Misconfigured cloud server leaked clues of North Korean animation scam

The Register

https://www.msn.com/en-us/news/world/misconfigured-cloud-server-leaked-clues-of-north-korean-animation-scam/ar-AA1nukze?ocid=entnewsntp&pc=U531&cvid=f187eb73c1aa43f9b46190bf24268dcb&ei=93

Outsourcers outsourced work for the BBC, Amazon, and HBO Max to the
hermit kingdom

A misconfigured cloud server that used a North Korean IP address has led
to the discovery that film production studios including the BBC, Amazon,
and HBO Max could be inadvertently using workers from the hermit kingdom
for animation projects.…

The server – which according to think tank Stimson Center this week is
no longer being utilized – was discovered by the author of NK Internet
blog, Nick Roy, in late 2023.

The Stimson Center, together with Roy, analyzed the files that would
appear every day on the server's blog, according to a post on the think
tank's blog, 38 North, penned by Martyn Williams.

Many of those files included instructions for animation work and results
of that day’s work, uploaded by unknown individuals. Editing comments
and instructions were frequently written in Chinese, accompanied by a
Korean translation.

"This suggests a go-between was responsible for relaying information
between the production companies and the animators," alleged Williams.

Google-owned cyber security outfit Mandiant had a look at the access
logs and found most logins to the server were done over a virtual
private network (VPN), but there were also three from China and one from
Spain.

The researchers were able to identify a few of the projects – including
season 3 of Amazon Prime’s “Invincible”, plus Cartoon Network and HBO
Max's “Iyanu, Child of Wonder”. Files from BBC's Octonauts were found on
the server, but appeared completed, so it is not known if work on the
show was contracted out or if the files were there for other reasons.

Although documents do not explicitly name the organization, the
researchers suspects that the contractor doing the outsourced animation
was Pyongyang-based and state-sponsored animation company April 26
Animation Studio – also known as SEK Studio – which is subject to US
sanctions.

"There is no evidence to suggest that the companies identified in the
images had any knowledge that a part of their project had been
subcontracted to North Korean animators," asserted Williams.

He posited that additional relay servers probably exist for North Korean
orgs covertly engaging in other digital work such as software development.

North Korean citizens' efforts to earn money for the regime by posing as
IT workers are well documented. The United States has issued warnings
against the practice and advisories on how to protect against
inadvertently supporting Kim Jong Un's regime and slush fund.

In January, 38 North warned that cloud computing service providers
should take more care against unwittingly renting infrastructure to
North Korea. At the time, the org was more concerned about North Korean
access to AI infrastructure than hiring out its citizens as animators.

--
I've done good in this world. Now I'm tired and just want to be a cranky
dirty old man.

lol

No surprise. We never knew what hellhole the Work was coming back from.

Dimensional Traveler <dtravel@sonic.net> wrote:
> Misconfigured cloud server leaked clues of North Korean animation scam
>
> The Register
>
> https://www.msn.com/en-us/news/world/misconfigured-cloud-server-leaked-clues-of-north-korean-animation-scam/ar-AA1nukze?ocid=entnewsntp&pc=U531&cvid=f187eb73c1aa43f9b46190bf24268dcb&ei=93
>
> Outsourcers outsourced work for the BBC, Amazon, and HBO Max to the
> hermit kingdom
>
> A misconfigured cloud server that used a North Korean IP address has led
> to the discovery that film production studios including the BBC, Amazon,
> and HBO Max could be inadvertently using workers from the hermit kingdom
> for animation projects.…
>
> The server – which according to think tank Stimson Center this week is
> no longer being utilized – was discovered by the author of NK Internet
> blog, Nick Roy, in late 2023.
>
> The Stimson Center, together with Roy, analyzed the files that would
> appear every day on the server's blog, according to a post on the think
> tank's blog, 38 North, penned by Martyn Williams.
>
> Many of those files included instructions for animation work and results
> of that day’s work, uploaded by unknown individuals. Editing comments
> and instructions were frequently written in Chinese, accompanied by a
> Korean translation.
>
> "This suggests a go-between was responsible for relaying information
> between the production companies and the animators," alleged Williams.
>
> Google-owned cyber security outfit Mandiant had a look at the access
> logs and found most logins to the server were done over a virtual
> private network (VPN), but there were also three from China and one from
> Spain.
>
> The researchers were able to identify a few of the projects – including
> season 3 of Amazon Prime’s “Invincible”, plus Cartoon Network and HBO
> Max's “Iyanu, Child of Wonder”. Files from BBC's Octonauts were found on
> the server, but appeared completed, so it is not known if work on the
> show was contracted out or if the files were there for other reasons.
>
> Although documents do not explicitly name the organization, the
> researchers suspects that the contractor doing the outsourced animation
> was Pyongyang-based and state-sponsored animation company April 26
> Animation Studio – also known as SEK Studio – which is subject to US
> sanctions.
>
> "There is no evidence to suggest that the companies identified in the
> images had any knowledge that a part of their project had been
> subcontracted to North Korean animators," asserted Williams.
>
> He posited that additional relay servers probably exist for North Korean
> orgs covertly engaging in other digital work such as software development.
>
> North Korean citizens' efforts to earn money for the regime by posing as
> IT workers are well documented. The United States has issued warnings
> against the practice and advisories on how to protect against
> inadvertently supporting Kim Jong Un's regime and slush fund.
>
> In January, 38 North warned that cloud computing service providers
> should take more care against unwittingly renting infrastructure to
> North Korea. At the time, the org was more concerned about North Korean
> access to AI infrastructure than hiring out its citizens as animators.
>

--
The last thing I want to do is hurt you, but it is still on my list.