What We Learned Inside a North Korean Internet Server: How Well Do You Know Your Partners?
A misconfigured North Korean Internet cloud server has provided a fascinating glance into the world of North Korean animation outsourcing and how foreign companies might be inadvertently employing North Korean companies on information technology (IT) projects. The incident also underlines how difficult it is for foreign companies to verify their outsourced work is not potentially breaking sanctions and ending up on computers in Pyongyang.
A Month of Animation
The story begins in late 2023 with the discovery of a cloud storage server on a North Korean Internet Protocol (IP) address. The server, which appears no longer in use, had been incorrectly configured, making the daily flow of files into and out of this server viewable by anyone without a password.
North Korea employs such servers because the average IT worker inside the country does not have direct access to the Internet. Typically, an organization might have just one or two computers with Internet access; workers need approval to use them and are monitored while they do so.
The cloud server in question was discovered by Nick Roy, who runs the NK Internet blog. Together, throughout January this year, we observed files. Each day, a new batch of files would appear that included instructions for animation work and the results of that day’s work.
The identity of the person or persons uploading the files could not be determined.
Often the files contained editing comments and instructions in Chinese, presumably written by the production company, along with a translation of those instructions into Korean. This suggests a go-between was responsible for relaying information between the production companies and the animators.
For example, in the communication below, the animator is being asked to improve the shape of the character’s head.
The identity of the North Korean partner was never revealed in any of the documentation observed, but it is likely the April 26 Animation Studio, also known as SEK Studio. The Pyongyang-based organization is North Korea’s premier animation house, producing series for domestic television broadcasts, including the popular “Squirrel and Hedgehog” series.
It has previously worked on several international projects, including some with South Korean companies during the “Sunshine Policy” era in the early 2000s.
However, in 2016, the studio was sanctioned by the US Department of Treasury as a North Korean state-owned enterprise. The US government has twice laid additional sanctions on Chinese companies that have worked with the studio or acted as a go-between, once in 2021 and again in 2022.
Accessing the Server
Together with researchers from Mandiant, a computer security company owned by Google, access logs for the server were also examined.
They revealed several logins from Internet addresses associated with virtual private network (VPN) services, but among those that were not VPN-related was an IP address in Spain and three in China. Two of the Chinese addresses were registered to Liaoning Province, which neighbors North Korea and includes the towns of Dandong, Dalian and Shenyang.
All three cities are known to have many North Korean-operated businesses and are main centers for North Korea’s IT workers who live overseas.
Projects Identified
The files related to a range of projects, suggesting several animators were likely involved in the work.
Over the month we observed this traffic, the apparent identity of some of the projects became clear. They included:
- Season 3 of “Invincible,” an Amazon Original animated series produced by California-based Skybound Entertainment. A document on the server carried the name of the series and “Viltruminte Pants LLC,” which appears to be part of the Skybound group.
- “Iyanu, Child of Wonder,” an anime about a superhero created by Maryland-based YouNeek Studios and being produced and animated by Lion Forge Entertainment for airing in 2024 on HBO Max.
- “Dahliya In Bloom” (魔導具師ダリヤはうつむかない), a Japanese anime series scheduled to air from July 2024.
- Files named “猫” (Cat) that also carry the name of Ekachi Epilka, an animation studio in Hokkaido, Japan (Figure 1).
- Video files that appear to be from “Octonauts,” a BBC children’s cartoon. The files had no additional identifying information and appeared to be completed, so it is possible these were not worked on by the animators.
- An unidentified animation series with documents that refer to Dalian’s Shepherd Boy Animation (大连牧童动漫).
There is no evidence to suggest that the companies identified in the images had any knowledge that a part of their project had been subcontracted to North Korean animators. In fact, as the editing comments on all the files, including those related to US-based animations, were written in Chinese, it is likely that the contracting arrangement was several steps downstream from the major producers.
There were also several animation files that were never identified, files with video special effects editing instructions for what appeared to be a Chinese movie about basketball, and multiple Russian-language video files and PDFs related to the upkeep and care of horses.
The fact that the server was largely used to store files related to animation suggests that additional relay servers probably exist for North Korean organizations doing other work, such as software development.
Implications: Due Diligence Needed on IT Outsourcing
In mid-2022, the US government warned companies about the possibility of inadvertently hiring North Korean IT workers, including animators, when looking for remote contractors. An advisory warned that doing so could put the companies at risk of a breach of US and United Nations sanctions.
It noted North Korean workers frequently “misrepresent themselves as foreign (non-North Korean) or US-based teleworkers” and might use VPNs or other methods to make it appear as if they are from and residing in another country.
In response, it recommended that companies institute a number of safeguards such as better verification of work documents, video interviews, background checks and fingerprint login to ensure the workers hired are identified and remain the ones carrying out the work on the project.
Such checks are designed to ensure that the worker you hire is the one who does the work and not just a proxy for someone else.
Last year, US law enforcement agencies disclosed a case in which North Korean workers had paid someone in the US $400 per month to host four laptops on their Internet connection. The workers would access the laptops through remote desktop software and then get on to the American Internet. Analysis of the IP address would make it appear to be coming from a conventional US domestic service provider.
The case caused the US to update its guidance for spotting North Korean IT workers.
However, the ability of the North Korean studio to apparently continue working on international projects highlights the difficulty in enforcing current US sanctions in such a global industry. It also highlights the need for US animation companies to be much better informed about all the companies that are involved in their projects.