What We Learned Inside a North Korean Internet Server: How Well Do You Know Your Partners?

A misconfigured North Korean Internet cloud server has provided a fascinating glance into the world of North Korean animation outsourcing and how foreign companies might be inadvertently employing North Korean companies on information technology (IT) projects. The incident also underlines how difficult it is for foreign companies to verify their outsourced work is not potentially breaking sanctions and ending up on computers in Pyongyang.

A Month of Animation

The story begins in late 2023 with the discovery of a cloud storage server on a North Korean Internet Protocol (IP) address. The server, which appears no longer in use, had been incorrectly configured, making the daily flow of files into and out of this server viewable by anyone without a password.

North Korea employs such servers because the average IT worker inside the country does not have direct access to the Internet. Typically, an organization might have just one or two computers with Internet access; workers need approval to use them and are monitored while they do so.

The cloud server in question was discovered by Nick Roy, who runs the NK Internet blog. Together, throughout January this year, we observed the files on the server. Each day, a new batch of files would appear that included instructions for animation work and the results of that day’s work.

The identity of the person or persons uploading the files could not be determined.

Often the files contained editing comments and instructions in Chinese, presumably written by the production company, along with a translation of those instructions into Korean. This suggests a go-between was responsible for relaying information between the production companies and the animators.

For example, in the communication below, the animator is being asked to improve the shape of the character’s head.

Figure 1. A screenshot of a document on which a Chinese comment has been translated into Korean.

The identity of the North Korean partner was never revealed in any of the documentation observed, but it is likely the April 26 Animation Studio, also known as SEK Studio. The Pyongyang-based organization is North Korea’s premier animation house, producing series for domestic television broadcasts, including the popular “Squirrel and Hedgehog” series.

It has previously worked on several international projects, including some with South Korean companies during the “Sunshine Policy” era in the early 2000s.

However, in 2016, the studio was sanctioned by the US Department of Treasury as a North Korean state-owned enterprise. The US government has twice laid additional sanctions on Chinese companies that have worked with the studio or acted as a go-between, once in 2021 and again in 2022.

Figure 2. The headquarters of the April 26 Animation Studio in Pyongyang, seen on Korean Central Television on November 27, 2020.

Accessing the Server

Together with researchers from Mandiant, a computer security company owned by Google, we also examined access logs for the server.

They revealed several logins from Internet addresses associated with virtual private network (VPN) services, but among those that were not VPN-related was an IP address in Spain and three in China. Two of the Chinese addresses were registered to Liaoning Province, which neighbors North Korea and includes the towns of Dandong, Dalian and Shenyang.

All three cities are known to have many North Korean-operated businesses and are main centers for North Korea’s IT workers who live overseas.

Projects Identified

The files related to a range of projects, suggesting several animators were likely involved in the work.

Over the month we observed this traffic, the apparent identity of some of the projects became clear. They included:

  • Season 3 of “Invincible,” an Amazon Original animated series produced by California-based Skybound Entertainment. A document on the server carried the name of the series and “Viltruminte Pants LLC,” which appears to be part of the Skybound group.
  • “Iyanu, Child of Wonder,” an anime about a superhero created by Maryland-based YouNeek Studios and being produced and animated by Lion Forge Entertainment for airing in 2024 on HBO Max.
  • “Dahliya In Bloom” (魔導具師ダリヤはうつむかない), a Japanese anime series scheduled to air from July 2024.
  • Files named “猫” (Cat) that also carry the name of Ekachi Epilka, an animation studio in Hokkaido, Japan (Figure 1).
  • Video files that appear to be from “Octonauts,” a BBC children’s cartoon. The files had no additional identifying information and appeared to be completed, so it is possible these were not worked on by the animators.
  • An unidentified animation series with documents that refer to Dalian’s Shepherd Boy Animation (大连牧童动漫).

Figure 3. A screenshot of a production frame for “Invincible.”

There is no evidence to suggest that the companies identified in the images had any knowledge that a part of their project had been subcontracted to North Korean animators. In fact, as the editing comments on all the files, including those related to US-based animations, were written in Chinese, it is likely that the contracting arrangement was several steps downstream from the major producers.

There were also several animation files that were never identified, files with video special effects editing instructions for what appeared to be a Chinese movie about basketball, and multiple Russian-language video files and PDFs related to the upkeep and care of horses.

The fact that the server was largely used to store files related to animation suggests that additional relay servers probably exist for North Korean organizations doing other work, such as software development.

Figure 4. A North Korean animator at the April 26 Animation Studio works on computer animation software, seen on Korean Central Television on November 27, 2020.

Implications: Due Diligence Needed on IT Outsourcing

In mid-2022, the US government warned companies about the possibility of inadvertently hiring North Korean IT workers, including animators, when looking for remote contractors. An advisory warned that doing so could put the companies at risk of a breach of US and United Nations sanctions.

It noted North Korean workers frequently “misrepresent themselves as foreign (non-North Korean) or US-based teleworkers” and might use VPNs or other methods to make it appear as if they are from and residing in another country.

In response, it recommended that companies institute a number of safeguards such as better verification of work documents, video interviews, background checks and fingerprint login to ensure the workers hired are identified and remain the ones carrying out the work on the project.

Such checks are designed to ensure that the worker you hire is the one who does the work and not just a proxy for someone else.

Last year, US law enforcement agencies disclosed a case in which North Korean workers had paid someone in the US $400 per month to host four laptops on their Internet connection. The workers would access the laptops through remote desktop software and then get on to the American Internet. Analysis of the IP address would make it appear to be coming from a conventional US domestic service provider.

The case caused the US to update its guidance for spotting North Korean IT workers.

However, the ability of the North Korean studio to apparently continue working on international projects highlights the difficulty in enforcing current US sanctions in such a global industry. It also highlights the need for US animation companies to be much better informed about all the companies that are involved in their projects.

