North Korean Front Companies Impersonate U.S. IT Firms to Fund Missile Programs
Summary:
Security researchers at SentinelOne have provided a new analysis of components of the broader DPRK fake IT worker scheme. This scheme involves the Democratic People's Republic of Korea (DPRK) impersonating U.S.-based software and technology consulting businesses in order to further their financial objectives. SentinelLabs has identified unique characteristics of four websites associated with four DPRK IT Worker front companies that were seized by the US Government and leveraged them to link this cluster of activity to several front companies created in China that remain active today. SentinelLabs assesses with high confidence that these front companies are part of a larger set of organizations also created in China. Front companies, often based in China, Russia, Southeast Asia, and Africa, play a key role in masking the North Korean IT workers’ true origins and managing payments.
This SentinelOne report explores the four newly identified examples of DPRK IT Worker front companies all registered through NameCheap, a web hosting and domain registration company. All four of these front companies copy their website format from legitimate software development consulting companies. On October 10th, the US Government seized the four domains belonging to the four front companies above, disrupting their operations. Using details from these four companies, SentinelLabs was able to find multiple leads to an active network of DPRK IT front companies originating in China.
Using an address in a snapshot of Shenyang Tonywang Technology’s website from early 2024, SentinelOne identified an additional company that is highly close in proximity to the address. This additional company is Shenyang Huguo Technology Ltd. It uses the huguotechltd[.]com domain in a similar fashion to the previous four front companies and uses copied content from a legitimate Indian software company called Tatvasoft. The domain was also registered via NameCheap and continues to be hosted at 103.15.29[.]44. HopanaTech’s website, hopanatech[.]com, listed three contacts before it was taken down by law enforcement, one of them being Wang Kejia with the email address “tonywkj”. The Tonywkj@Hopana email address establishes a link between Wang Kejia, a real person who is a resident of the address in New Jersey and the “Tony WKJ LLC”. The HopanaTech website that lists the Tonywkj email address also lists Tong Yuze, the same name used as the corporate registrant for another front company Beijing Xiwang Technology. The assertion that this is another front company is reinforced by the fact that Beijing Xiwang Technology only pays insurance for one person. Tong Yuze is currently listed as the corporate registrant of 25 companies in China, including many real restaurant companies. Sentinel One hypothesizes that this collection of real businesses may be this individuals way of serving as a cut-out for the DPRK, providing cover for their illegal operations.
Security Officer Comments:
These schemes present more than just insider threat security risks to employers like intellectual property theft and malware implantation, they also present potential legal violation risks and reputational damage. Addressing these potential threats requires organizations to implement a stringent vetting process for potential employees to limit North Korea’s ability to exploit the global IT market. Analysis of their TTPs and the methods they use to appear more legitimate to targeted organizations is critical to developing a security posture that is effective at defending against similar threats.
Suggested Corrections:
https://thehackernews.com/2024/11/north-korean-front-companies.html
https://www.sentinelone.com/labs/dp..ive-front-companies-and-their-links-to-china/
https://www.sentinelone.com/blog/pinnacleone-execbrief-north-korean-it-worker-threat/
Security researchers at SentinelOne have provided a new analysis of components of the broader DPRK fake IT worker scheme. This scheme involves the Democratic People's Republic of Korea (DPRK) impersonating U.S.-based software and technology consulting businesses in order to further their financial objectives. SentinelLabs has identified unique characteristics of four websites associated with four DPRK IT Worker front companies that were seized by the US Government and leveraged them to link this cluster of activity to several front companies created in China that remain active today. SentinelLabs assesses with high confidence that these front companies are part of a larger set of organizations also created in China. Front companies, often based in China, Russia, Southeast Asia, and Africa, play a key role in masking the North Korean IT workers’ true origins and managing payments.
This SentinelOne report explores the four newly identified examples of DPRK IT Worker front companies all registered through NameCheap, a web hosting and domain registration company. All four of these front companies copy their website format from legitimate software development consulting companies. On October 10th, the US Government seized the four domains belonging to the four front companies above, disrupting their operations. Using details from these four companies, SentinelLabs was able to find multiple leads to an active network of DPRK IT front companies originating in China.
Using an address in a snapshot of Shenyang Tonywang Technology’s website from early 2024, SentinelOne identified an additional company that is highly close in proximity to the address. This additional company is Shenyang Huguo Technology Ltd. It uses the huguotechltd[.]com domain in a similar fashion to the previous four front companies and uses copied content from a legitimate Indian software company called Tatvasoft. The domain was also registered via NameCheap and continues to be hosted at 103.15.29[.]44. HopanaTech’s website, hopanatech[.]com, listed three contacts before it was taken down by law enforcement, one of them being Wang Kejia with the email address “tonywkj”. The Tonywkj@Hopana email address establishes a link between Wang Kejia, a real person who is a resident of the address in New Jersey and the “Tony WKJ LLC”. The HopanaTech website that lists the Tonywkj email address also lists Tong Yuze, the same name used as the corporate registrant for another front company Beijing Xiwang Technology. The assertion that this is another front company is reinforced by the fact that Beijing Xiwang Technology only pays insurance for one person. Tong Yuze is currently listed as the corporate registrant of 25 companies in China, including many real restaurant companies. Sentinel One hypothesizes that this collection of real businesses may be this individuals way of serving as a cut-out for the DPRK, providing cover for their illegal operations.
Security Officer Comments:
These schemes present more than just insider threat security risks to employers like intellectual property theft and malware implantation, they also present potential legal violation risks and reputational damage. Addressing these potential threats requires organizations to implement a stringent vetting process for potential employees to limit North Korea’s ability to exploit the global IT market. Analysis of their TTPs and the methods they use to appear more legitimate to targeted organizations is critical to developing a security posture that is effective at defending against similar threats.
Suggested Corrections:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs and State-sponsored actors. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://thehackernews.com/2024/11/north-korean-front-companies.html
https://www.sentinelone.com/labs/dp..ive-front-companies-and-their-links-to-china/
https://www.sentinelone.com/blog/pinnacleone-execbrief-north-korean-it-worker-threat/