The inadvertent exposure of a misconfigured North Korean Internet cloud server sheds light on the realm of North Korean animation outsourcing and the potential involvement of foreign entities in North Korean IT projects. This incident underscores the challenges faced by foreign companies in verifying the compliance of their outsourced work with sanctions regulations, and the risk of it landing on computers in Pyongyang.
A Month of Animation Discovery
The narrative commences in late 2023 with the unearthing of a cloud storage server linked to a North Korean Internet Protocol (IP) address. This server, seemingly defunct, was inaccurately set up, rendering the daily influx and efflux of files accessible to anyone without authentication.
North Korea resorts to such servers due to limited Internet access for the average IT worker within the country. Typically, organizations possess just a handful of computers with Internet connectivity; usage requires authorization and is subject to monitoring.
The unattended cloud server came to light through the efforts of Nick Roy, curator of the NK Internet blog. Throughout January of the current year, we monitored the files. Each day, a fresh batch emerged, comprising directives for animation tasks and the corresponding outcomes.
The identity of the individual(s) responsible for uploading the files remained elusive.
The files often contained Chinese annotations and directives, presumably penned by the production company, along with Korean translations. This hints at an intermediary tasked with transmitting information between production entities and animators.
For instance, in the correspondence below, the animator is urged to refine the contour of the character’s head. The identity of the North Korean collaborator remained undisclosed in the observed documentation, though it’s probable it pertains to the April 26 Animation Studio, also known as SEK Studio. This Pyongyang-based entity stands as North Korea’s premier animation hub, crafting series for domestic TV broadcasts, including the renowned “Squirrel and Hedgehog” series.
While it has engaged in numerous international endeavors, including collaborations with South Korean firms during the “Sunshine Policy” period of the early 2000s, the studio incurred sanctions in 2016 from the US Department of Treasury as a state-owned enterprise of North Korea. The US government imposed additional sanctions on Chinese firms associated with the studio or serving as intermediaries, in both 2021 and 2022.
Penetrating the Server
In tandem with researchers from Mandiant, a Google-owned cybersecurity firm, the server’s access logs underwent scrutiny.
They unveiled multiple logins from Internet addresses linked to virtual private network (VPN) services. Notably, among the non-VPN logins was an IP address in Spain and three in China. Two of the Chinese addresses were traced to Liaoning Province, which borders North Korea and encompasses the towns of Dandong, Dalian, and Shenyang. These cities are renowned for hosting numerous North Korean-operated businesses and serve as key hubs for North Korean IT professionals residing overseas.
Projects Unveiled
The files pertained to a spectrum of projects, indicating the involvement of several animators.
Throughout the observed period, certain project identities became discernible. These encompassed:
- Season 3 of “Invincible,” an Amazon Original animated series produced by California-based Skybound Entertainment. Documentation on the server bore the series’ name and “Viltruminte Pants LLC,” presumably affiliated with the Skybound conglomerate.
- “Iyanu, Child of Wonder,” an anime featuring a superhero, created by Maryland-based YouNeek Studios and being produced and animated by Lion Forge Entertainment for broadcast on HBO Max in 2024.
- “Dahliya In Bloom” (魔導具師ダリヤはうつむかない), a Japanese anime slated for July 2024 release.
- Files labeled “猫” (Cat), also mentioning Ekachi Epilka, an animation studio in Hokkaido, Japan.
- Video files presumably from “Octonauts,” a BBC children’s cartoon. Lacking additional identification, it’s conceivable that these were not handled by the animators.
- An unidentified animation series with references to Dalian’s Shepherd Boy Animation (大连牧童动漫).
There is no indication that the identified companies were aware of subcontracting to North Korean animators. In fact, given that all editing remarks, including those pertaining to US-based animations, were scripted in Chinese, it is likely that the contractual relationship was several steps removed from the primary producers.
Additionally, several animation files remained unidentified, alongside files containing video special effects editing directives for a seemingly Chinese basketball-themed movie, and multiple Russian-language video files and PDFs concerning horse care.
The predominance of animation-related files on the server hints at the likelihood of additional relay servers for North Korean entities engaged in diverse endeavors, such as software development.
Implications: Rigorous Scrutiny Required for IT Outsourcing
In mid-2022, US authorities cautioned against the inadvertent employment of North Korean IT personnel, including animators, when seeking remote contractors. An advisory highlighted the potential exposure to breaches of US and United Nations sanctions.
It underscored the tendency of North Korean workers to masquerade as foreign or US-based telecommuters and employ VPNs or similar methods to project an alternate nationality and residence.
In response, companies were urged to implement various safeguards, including enhanced verification of work documents, video interviews, background checks, and fingerprint authentication, to ensure that contracted workers are indeed the ones undertaking the assigned tasks.
These measures aim to ascertain the identity of the worker executing the work, rather than merely serving as a proxy for another individual.
Last year, US law enforcement agencies disclosed an instance where North Korean workers remunerated an American intermediary $400 monthly to host four laptops on their Internet connection. These workers accessed the laptops via remote desktop software, presenting themselves on the American Internet. The manipulation of IP addresses concealed the true origin, simulating conventional US domestic service providers.
This case prompted an update to US guidelines for identifying North Korean IT personnel.
Nonetheless, the North Korean studio’s apparent continuation of international projects underscores the challenge in enforcing existing US sanctions within such a global industry. It emphasizes the imperative for US animation firms to attain comprehensive insights into all entities involved in their projects.
This article was originally published on 38north. Read the orignal article.
Frequently Asked Questions:
- Q: How did the discovery of the misconfigured server shed light on North Korean animation outsourcing?
- A: The server provided insight into the inner workings of North Korean animation production and its collaborations with foreign entities on IT projects.
- Q: What were some of the projects identified on the server?
- A: Projects included renowned series like “Invincible” and “Octonauts,” alongside lesser-known productions from various countries.
- Q: Why is there a need for stringent due diligence in IT outsourcing?
- A: Due to the risks associated with inadvertently engaging North Korean entities in IT projects, companies must implement robust verification processes to mitigate these risks.
- Q: What are the implications of the discovery for foreign companies?
- A: Foreign companies must exercise caution and implement enhanced scrutiny measures to ensure compliance with sanctions regulations and avoid inadvertent engagement with North Korean entities.
- Q: How can companies mitigate the risks associated with IT outsourcing?
A: By implementing stringent due diligence measures, including enhanced verification processes, background checks, and diligent monitoring of third-party engagements.