Researchers Reveal: North Koreans Secretly Animated Amazon and Max Shows

Matt Burgess

For almost a decade, Nick Roy has been scanning North Korea’s tiny internet presence, spotting new websites coming online and providing a glimpse of the Hermit Kingdom’s digital life. However, at the end of last year, the cybersecurity researcher and DPRK blogger stumbled across something new: signs that North Koreans are working on major international TV shows.

In December, Roy discovered a misconfigured cloud server on a North Korean IP address containing thousands of animation files. Included in the cache were animation cells, videos, and notes discussing the work, plus changes that needed to be made to ongoing projects. Some images appeared to be from an Amazon Prime Video superhero show and an upcoming Max (aka HBO Max) children’s anime.

The findings and security lapse, detailed in a report by the Stimson Center think tank’s North Korea-focused 38 North Project, which helped analyze the findings along with Google-owned security firm Mandiant, provide a glimpse at how North Korea can use skilled IT and tech workers to raise funds for its heavily sanctioned regime. They also come as US officials increasingly warn about North Korean IT workers infiltrating companies and their outsourcing.

North Korea’s internet is a small, fragile space. The repressive nation owns only 1,024 IP addresses and roughly 30 websites able to connect to the global internet. While a limited internal intranet exists, only a few thousand of the country’s 26 million people are able to access the internet. When they do, it’s heavily regulated: These select few North Koreans can use the internet for an hour at a time and have a person sitting next to them approving their use every five minutes.

Upon discovering the exposed cloud server, Roy noted it was being updated daily. Martyn Williams, a senior fellow on the 38 North Project who helped analyze the server’s contents, postulates the server likely facilitated work being sent to and from North Korean animators. The server is still live, but mysteriously ceased to be used at the end of February. Despite a login page, its contents can be accessed without a username and password. “I discovered the login page after stumbling upon all the exposed files,” mentions Roy.

The files contained editing comments and instructions in Chinese that had been translated into Korean, the researchers note in their report. “We often found things like spreadsheets detailing the workflow in a lot of the animation files,” explains Williams. A sample of the files shared with WIRED shows detailed anime images and video clips, with author notes and various file date stamps. In one instance, the report says, an animator was “instructed to improve the character’s head shape.”

Based on the documents and sketches, the researchers were able to identify some of the shows and projects the North Koreans were working on. These projects included work from season 3 of the Amazon show Invincible, produced by California-based Skybound Entertainment. Also, there were documents related to Max and Cartoon Network show Iyanu: Child of Wonder, produced by YouNeek Studios, plus files from a Japanese anime series and an animation studio in Japan.


Some file names gave away clues about the series and episode numbers. There were also files and projects the researchers could not identify—including a “bunch of files” with videos of horses and a Russian book on horses, Williams says.

Sanctions placed upon the North Korean regime, for its ongoing human rights abuses and nuclear warfare programs, prohibit US companies from working with DPRK companies or individuals. However, the researchers say it is highly unlikely that any companies involved would have a clue about North Korean animators working on the shows, and there is nothing suggesting the companies violated any sanctions or other laws. “It is likely that the contracting arrangement was several steps downstream from the major producers,” the report says.

Spokespeople for Amazon and Max declined to comment for this story. YouNeek Studios did not respond to a request for comment.

“We do not work with North Korean companies, or Chinese companies on Invincible, or any affiliated entities, and have no knowledge of any North Korean or Chinese companies working on Invincible,” a spokesperson for Skybound Entertainment says. “We take any claims very seriously and have commenced an investigation into this.” In a post on X, the company characterized the findings as “unconfirmed” and said it is working with authorities to investigate.

Williams suggests that a front company in China may be disguising North Korean activity. Access to the investigated server was observed from Spain and three Chinese cities associated with North Korean businesses and overseas IT workers, despite the majority of connections being concealed using a VPN.

According to Williams, although there is no direct evidence, North Korea’s renowned animation company, April 26 Animation Studio, also known as SEK Studio, fits the description. The studio was established in the 1950s and has since contributed to numerous international TV shows and movies.

In recent times, SEK Studio, along with individuals and “front companies” linked to it, has been sanctioned by the US Treasury Department for serving foreign clients, many of which have ties to China, according to the sanctions. The official statement following the 2021 sanctions says that these companies were set up to evade sanctions levied against the North Korean government and to deceive global financial institutions.

Michael Barnhart, a researcher of North Korean affairs at Mandiant, suggests that these efforts are primarily aimed at raising funds for the North Korean regime. North Korean hackers and fraudsters have extracted billions through cybercrime in recent years to fund their military activities, including large-scale cryptocurrency theft. At the beginning of 2022, the FBI issued a 16-page warning to companies about remote North Korean IT workers infiltrating their businesses to earn money that is ultimately sent home.

“The volume is much higher than we were expecting,” Barnhart says of North Korea’s IT workers. They are constantly changing their tactics to avoid being caught, he says. “We had one not too long ago, where during the interview, the person’s mouth was just off-frame. You could tell that someone in the background was speaking on their behalf.” On the technical side, Barnhart says, companies should verify their remote workers’ devices and make sure that there is no remote software connecting to a company laptop or network. Businesses should also put extra effort into the hiring stage by training HR staff to detect possible North Korean IT workers.

However, he says, increasingly there is a greater crossover between North Korean IT workers and individuals who are members of known hacking groups or classified as advanced persistent threats (APTs). “The more we focus on IT workers, the more we’re starting to see APT operators and efforts blending in with those,” he says. “This might be the most quick learning-on-your-feet, nimble nation-state that I’ve ever seen.”
