistently refined its sanctions evasion strategies to raise revenue for its nuclear and ballistic missile programmes. These strategies range from exploiting its diplomatic networks to engaging in cyber-theft, including a reported US$3 billion stolen from the cryptocurrency industry between 2017 and 2023. Now, information technology (IT) workers are adding to the revenue-generating apparatus sustaining the regime.

The mechanics 

North Korean IT workers have sophisticated, multi-layered approaches to evading detection and verification systems. Operating outside North Korea, predominantly in China and Russia and to a lesser extent in Southeast Asia and Africa, they exploit freelance work platforms by pretending to be foreign nationals. 

They are adept at sidestepping authentication and account verification processes by stealing identities or recruiting foreign partners to use their identities in exchange for a share of earnings. They establish direct contracts with clients to bypass freelance platforms and circumvent their verification systems. North Korean IT workers also set up proxies or front companies, further veiling their identities and origin.

 Documents from a recent US court case indicate that these workers use new technologies and digital tools to mask their identities and locations, such as virtual private networks (VPNs), virtual private servers (VPSs), and third-country IP addresses. Research from Google subsidiary cybersecurity firm Mandiant reveals advanced obfuscation methods, including remote access management tools, such as GoToRemote, TeamViewer, and RustDesk, to maintain anonymity. These technologies, combined with identity manipulation tools enhanced by artificial intelligence (AI), enable North Korean IT workers to exploit vulnerabilities in verification systems. Such was the case of US software company KnowBe4, which in July 2024 discovered that it had unknowingly hired an IT worker from North Korea. The software engineer had stolen someone’s identity and used AI-enhancement tools to create a fake picture from stock photographs to bypass identification checks.

The scale of North Korean IT work is alarming. As stated in a 2022 US advisory, these workers provide IT development work in areas as diverse as graphic animation, online gambling programmes, mobile games, and dating applications. South Korea’s National Intelligence Service reported in February 2024 that North Korean IT workers developed and sold software for online gambling platforms, earning up to US$5,000 per site and US$3,000 per month for maintenance – highlighting the profitability of their operations. According to the US advisory, some of these workers earn over US$300,000 annually and ‘teams of [them] can collectively’ surpass US$3 million per year. A large part of their salaries goes to the government in Pyongyang. 

Raising revenues is not the only part of their operations. North Korean IT workers have helped officials from the regime acquire proliferation-sensitive items. Software engineers are potentially dispatched abroad as part of state-run enterprises, such as the Munitions Industry Department, which oversees the country’s research and development of weapons and military equipment.

Security and business implications

North Korean IT workers pose a financial risk and security threat because they have access to sensitive corporate data. Although the services they provide may seem harmless at first, they provide an entry point that can be exploited to facilitate money laundering, cyber espionage, or other illicit activities. The KnowBe4 incident is illustrative. The impostor attempted to ‘manipulate session history files, transfer potentially harmful files, and execute unauthorised software’, highlighting the broader cyber risks inherent in hiring such freelance workers.

Beyond direct security threats, businesses face reputational damage and legal consequences, as the South Korean government has warned. The reputational and financial impact on businesses associated with these actors, from data breaches to loss of client trust, cannot be overstated.

Actioning a coordinated response

Effectively mitigating the risks posed by North Korean IT workers requires a shift from identifying vulnerabilities to implementing concrete, actionable measures. The fragmented enforcement of global sanctions is a critical issue. I reviewed several countries’ counter-proliferation finance efforts and found gaps in awareness of proliferation finance and the scale of North Korea’s sanctions evasion activities. Without understanding the problem’s magnitude, the implementation of sanctions becomes ineffective. Limited resources and inadequate legislative frameworks further weaken interagency cooperation, hindering a coordinated response. 

The freelance industry’s decentralisation poses distinctive challenges, demanding a revamp of vetting mechanisms for candidates, training on identifying trends, and mandatory procedures to scrutinise unverified remote access management tools – all unaddressed by existing counter-proliferation efforts. Compliance frameworks fail to account for the sophisticated identity obfuscation enabled by cutting-edge technology and system flaws. This oversight allows North Korean IT workers to exploit freelance platforms and remote work systems. 

For businesses, the rise of freelance work adds new dimensions of responsibility. Robust identity management systems and updated cybersecurity policies are now imperative, including establishing advance identity verification technologies to help with authentication, monitoring, and auditing processes. 

Raising awareness would disrupt these networks. Many businesses are oblivious to the tactics and risks associated with these IT workers. 

While some jurisdictions have issued advisories, other countries must follow suit to align their efforts. These advisories should be supported with detailed red-flag indicators, enabling businesses to identify potential threats and file timely reports. 

Jurisdictions with robust judicial mechanisms should play a pivotal role, actively blocking websites frequently used by North Korean IT operatives. This effort should be supported by establishment of clear communications channels between the public and private sectors to facilitate swift action. Capacity building initiatives, particularly through civil society organisations like RUSI’s Centre for Finance and Security, offer a unique platform to unite governments and businesses, fostering awareness and developing effective countermeasures. Without a coordinated and multi-sector response, the risks to both financial systems and international security will only escalate.

avatar
Chandana Seshadri

Related

Featured image
Hooked On Trends
Responsible tech business in conflict
Isabel Ebert / Timothy Charlton-Czaplicki 8 March 2024
Read more arrow
Featured image
Hooked On Trends
Fighting fake war imagery
Kye Allen 14 December 2023
Read more arrow
Featured image
Hooked On Trends
Drones enhance defences in the Ukraine war
Mauro Gilli / Niklas Masuhr 10 January 2024
Read more arrow

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by the European Cyber Conflict Research Incubator (“ECCRI CIC”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by ECCRI CIC.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants ECCRI CIC exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

ECCRI CIC, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify ECCRI CIC, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

ECCRI CIC reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond ECCRI CIC’s reasonable control impairs the integrity or proper functioning of the Competition, as determined by ECCRI CIC in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, ECCRI CIC reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.