Top officials in the North Korean regime, including Kim Jong Un himself, have spent weeks in the global spotlight, participating in important discussions over how to reduce tensions on the Korean Peninsula. Yet despite those steps onto the world stage, North Koreans elsewhere are working hard to remain unseen.
In an era of intense sanctions, the country’s overseas business networks know that the more visible Pyongyang’s links are to their overseas trade and finance networks, the more external scrutiny they will invite. To avoid this, they have honed techniques that allow them—at first glance—to appear Chinese, Southeast Asian, or Russian. They leverage relations with foreign facilitators and middlemen, utilize opaque offshore jurisdictions, and create elaborate corporate structures. As a result, they have successfully managed to extend their networks around the world, and remain active in sectors where few even realize North Korea is a player.
The global information technologies (IT) sector is one. Over the last several months, the James Martin Center for Nonproliferation Studies carried out detailed investigations into North Korean IT networks active overseas, including in China, Russia, Southeast Asia, and Africa. We uncovered firms linked to Pyongyang that are developing and selling encryption technologies, virtual private networks, and software for fingerprint scanning or facial recognition. North Korea-linked IT firms are offering comprehensive IT packages for companies and developing apps or websites for customers who range from small firms in Europe to a U.S. primary school.
Take a drive in Turkey, and your license plate could be read by North Korea-developed vehicle recognition software. Put your finger on a scanner when entering certain parts of the civil service in one Nigerian state, and it could be captured by North Korean technology. The same possibility exists for fingerprint scanners in Asia, where there are indications that North Korean algorithms may have been incorporated into the supply chains of major producers of that hardware.
North Korea’s activity in the global IT sector is a significantly underappreciated problem with several dimensions. It represents another source of continued revenue for North Korea. At present, Pyongyang is not prohibited from providing these sorts of services per se; U.N. sanctions have focused mostly on banning the export of North Korean material goods, including electronics.
While sanctions prohibit North Korea from sending migrant laborers overseas, it is unclear to what extent North Korea actually relies upon this practice for its IT business. Several of the Pyongyang-linked individuals and firms we identified purported to have hundreds of employees or large numbers of developers at their disposal, despite other indications that they are small operations. This suggests that the staff carrying out the work may be based elsewhere, potentially in North Korea itself; networks overseas may simply be the vehicle by which to generate new contracts for North Korean developers back home.
Sanctions would be relevant if specific designated individuals or entities are involved. During our investigations, we found several IT firms within networks directly linked to North Korea’s sanctioned intelligence agency, the Reconnaissance General Bureau. But these ties are extremely well hidden. Few countries are likely to perform the sort of in-depth investigations that will help them confirm that a particular IT company is linked to a sanctioned entity. An IT company in Malaysia remains an active entity despite the fact that one of its shareholders was publicly exposed as a North Korean intelligence agent over a year ago.
Adopting sanctions on North Korean IT services generally would provide a more straightforward basis for investigation and action, and there are indications that the sanctions conversation could move in this direction if ongoing diplomatic efforts fail to bring about a change in North Korean behavior at home and abroad.
The U.S. Treasury sanctioned the Korea Computer Center last year, and President Donald Trump’s September 2017 Executive Order explicitly mentions the authority to sanction individuals and entities linked to North Korean IT operations.
Even with these steps, restricting North Korea’s activity in the global IT sector may be difficult to operationalize for the simple reason that intangible forms of revenue generation are harder to tackle than tangible ones. No opportunities for the physical interdiction of the export exist, and even countries with the most sophisticated export control arrangements still struggle to address the issue of intangible technology transfers.
As in other parts of their overseas activity, North Korean IT networks are spectacularly good at concealing overt links to Pyongyang. One company website advertising IT services, for instance, revealed only a few clues that it was North Korean: advertising for Korean language translation software, a mention of mushroom growing technology (North Korea loves its mushroom farms), and the use of a North Korean girl band’s version of the Rocky theme tune as the track for the marketing video. An untrained eye (or ear) will not notice those details.
In most cases, North Korea’s clients are probably unwitting, a dynamic reinforced by Pyongyang’s apparent use of freelancing websites to generate new IT work. Throughout our research, we continually discovered related profiles for developers on Freelancer.com and Guru.com, which parties that appear to have links to North Korea are using to identify potential clients. It is easy to mask identities on these sorts of sites, and interaction is impersonal, reducing the chance that a prospective customer will detect anything amiss.
Finally, and perhaps of most concern, North Korea’s activity could pose a cyber security risk to the public or private sector entities that outsource their IT work to the country, knowingly or unknowingly. The level of access the IT providers would have to their clients’ information and systems ultimately depends upon the services provided, but in some cases it could be substantial.
North Korea, after all, has been credited with the attempted theft of nearly one billion dollars from Bangladesh’s account at the Federal Reserve Bank of New York and the worldwide WannaCry malware attacks. It has clearly shown that if it has the opportunity to exploit its prowess in cyberspace to its own benefit, it will.
Awareness of these issues specifically, and North Korea’s activities in the IT sector generally, needs to improve quickly. Multilateral and unilateral sanctions on some of the main nodes in North Korea’s IT networks would be a start and would simultaneously help address both the cyber threats posed by North Korea and the continued revenue that IT exports generate. Guidance to parts of the private sector that are particularly at risk—such as those operating in the market for biometric identification software—is also worthwhile. Without such attention, North Korea’s networks will likely remain out of sight, and out of mind.
Andrea Berger is a Senior Research Associate at the Middlebury Institute of International Studies at Monterey, where Cameron Trainer is a Research Associate. Their new report, "The Shadow Sector: North Korea's Information Technology Networks," is available here.