Tennessee Man Helped DPRK Workers Get Jobs at US Orgs, Fund WMDs

Published: 23/11/2024
Category: security


Tennessee Man Helped DPRK Workers Get Jobs at US Orgs, Fund WMDs


US citizens play middleman between US companies and the North Korean government agents they unwittingly hire.



The US Department of Justice (DoJ) charged a Tennessee resident for helping North Koreans obtain IT jobs at US companies under false pretenses.
In August 2023, FBI agents raided the laptop farms 38-year-old Matthew Isaac Knoot operated out of his Nashville residences. From his laptops, North Korean and Chinese individuals overseas could connect to corporate networks in the US and UK, perform their jobs, and funnel their salaries back to their country's ruling party. According to authorities, this money helps fund North Korean leader Kim Jong-Un's nuclear weapons programs.
For his farming, Knoot has been charged with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft, and conspiracy to cause the unlawful employment of aliens. Those charges carry a maximum penalty of 20 years in prison.
When the COVID-19 pandemic spurred companies to go remote, the Kim regime spotted an opportunity. Since then — and in Knoot's case, since July 2022 — DPRK government agents have been flooding the US job market, with the aim of sending their lucrative earnings back to the government.
The operations have been growing more sophisticated year by year. As Mandiant's North Korean threat hunting team leader Michael Barnhart explains, "There'll be 10 people living in a house, with each person in the house running seven, eight, 10 profiles — getting seven, eight, 10 paychecks, 70 paychecks for one apartment. That money does stack up."
Another sign of improvement: Where once they mainly targeted freelance tech jobs, recently these workers have been earning higher-level roles at specific companies. "You see [they go for] a lot of senior lead-type engineering roles. Why? That's who has the most access to data that you can extort, and you can sell, and you can let your buddies in to do stuff they're looking to do," he says.
The DoJ has observed cases across some of the largest companies in the Fortune 500, spanning industries: finance, media, technology, cybersecurity, and more. At the same time, agents have also been known to infiltrate even small mom-and-pop operations.
"At Black Hat, I talked to five different executives who had hired North Korean employees," reports Roger Grimes, data-driven defense evangelist at KnowBe4, which itself accidentally hired a North Korean agent just recently. "One was a 20-person company, one was a 12-person company. Every company is subject to this sort of attack."
When a North Korean agent living in China or Russia applies for a US job, they don a stolen identity, plus a host of assumed personal assets: a pseudonymous email, social media account, payment account, online job site account, a fake personal website, and more. 
Next, they need a way to connect to corporate networks domestically. That's where a US citizen comes into the picture. "The lures, from what we've seen, have never been: 'Hey, I'm a North Korean. Let's run this scam,'" Barnhart explains. "It's 'You want to make a couple hundred bucks a day by just working from home?' Things like that. 'We have a brand new startup company, but it's overseas. We'd like for you to be the face of the franchise in the US.'"
Agents who worked through Knoot's farm shared the persona of a real US citizen referred to by the DoJ as Andrew M. Once they landed a job, Andrew M. would direct companies to send their new work laptop to Knoot's address. Upon receiving the laptop, Knoot would log in, connect to company networks, and, without permission, install remote desktop applications. These apps allowed North Koreans to connect from overseas and earn more than $250,000 each per year, simply by performing their actual jobs.
Knoot, in turn, earned a monthly fee from a handler who went by the name Yang Di.
The case mirrors a larger one revealed in May, involving a middle-aged Arizona woman, a Ukrainian, and three other foreign nationals. That operation earned millions of dollars from more than 300 different companies.
There are certain characteristic signs that your applicant may not be who they claim to be.
"A big commonality I've heard from people was that the job seeker really has a hard time getting on camera. If the company asks them, they then have some excuse about why they can't," Grimes explains.
Besides that, he adds, "They'll say they work for some big, valid company, but their references [always have] a Gmail or Hotmail address. Their profiles on LinkedIn and other websites have a staleness to them, a simpleness to them that doesn't look quite natural. If their company provides equipment, all of a sudden they'll say you need to ship it to another address that wasn't listed in their résumé or their application. They make up an excuse."
To pick out fake applicants, companies need to be on the lookout for signs like these and others — for example, applicants who provide Voice over Internet Protocol (VoIP) phone numbers. "The number one thing for every company — I don't care what your size is — is you need to now think about and update your HR hiring practices to take into account these potential fake employees," Grimes says, "and try to put in controls that make it harder for them to be successful."
