North Korean Hackers Now Target Architecture Firms

Summary
– North Korean IT workers have earned billions for their regime by taking remote jobs at Western tech firms, developing apps and infiltrating companies while sending earnings home.
– A cybersecurity report reveals these operatives have also been posing as freelance architects and engineers, expanding beyond tech into sensitive infrastructure fields.
– Files linked to the workers include 2D architectural drawings and 3D CAD files for US properties, along with fraudulent architectural stamps to certify compliance with regulations.
– Thousands of North Korean IT workers raise an estimated $250–600 million annually, with funds supporting the country’s nuclear programs and sanctions evasion.
– Researchers identified a GitHub account connected to the network that publicly shared Google Drive files containing false CVs, profile images, and details of fabricated personas used to find work.
For years, a sophisticated network of North Korean IT professionals has discreetly infiltrated Western technology companies through remote employment, generating billions in revenue for Pyongyang’s authoritarian leadership. These individuals have contributed to app development, cryptocurrency ventures, and even penetrated major corporations, systematically funneling their earnings back to North Korea. However, recent investigations reveal that their deceptive employment strategy now extends into an entirely new sector: architecture and civil engineering.
Cybersecurity analysts at Kela uncovered a cluster of workers posing as freelance structural engineers and architects. Their research, shared exclusively with WIRED, points to a coordinated group linked to North Korea that has been active in this field for several years. Files associated with these operatives included detailed 2D architectural drawings and 3D CAD models for properties located in the United States, indicating direct involvement in American construction and design projects.
Beyond producing technical plans, these individuals advertised a full suite of architectural services. Alarmingly, they also made use of, and in some cases created, official architectural stamps or seals. Such certifications are legally required to confirm that building designs comply with regional safety and construction codes, raising serious concerns about regulatory integrity and project safety.
Kela emphasized in a public blog post that these actors are not confined to the technology or cybersecurity domains. They have expanded into industrial design, architecture, and interior design, gaining access to confidential infrastructure projects and client data under completely fabricated identities. According to United Nations estimates, thousands of North Korean IT workers collectively earn between $250 million and $600 million annually, funds that directly support the nation’s nuclear weapons development and help it evade international sanctions.
The investigation began with a GitHub account tied to a suspected North Korean IT network. Researchers then expanded their analysis to connected online profiles and personas. This specific GitHub profile, along with related architectural work, was initially flagged earlier this year by DPRK researchers on the social media platform X. Microsoft, the parent company of GitHub, did not respond to requests for comment regarding the account or its alleged connections to North Korea.
A significant operational-security lapse was exposed when the GitHub account publicly listed a series of Google Drive folders, freely downloadable by anyone. These files provided a wealth of information about the scammers’ operations. Contents included specifics about ongoing projects handled by DPRK-linked accounts, multiple versions of falsified résumés, photographs likely used for fake profile pictures, and comprehensive background details for the false identities created to secure freelance work.
(Source: Wired)