North Korean IT Workers Exploit GitHub to Launch Global Cyber Attacks

A network of suspected North Korean IT workers is using GitHub to create and backstop fake personas, aiming to infiltrate companies globally, particularly in Japan and the United States.

DPRK-Linked Network Targets Companies in Japan and US

Cybersecurity firm Nisos has uncovered this operation, which appears to be part of Pyongyang’s efforts to fund its ballistic missile and nuclear weapons programs.

The network’s modus operandi involves creating elaborate backstories for these personas, claiming Vietnamese, Japanese, or Singaporean nationality.

These fictitious identities seek remote positions in engineering and full-stack blockchain development, leveraging GitHub to establish credibility.

Sophisticated Persona Creation and Digital Manipulation

The DPRK-affiliated actors have demonstrated a high level of sophistication in their persona creation.

They utilize digitally manipulated profile photos, often superimposing faces onto stock images to create the illusion of the individual working with colleagues.

These personas claim extensive experience in web and mobile application development, proficiency in multiple programming languages, and blockchain technology expertise.

To further solidify their online presence, the network creates accounts on various platforms, including employment websites, IT industry-specific freelance platforms, and software development tools.

However, they notably lack social media accounts, suggesting these personas are created solely for employment acquisition.

One such persona, operating under the names Huy Diep and HuiGia Diep, claims employment as a software engineer at Japanese consulting company Tenpct Inc since September 2023.

This persona’s GitHub account, nickdev0118, was found to have co-authored commits with another suspected DPRK IT worker account, AnacondaDev0120.

The investigation revealed that at least two personas from this network have successfully obtained employment at companies with fewer than 50 employees.

This success underscores the potential threat posed by these operations to smaller organizations that may lack robust vetting processes.

Nisos’s findings highlight the evolving tactics of North Korean cyber operations, demonstrating their ability to adapt and exploit legitimate platforms like GitHub for malicious purposes.

As these actors continue to refine their methods, businesses worldwide must remain vigilant and implement stringent verification processes to protect against such sophisticated employment fraud schemes.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free