# Full Report
Kejia Wang and Zhenxing Wang established shell companies and hosted laptop farms to help operatives obtain jobs at more than 100 U.S. companies. The post US nationals sentenced for aiding North Korea’s tech worker scheme appeared first on CyberScoop.
# Analysis Summary
# Threat Actor: DPRK IT Worker Conspiracy (Facilitated by Kejia Wang and Zhenxing Wang)
## Attribution & Identity
* **Actor Identification:** North Korean (DPRK) IT Workers.
* **Facilitators:** Kejia Wang (aka Tony Wang) and Zhenxing Wang (aka Danny Wang), U.S. nationals based in New Jersey.
* **Known Associations:** Operatives are linked to the Workers’ Party of Korea; some workers are tasked with aiding state-backed hacking groups (e.g., APT activity).
## Activity Summary
Between 2021 and October 2024, the actors orchestrated an elaborate scheme to plant North Korean operatives into remote IT positions at over 100 U.S. companies. By establishing shell companies and "laptop farms," the group bypassed employment verification and geographic restrictions to generate over $5 million in illicit revenue for the DPRK regime. Beyond financial gain, the campaign was used to exfiltrate sensitive defense data and maintain persistent access to high-value networks.
## Tactics, Techniques & Procedures
* **Identity Theft:** Stole the identities of at least 80 U.S. residents to pass background checks and "onboard" North Korean operatives.
* **Shell Companies:** Established front organizations to act as intermediaries for contracts and to launder salary payments back to North Korea.
* **Laptop Farms:** Hosted physical laptops at U.S. addresses to create the illusion that the workers were located domestically, bypassing IP geolocation security.
* **Remote Access:** Used remote desktop software to allow overseas DPRK operatives to control the domestic hardware.
* **Dual-Use Operations:** Leveraged legitimate employment access for malicious activity, including IP theft and intelligence gathering.
* **MITRE ATT&CK Mapping:**
  * **T1136.003:** Create Account: Cloud Accounts (service accounts for work)
  * **T1078:** Valid Accounts (using stolen identities)
  * **T1090:** Proxy (use of U.S.-based laptops as proxies)
  * **T1566:** Phishing/Social Engineering (fraudulent hiring process)
  * **T1021.001:** Remote Desktop Protocol
## Targeting
* **Sectors:** Software development, Defense, Finance, and general Information Technology.
* **Geography:** Primarily United States (specifically companies across 27 states and Washington D.C.).
* **Victims:**
  * More than 100 U.S. companies.
  * Multiple Fortune 500 companies.
  * A California-based defense contractor (ITAR-controlled data was compromised).
## Tools & Infrastructure
* **Shell Companies:**
  * Hopana Tech
  * Tony WKJ
  * Independent Lab
* **Technical Infrastructure:** Domestic "Laptop Farms" used to host remote-access sessions for overseas operators.
## Implications
This scheme possesses significant national security implications. Beyond providing a massive revenue stream for North Korea's weapons programs, it places state-sponsored operatives inside the internal networks of critical U.S. infrastructure and defense contractors. Unlike traditional external hackers, these operatives have "insider" status, allowing them to conduct intellectual property theft, maintain long-term persistence, or execute network disruptions with high privileges.
## Mitigations
* **Enhanced Identity Verification:** Implement robust, multi-factor, or video-based identity verification during the hiring process to ensure the person interviewed is the person working.
* **Workforce Monitoring:** Monitor for unusual login patterns, such as persistent remote-control sessions to an employee laptop from within the same local network, several employees' laptops sharing one residential egress address, or unexpected use of remote desktop tools.
* **Hardware Control:** Ship corporate-managed hardware and strictly enforce "Zero Trust" policies that block unauthorized remote control software.
* **Background Checks:** Conduct deeper due diligence on third-party software development firms or front companies that appear "clean" but lack physical footprints or historical social presence.
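The "Workforce Monitoring" and "Hardware Control" items above describe three signals a defender can actually query for: several employees' managed laptops egressing from one residential IP (a laptop farm), remote-control software that is not on the corporate allowlist, and long-lived inbound remote-desktop sessions from outside corporate address space. The script below is an added example written for this summary; it is not code from the original report or from CyberScoop. The telemetry schema (`user`, `device`, `egress_ip`, `remote_tool`, `rdp_src`, `session_hours`), the corporate ranges, the tool allowlist and the sample rows are all constructed assumptions.

```python
"""Laptop-farm indicator detection over endpoint/identity telemetry.

Added example, not from the original report. Every record below is a constructed
daily summary per (user, device); the field names are assumptions chosen for
this illustration, not a real product's schema.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate address space from which inbound remote-control is expected.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Assumed allowlist: the only remote-control binary sanctioned on managed laptops.
APPROVED_REMOTE_TOOLS = {"msrdc.exe"}

# Constructed sample telemetry (documentation IP ranges only).
SAMPLE_EVENTS = [
    {"user": "alice", "device": "LT-001", "egress_ip": "198.51.100.7",
     "remote_tool": None, "rdp_src": "10.1.2.3", "session_hours": 2},
    {"user": "alice", "device": "LT-001", "egress_ip": "198.51.100.7",
     "remote_tool": None, "rdp_src": None, "session_hours": 0},
    {"user": "bob", "device": "LT-002", "egress_ip": "198.51.100.7",
     "remote_tool": "anydesk.exe", "rdp_src": None, "session_hours": 0},
    {"user": "carol", "device": "LT-003", "egress_ip": "198.51.100.7",
     "remote_tool": None, "rdp_src": "192.0.2.44", "session_hours": 11},
    {"user": "dave", "device": "LT-004", "egress_ip": "198.51.100.7",
     "remote_tool": "msrdc.exe", "rdp_src": "192.0.2.44", "session_hours": 9},
    {"user": "erin", "device": "LT-005", "egress_ip": "192.0.2.200",
     "remote_tool": None, "rdp_src": None, "session_hours": 0},
]


def shared_egress(events, threshold=3):
    """Egress IPs shared by at least `threshold` distinct employees.

    One household address fronting many unrelated employees' laptops is the
    core laptop-farm pattern. Returns {ip: sorted user list}.
    """
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["egress_ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= threshold}


def unapproved_remote_tools(events):
    """Records where a remote-control binary outside the allowlist ran."""
    hits = []
    for e in events:
        tool = e.get("remote_tool")
        if tool and tool.lower() not in APPROVED_REMOTE_TOOLS:
            hits.append((e["user"], e["device"], tool))
    return hits


def _is_corporate(ip_str):
    addr = ip_address(ip_str)
    return any(addr in net for net in CORPORATE_NETS)


def external_rdp_sessions(events, min_hours=8):
    """Long inbound remote-desktop sessions whose source is not corporate space.

    A laptop that is 'at home' but driven for a full workday from an external
    address is the remote-operator half of the scheme. Returns
    [(user, device, source_ip, hours)].
    """
    hits = []
    for e in events:
        src = e.get("rdp_src")
        if src and not _is_corporate(src) and e["session_hours"] >= min_hours:
            hits.append((e["user"], e["device"], src, e["session_hours"]))
    return hits


def run_detections(events):
    """Run all three detectors and return their findings keyed by name."""
    return {
        "shared_egress": shared_egress(events),
        "unapproved_tools": unapproved_remote_tools(events),
        "external_rdp": external_rdp_sessions(events),
    }


if __name__ == "__main__":
    for name, findings in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```

Each detector is weak on its own (a shared egress IP can be a family, an external RDP source can be a travelling administrator), so in practice the three are correlated: a device that matches two or more signals, or an external RDP source that appears across several employees' devices, is what merits an identity re-verification rather than an immediate block. Thresholds are tunable parameters because the right values depend on the organisation's remote-work baseline.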