WTH? DPRK WFH Ransomware Redux: 3rd Person Charged

19

North Korean army of remote IT workers enabled by Matthew Isaac Knoot, alleges⁠ ⁠DoJ.

The U.S. Justice Department says N. Korean hackers are getting remote IT jobs, posing as Americans. They’re funneling their pay into Pyongyang’s nuclear weapons program and likely leaving ransomware infections. And the people helping them face jail.

If you’re feeling some déjà vu, that’s because the DoJ arrested the prime pair of purported perps in mid-May—this is now the third such arrest. In today’s SB  Blogwatch, we get busy.

Your humble blog­watcher curated these bloggy bits for your enter­tain­ment. Not to mention:  People are suffragettes.

친애하는 리더의 풀 리퀘스트

What’s the craic? Sergiu Gatlan reports: US dismantles laptop farm used by undercover North Korean IT workers

“North Korean malicious actor”
A DOJ press release says … Knoot, 38, helped North Koreans use a stolen identity to pose as Andrew M., a U.S. citizen, who provided housing for company-provided laptops, and helped launder payments for the remote IT work to North Korean and Chinese accounts. … “Without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage to the computers. … The remote desktop applications enabled the North Korean IT workers to work from locations in China, while appearing to the victim companies that ‘Andrew M.’ was working from … Nashville.”

Knoot is the second American arrested and charged with helping North Korea’s hackers. [It] emphasizes the ongoing danger presented by North Korean threat actors who impersonate U.S.-based IT staff, something that the FBI has warned about since 2023.

Last month, American cybersecurity company KnowBe4 revealed that they had hired a Principal Software Engineer who turned out to be a North Korean malicious actor who immediately attempted to install information-stealing software on company-provided devices. This happened even though KnowBe4 conducted background checks, verified references, and conducted four video interviews.

Not only American firms. Jonathan Greig adds colo[u]r: 20 years in prison

“Thousands of skilled IT workers”
A 38-year-old man from Nashville, Tennessee was charged … for his alleged role in helping the North Korean government get officials hired in IT roles at American and British companies. … According to the indictment, the workers used the stolen identity of a U.S. citizen.

The Justice Department said North Korea has sent thousands of skilled IT workers to live in China, Russia and other countries, with the end goal of obtaining employment. … The workers use fake emails, social media accounts, and a web of fake websites, proxy computers and third parties across the U.S. like Knoot.

The [DoJ] said each worker was paid more than $250,000 for their IT work. Knoot also paid taxes for the earnings under the stolen identity. If convicted, Knoot is facing a maximum sentence of 20 years in prison based on several charges including money laundering, wire fraud and identity theft.

How did the scam work? Here’s our own Jeffrey Burt: Another North Korean ‘Laptop Farm’

“AI”
Federal law enforcement is continuing to target participants in ongoing North Korean schemes. … The sophisticated scam … stole hundreds of thousands of dollars from organizations and caused another $500,000 in costs to remediate their PCs, networks, and other systems. [It] was one of a number of such scams being run by North Korean intelligence agencies.

The North Korean operatives will do the work for those businesses but also will send much of the money they earn back to the country’s leaders to bypass international sanctions and fund their nuclear and ballistic weapon programs. They also will install malware into their corporate-issued PCs to break into the network and steal information.

The fake IT workers use stolen identities and AI-altered photos to convince organizations to hire them. … The North Korean IT workers [would] appear as though they were working from Knoot’s home while actually being located in China.

How much did Knoot allegedly make? keltorsori read the full indictment, so we don’t have to:

It’s pretty dry, even for a fed grand jury indictment. … Interesting parts mostly being that he was only paid $15,100, despite having agreed to $500/per laptop/per month and 20% of net income. So he should have made out pretty well, but will likely be regretting everything for a long time.

No honor among thieves? Michael Hoffmann scoffs:

Versus the risk of 20 years in federal prison, … then he is an absolute and utter moron! … And for helping NK with weapons, I dare-say the sentencing guidelines will slew much more towards those 20 years than 2. If they find something constituting espionage, he’s leaving jail on the far side of retirement age, if ever.

How does such a thing happen? You say you want a u/Revolution4u, well, y’know, we all wanna change the world:

It’s not hard when so many Americans are being ground down with no chance of escape. Low income people are basically trapped in **** jobs — if someone even offers just the median salary, lots of people would take it and do this kind of thing. Especially since they don’t see anyone being directly harmed from it.

How could the employers not know? ctilsie242 wouldn’t be surprised if they did:

I wouldn’t be surprised if it were deliberate. With all the push for offshoring to the cheapest people possible, I wouldn’t be surprised if some companies knew they were moving work to the DPRK, via some offshore consultant company where the company would give enough plausible deniability.

Those people that were claimed to be from Bangalore would really be working out of Pyongyang. AFIAK, a consulting company in India could do this legally. … I wouldn’t be surprised if entire development teams and such are in North Korea, with the main company playing wink, wink, nod, nod.

Remind me why this is a security story? AusPeter gets sneaky:

The perfect way to execute a ransomware campaign is to be invited into a network via a job offer and not do anything nefarious until the time is right. Sure, these people were earning hard currency for NK to fund its state programs, but the network access makes it a potential twofer.

What are their working conditions like? u/Sasselhoff has seen it all before:

They were basically slaves for the North Korean government. I used to see them when I was living in China (there are some that were allowed to work outside of NK). They’d all be marched to work as a group, they’d all go home as a group, and they’d all go shopping together as a group.

Sure, they had a job and weren’t living in NK, but they didn’t get to keep the money they earned. It was all sent back to be used by the government. And what does the government use it for? To try and make nuclear bombs so they can play at the big kids table.

Meanwhile, enoch2001 wishes for harsher treatment of the accused man:

Uhhh, he’s only being charged with “wire fraud, intentional damage to protected computers, aggravated identity theft, and conspiracy to cause the unlawful employment of aliens”? How about betraying your country? Dude is a traitor … and should be tried as an enemy of the US people.

And Finally:

Wonderful sacrilege

Previously in And Finally

You have been reading SB  Blogwatch by Richi  Jennings. Richi curates the best bloggy bits, finest forums, and weird­est web­sites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past per­formance is no guar­antee of future results. Do not stare into laser with re­maining eye. E&OE. 30.

Image sauce: Roman Harak (cc:by-sa; leveled, cropped and macroed)





Images are for reference only.Images and contents gathered automatic from google or 3rd party sources.All rights on the images and contents are with their legal original owners.

Aggregated From –

Comments are closed, but trackbacks and pingbacks are open.