The FBI has taken down several websites used by North Korean operatives to pose as legitimate businesses from the US and India, likely as part of efforts to raise funds for the country’s nuclear program, according to both statements posted on the websites and investigations by cybersecurity researchers.
On Thursday, cybersecurity firm SentinelOne identified four websites as fronts for North Korea. These sites displayed notices in both English and Korean stating that they had been seized under a US District Court of Massachusetts warrant, part of a coordinated law enforcement initiative against the North Korean government. SentinelOne traced the companies behind the sites to a broader network of organizations based in China.
Biden administration tackles North Korean cyber threats with FBI support
The Biden administration has worked to address the growing security threat posed by these deceptive companies, a challenge that will continue under the incoming Trump administration. According to a White House official, cyberattacks and cryptocurrency theft have funded roughly half of North Korea’s missile program.
The websites operated by these front companies closely resembled those of legitimate US software and consulting firms and encouraged potential clients to reach out for services, SentinelOne’s analysis revealed.
A statement from the FBI, alongside other US law enforcement agencies, highlighted a 2022 warning that North Korea was leveraging thousands of IT workers abroad to covertly generate funds for the regime.
In an investigation that year, CNN revealed that North Korean operatives had attempted to infiltrate US cryptocurrency and tech firms by posing as workers from other countries. One entrepreneur told CNN that, based on information from the FBI, his company had unknowingly transferred tens of thousands of dollars to North Korea.
There are also indications that North Koreans may be receiving assistance from Americans. In May, US federal prosecutors charged an Arizona woman involved in a complex fraud scheme, which helped foreign IT workers pose as Americans and secure jobs with major US companies, generating $6.8 million in revenue that may have benefited Pyongyang.
“These front companies and websites are just the tip of the iceberg,” Tom Hegel, principal threat researcher at SentinelOne, said on Thursday. “What we’ve uncovered is only a small part of a much larger, deeply entrenched operation designed to operate in plain sight.” Hegel and his colleague Dakota Cary traced some of the fraudulent activities back to an address in Liaoning, a Chinese province that borders North Korea.
This is not the first time researchers have linked North Korean IT operations to northeast China. In April, CNN reported on a North Korean computer server containing files that appeared to have been created for US animation studios. Logs from that server indicated multiple connections from internet addresses in northeast China.
