North Korea has been secretly selling facial recognition technology, fingerprint scanning and other products overseas. That's what researchers at the James Martin Center for Nonproliferation Studies found by investigating the country's information technology networks.
According to their recently released report, "North Koreans appear to have marketed virtual private networks (VPNs) and encryption software in Malaysia, sold fingerprint-scanning technology to large Chinese companies and parts of the Nigerian government, produced facial recognition software for law enforcement agencies via front operations, and built websites for myriad individual and corporate clients."
The researchers drew from open source intelligence over a period of months. And they found that through front companies, aliases and freelancing websites, the entities grew so good at concealing their connection to Pyongyang that they amassed unwitting clients "without raising any alarm bells that something is amiss."
Customers ranged from small European firms to "at least one reputable defense firm in a US-allied country" and possibly a U.S. primary school and law enforcement agencies. That means they may have unknowingly and indirectly paid the economically isolated country, which has been sanctioned for its nuclear weapons program.
One front company described in the report, Global Communications — a defense firm that was exposed in 2017 as being under the control of North Korean intelligence — set up a network of companies in Asia.
An affiliated company, Future TechGroup, sent up some red flags to the researchers: Cached versions of the site showed technology for mushroom-growing, which is popular in North Korea; there was Korean-language translation software and a video featuring a cover of the Rocky theme song, performed by a North Korean pop group for Kim Jong Un.
Researchers verified a Future TechGroup claim that it recently won a prestigious award for its facial recognition software at an international competition in Switzerland.
The software was entered into the competition by "a seemingly reputable not-for-profit entity in a US-allied country" that authors did not name out of concern and which they think was unaware of the North Korean connection.
Future TechGroup also advertised Web development projects with the U.S. school and said it sold facial recognition software to Turkish and other law enforcement agencies, which researchers could not verify.
A different IT company linked to Global Communications, called Adnet International, said it offers "biometrics identification techniques based on fingerprint, palm-print or face identification skills, artificial intelligence techniques." It also said its products were on sale in "China, Japan, Malaysia, India, Pakistan, Thailand, UAE, UK, Germany, France, Russia, Canada, Argentina, Nigeria and other countries."
Some businesses were still active while the researchers were authoring the report, they said.
The country developed computer science skills and cyberattack capabilities in the '80s and '90s, according to the Center for Strategic and International Studies.
Center for Nonproliferation Studies researchers said that North Korea's technology industry is a "significantly underappreciated problem," representing a continuous stream of revenue that may directly or indirectly benefit people or companies connected to North Korea's nuclear and missile programs.
"It is also unclear precisely how much of North Korea's IT activity the current sanctions net would catch," the report said.