A recent data leak has unveiled the daily operations of a group of North Korean IT workers, revealing their meticulous job-planning processes and the intense surveillance they are under. This information, gathered by a cybersecurity expert, highlights the structured approach the workers take to secure jobs in international markets, with significant financial contributions flowing back to North Korea.
For years, North Korea has sent skilled programmers abroad, allowing them to find remote work and send back an estimated $250 million to $600 million annually, according to UN figures. The leaked data includes emails, spreadsheets, and chat logs from platforms like Google and GitHub, illustrating how these workers manage their job applications and earnings.
Among the trove of leaked information are structured documents that detail every aspect of their operations, including fake identities used for job applications, laptops used, and methods for tracking potential employment opportunities. Notably, the data indicates that these workers are heavily reliant on U.S.-based tech services, which they use to navigate the employment landscape.
The researcher, known as SttyK, disclosed their findings at the Black Hat security conference in Las Vegas, asserting that this is the first time such detailed internal workings have been made public. SttyK explained that the dataset is extensive, containing thousands of emails and other records that outline job opportunities alongside specific coding skill sets that the group possesses.
Evidence within the documents suggests that the workers are organized into subgroups reporting to a central authority, often referred to as a “master boss.” The spreadsheets reflect a high level of professionalism, showing meticulously maintained records of job budgets, types of work being pursued, and even performance metrics.
A deeper dive into the spreadsheets reveals that the group is engaged in a variety of tech-related activities, from AI and blockchain to web development. Each sector has an assigned budget, and the earnings from each are tracked to ensure efficiency. As highlighted by cybersecurity experts reviewing the data, this operation shares similarities with North Korea’s notorious hacking groups, known for their sophisticated cyber-attacks.
Despite the serious implications of this operation, the individual lives of the workers illustrate a stark contrast to the grim realities faced by many in North Korea. Reports of camaraderie among workers, including activities like volleyball tournaments and birthday celebrations, were noted in the leaked communications, painting a picture of their day-to-day lives outside of their cybercriminal roles.
The revelation of this elaborate framework demonstrates not just the audacity of North Korean IT operations but also their growing sophistication in technology use. As companies like GitHub, Google, and Slack take measures to combat illicit activities linked to these workers, the implications for cybersecurity and international relations remain significant.