Fake North Korean Companies Exploiting IT Workers for Funding
How Fake North Korean Companies Are Used to Mask Their True Agenda
A recent investigation has uncovered that fake companies in the IT and tech consulting sectors are being used by individuals connected to North Korea to disguise their operations. These fake companies, often claiming to be based in the U.S., are being used to generate revenue to support North Korea’s government activities, including its missile programs.
Many of these businesses are registered in places such as China, Russia, Southeast Asia, and Africa, according to SentinelOne security researchers Tom Hegel and Dakota Cary. These front companies help North Korean IT workers hide their real location and identity, making it harder to trace the money they earn back to its source.
Why Is This Happening?
The goal of these operations is to bypass international sanctions on North Korea by earning money illegally. These workers use fake identities to secure remote IT jobs with companies in the U.S. and other countries. A large portion of their earnings is then funneled back to North Korea to finance weapons programs.
For instance, a campaign called “Wagemole,” tracked by Palo Alto Networks Unit 42, shows how North Korean workers use these fake identities to infiltrate companies and send their earnings to the government.
The U.S. Response to the Threat
In October 2023, U.S. authorities shut down 17 websites that were pretending to be legitimate American IT service companies. These sites were being used by North Korean workers to apply for remote jobs and hide their true identities.
Investigations revealed connections to two companies, Yanbian Silverstar Network Technology Co. Ltd. and Volasys Silver Star, based in China and Russia. Payments from these activities were often funneled through online payment platforms and Chinese bank accounts, allowing the money to reach North Korea undetected.
How Fake North Korean Companies Operate
SentinelOne uncovered several fake IT service companies, all registered through NameCheap. These fake companies copied content, designs, and logos from legitimate firms to appear authentic.
Examples of these fake companies include:
- Inditech Lab LLC (inditechlab[.]com): Copied from other fake firms like Shenyang Tonywang Technology LTD.
- Huguo Technology Ltd (huguotechltd[.]com): Used plagiarized content from a real Indian software firm, TatvaSoft.
These tactics reveal a growing effort to exploit the global digital economy to fund North Korea’s government programs.
The Bigger Picture: Phishing and Malware Tactics
North Korean threat groups are also expanding their operations to include malware and insider threats. One such group, known as CL-STA-0237, has been linked to phishing attacks using malware-infected video conferencing apps. The group also exploited a small U.S. IT services company in 2022, securing jobs under false identities to spread malware during interviews.
Some reports suggest the group operates from Laos and has evolved from simply earning money to taking more aggressive actions, such as insider attacks and credential theft.
What Organizations Can Do to Stay Safe
To avoid falling victim to these schemes, experts recommend stronger vetting processes for contractors and employees. By carefully verifying identities and monitoring payment systems, companies can reduce the risk of supporting illicit activities unintentionally.
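One way to check for the copied website content described above during contractor vetting, as an added example that is not from SentinelOne or the original article: it measures how much of a vendor's site text also appears in reference copy from known firms, using word shingles. The company names, sample text and the 0.5 threshold are constructed assumptions.

```python
import re

def shingles(text, k=5):
    """Return the set of k-word shingles from lowercased, punctuation-free text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    if len(words) < k:
        return {" ".join(words)} if words else set()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def containment(candidate, reference, k=5):
    """Fraction of the candidate's shingles that also occur in the reference."""
    c, r = shingles(candidate, k), shingles(reference, k)
    return len(c & r) / len(c) if c else 0.0

def flag_cloned_copy(candidate, references, threshold=0.5, k=5):
    """Return (reference_name, score) pairs at or above threshold, highest first."""
    scored = [(name, containment(candidate, text, k))
              for name, text in references.items()]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

# Constructed sample data: reference copy from two hypothetical legitimate firms.
REFERENCES = {
    "reference-a": ("ExampleSoft is a custom software development company "
                    "delivering web and mobile applications for clients across "
                    "finance, healthcare, and retail since 2005."),
    "reference-b": ("Acme Logistics provides freight forwarding and warehouse "
                    "management services to manufacturers in the region."),
}

# Constructed sample: a vendor site that reuses reference-a with the name swapped.
CANDIDATE = ("NovaBridge Tech is a custom software development company "
             "delivering web and mobile applications for clients across "
             "finance, healthcare, and retail since 2005.")

if __name__ == "__main__":
    for name, score in flag_cloned_copy(CANDIDATE, REFERENCES):
        print(f"{name}: {score:.2f} of vendor text matches; review manually")
```

A high score is a prompt for manual review of the vendor, not proof of fraud, since legitimate firms also share template text.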
Closing Thoughts
North Korea’s use of fake IT companies highlights the need for organizations to remain vigilant. With evolving tactics like phishing and malware, businesses must implement robust security measures to protect themselves from these sophisticated threats.