The US Department of Justice (DoJ) has charged a Nashville resident for helping North Korean hackers gain positions at US and UK tech companies.
Matthew Isaac Knoot, 38, is accused of running the US side of a campaign to place North Korean IT workers in positions at prominent firms, where they could steal information and extort ransoms.
Knoot was charged on 8 August for his “efforts to generate revenue for the Democratic People’s Republic of Korea’s illicit weapons program”, according to the DoJ statement.
He was allegedly in charge of a “laptop farm”: corporate laptops kept physically in the US so that the foreign workers operating them remotely appeared to be in the country, defeating geofences and other location-based security controls.
Knoot is also accused of hosting the victim companies’ laptops at his residence, installing remote desktop software on them without authorization so the overseas workers could control them, and thereby giving those workers access to corporate networks.
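The laptop-farm pattern described above has a detectable footprint on the endpoint: an unsanctioned remote-control tool appears on a company laptop, and interactive sessions on that laptop arrive over a remote session rather than at the keyboard. The following is an added example, not code from the article, the DoJ, or any company it names; it runs those two heuristics over constructed NDJSON endpoint telemetry. The tool names, hosts, users and the `JUMP-01` allow-list entry are assumptions made for the example.

```python
"""
Laptop-farm indicators on a managed endpoint (added example; constructed data).

Heuristics:
  1. A remote-control tool the organisation has not sanctioned starts on the device.
  2. A RemoteInteractive logon (Windows event 4624, logon type 10, i.e. RDP) lands on
     a device that is not an approved RDP target. A loopback source address is called
     out separately: RDP tunnelled over SSH or a VPN to the laptop itself looks like that.
"""
import json
from collections import defaultdict

# Remote-control binaries the organisation has NOT sanctioned (example list, not exhaustive).
UNSANCTIONED_REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "tvnserver.exe"}

REMOTE_INTERACTIVE = 10  # Windows logon type 10: RemoteInteractive (RDP)

# Constructed telemetry, one JSON event per line. Not real logs. Raw string so that
# "\\" reaches the JSON parser as an escaped backslash and decodes to a single one.
TELEMETRY = r"""
{"host":"LAPTOP-01","ts":"2024-08-01T13:02:11Z","event":"process_start","user":"jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\AnyDesk\\AnyDesk.exe"}
{"host":"LAPTOP-01","ts":"2024-08-01T13:05:40Z","event":"logon","user":"jdoe","logon_type":10,"source_ip":"127.0.0.1"}
{"host":"LAPTOP-02","ts":"2024-08-01T13:10:02Z","event":"logon","user":"asmith","logon_type":2,"source_ip":"-"}
{"host":"LAPTOP-02","ts":"2024-08-01T13:11:30Z","event":"process_start","user":"asmith","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"host":"LAPTOP-03","ts":"2024-08-01T14:00:00Z","event":"logon","user":"bwong","logon_type":10,"source_ip":"203.0.113.7"}
{"host":"JUMP-01","ts":"2024-08-01T14:05:00Z","event":"logon","user":"admin","logon_type":10,"source_ip":"10.0.0.5"}
"""


def basename(image_path):
    """Lower-cased file name from a Windows or POSIX path."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_telemetry(text):
    """Parse NDJSON text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def analyse(records, rdp_allowed_hosts=frozenset()):
    """Return {host: [finding, ...]} for hosts showing laptop-farm indicators."""
    findings = defaultdict(list)
    for r in records:
        host = r["host"]
        if r["event"] == "process_start":
            name = basename(r["image"])
            if name in UNSANCTIONED_REMOTE_TOOLS:
                findings[host].append(
                    f"unsanctioned remote-control tool {name} started by {r['user']}")
        elif r["event"] == "logon" and r.get("logon_type") == REMOTE_INTERACTIVE:
            if host in rdp_allowed_hosts:
                continue  # jump hosts and similar are expected to receive RDP
            src = r.get("source_ip", "")
            tag = "tunnelled RDP from loopback" if is_loopback(src) else "inbound RDP"
            findings[host].append(f"{tag} session for {r['user']} from {src}")
    return dict(findings)


def risky_hosts(findings):
    """Hosts with findings, most indicators first (ties broken by name)."""
    return sorted(findings, key=lambda h: (-len(findings[h]), h))


if __name__ == "__main__":
    result = analyse(parse_telemetry(TELEMETRY), rdp_allowed_hosts=frozenset({"JUMP-01"}))
    for host in risky_hosts(result):
        print(host)
        for finding in result[host]:
            print("  -", finding)
```

On the constructed data, `LAPTOP-01` trips both heuristics (a remote-control tool plus an RDP session arriving from loopback, the signature of a laptop that sits still while someone elsewhere drives it), `LAPTOP-03` trips one, and the jump host is suppressed by the allow-list. This only sees what the endpoint logs; pairing it with an HR check that the device is where the employee says they work is the complementary control.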
Matthew G. Olsen, assistant attorney general of the National Security Division, outlined how Knoot’s role helped fund the DPRK’s weapons program:
“As alleged, this defendant facilitated a scheme to deceive U.S. companies into hiring foreign remote IT workers who were paid hundreds of thousands of dollars in income funneled to the DPRK for its weapons program,” he explained.
“This indictment should serve as a stark warning to U.S. businesses that employ remote IT workers of the growing threat from the DPRK and the need to be vigilant in their hiring processes.”
Knoot’s charges include conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft, and conspiracy to cause the unlawful employment of aliens.
If convicted, he could face a maximum sentence of 20 years in a US federal prison, including a mandatory minimum of two years in prison on the count of aggravated identity theft.
Undercover North Korean hackers could be earning up to $300,000 per year
The DoJ statement warned organizations in the US and UK that this case is part of a wider campaign in which the DPRK has dispatched thousands of skilled IT workers abroad to obtain remote employment with, and thereby gain access to, foreign companies.
Henry C. Leventis, US attorney for the Middle District of Tennessee, said the indictment is the latest example of the DoJ’s work to protect US national security from cyber threats.
“Today’s indictment, charging the Defendant with facilitating a complex, multi-year scheme that funneled hundreds of thousands of dollars to foreign actors, is the most recent example of our office’s commitment to protecting the United States’ national security interests.”
Organizations have already been caught out by this campaign. Last month, cybersecurity training firm KnowBe4 published a report on its own encounter with it, describing how it discovered it had inadvertently hired a North Korean operative posing as a US-based software engineer.
Stu Sjouwerman, CEO of KnowBe4, authored an incident report explaining that the new hire began trying to load malware onto the firm’s systems as soon as he received his company workstation.
The firm’s EDR software detected the malicious activity and alerted its SOC, whose investigation quickly established that the new hire was not who he claimed to be.
Leventis offered some more detail on how the campaign is orchestrated from North Korea, using individuals in the US to assist in circumventing security precautions.
“North Korea has dispatched thousands of highly skilled information technology workers around the world to dupe unwitting businesses and evade international sanctions so that it can continue to fund its dangerous weapons program.”
A public service announcement from the FBI, the Department of the Treasury and the Department of State stated that these IT workers can each earn up to $300,000 a year, collectively generating hundreds of millions of dollars annually.