North Korean Scammers Are Doing Architectural Design Now

New research shows that North Koreans appear to be trying to trick US companies into hiring them to develop architectural designs using fake profiles, résumés, and Social Security numbers.

Wired

Talented North Korean coders and developers have, for years, been getting hired for remote jobs at Western tech firms. Thousands of these so-called IT workers have earned billions for North Korea’s authoritarian regime by developing apps, working on cryptocurrency projects, and infiltrating Fortune 500 companies. When they get paid, they send their earnings home. But the scale and scope of these fraudulent job schemes likely extend well beyond most people’s understanding.

New analysis of exposed online accounts and files linked to suspected Democratic People’s Republic of Korea (DPRK) digital laborers shows that at least one group has been working in a very different field: architecture and civil engineering. Over recent years, the cluster of workers has been masquerading as freelance structural engineers and architects, according to a report shared with WIRED by cybersecurity firm Kela, which dug into one network it links to North Korea.

Files linked to the alleged North Korean operatives include 2D architectural drawings and some 3D CAD files for properties in the United States, Kela researchers say. In addition to the plans, the scammers were seen advertising a range of architectural services and using, or creating, architectural stamps or seals, which can act as legal certification that drawings comply with local building regulations.

“These operatives are active not only in technology and cybersecurity but also in industrial design, architecture, and interior design, accessing sensitive infrastructure and client projects under fabricated identities,” Kela writes in a blog post. The United Nations estimates that thousands of IT workers raise between $250 million and $600 million for North Korea each year, with the money used to support the country’s nuclear weapons programs and sanctions evasion efforts.

Kela’s security researchers focused on a GitHub account linked to one suspected North Korean IT network, then analyzed further accounts and profiles connected to it. The GitHub profile, along with some connected personas and some of the architectural work, was first identified by DPRK researchers on X earlier this year. GitHub, which is owned by Microsoft, did not respond to WIRED’s request for comment about the account or its suspected links to North Korea.

The GitHub account publicly listed a series of Google Drive files that could be downloaded by anyone and contained a treasure trove of information linked to the potential scammers. The files included details of work being pursued by the DPRK-linked accounts, duplicate and false CVs, images that could be used as profile pictures, and details of the personas used to find work.

“There were so many emails, data, and profiles that we saw,” says a Kela researcher who asked not to be named due to the sensitivity of the findings. “It was really massive,” they add, saying some spreadsheets appeared to show hundreds of email addresses that may have been used by the scammers. (Google had not responded to a request for comment at the time of writing).

Publicly available files reviewed by WIRED show the breadth, and the productivity, of the suspected DPRK scammers and their links to potential architectural work. In most cases, the scammers appear to have used freelance work websites to solicit jobs. Numerous text files within the documents, which sit alongside CVs, advertise the architectural services on offer, with documents claiming the architects are licensed in multiple (or sometimes all) US states. “We can provide you with all construction docs (site plan, structural analysis report, stamp) and we can help you to get permission for construction docs,” one text file says. Some files appear to show correspondence with people potentially seeking the work.

Files seen by WIRED also include floor plans and designs for a deck, a farmhouse, a custom tree house, swimming pools, and more. One text file appears to include a request asking whether existing plans for a restaurant patio could be redrawn. WIRED could not immediately verify whether these plans had actually been drawn up by the alleged North Korean accounts or whether any of the work was completed. However, previous reporting and other researchers indicate this is possible.

The Kela researchers say that they reported their findings to the FBI and other law enforcement bodies. The FBI did not immediately respond to WIRED’s request for comment.

In July, Canadian public broadcaster CBC reported that the seal of one architect in Toronto had likely been altered and impersonated by North Korean IT workers, and that the details were included on plans the architect had not worked on. The architect told CBC that the signature used did not match his own and that the seal differed from his official version. One document seen by WIRED in the cache of files listed websites for generating engineer and architect seals.

“The plans are being used and being built,” says Michael “Barni” Barnhart, a leading authority on North Korean hacking and cyber threats, who works for insider threat security firm DTEX. Along with other DPRK researchers, who call themselves a “Misfit” alliance, Barnhart has seen this cluster of workers conducting architectural work and says other similar efforts have been detected. “They will do the CAD renderings, they’ll do the drawings,” he says. “It’s not like a hypothetical—those physical things do exist out there.”

Barnhart—who previously found North Korean animators appearing to work on Amazon and Max shows—says that he has also seen potential front companies set up to help run the operations and provide a veneer of legitimacy. The findings raise questions about the quality of the structural work, and about safety, if the structures are actually built. “In some of our investigations, these plans and these products that they’re making for these remodels and renderings, they’re not getting good reviews,” Barnhart says. “We do have indications that also they’re being hired to do critical infrastructure.”

One 24-minute screen recording seen by WIRED shows how the freelance operation could work. In the video, a person signs up to a freelance work website and sets up a new profile in which they write that they are a “licensed structural engineer/architect in the USA.” They pick a profile image from a folder of apparently downloaded files, translate text between English and Korean, and visit a Social Security number generator website during the sign-up process.

Once the account is created, the video shows them begin messaging online requests for work, with one message saying: “I can provide you [sic] permit drawing plan set for your residential home design within a few days.”

Other screen recordings show the workers having conversations with potential clients, and in at least one instance there is a recording of an online call discussing possible work. The Kela researcher, who asked not to be named for security reasons, says it appeared some prospective customers returned to the scammers after likely having had work completed. The researchers say some kinds of work appeared to be priced from a few hundred dollars up to around $1,000 per job.

“This is an opportunistic nation,” DTEX’s Barnhart says. Many companies have started to figure out that North Korea’s IT workers often apply for remote tech jobs using false identities, deepfakes on video calls, and local workers to run their operations, but the workers are consistently changing their approaches. Barnhart says architectural work appears to have been successful for the alleged DPRK workers, and that the evidence shows the IT workers program can be more subtle than simply trying to get hired at companies.

“They’re moving to places where we’re not looking,” Barnhart says. “They’re also doing things like call centers. They’re doing HR and payroll and accounting. Things that are just remote roles and not necessarily remote hires.”
