This article is the fourth of a series produced by the James Martin Center for Nonproliferation Studies (CNS) at the Middlebury Institute of International Studies exclusively for NK News. For this series, we’ve chosen to focus on the legal (mis)adventures of North Korean entities and individuals overseas. You can read part one here, part two here, and part three here.
Supply-chain management isn’t exactly the hottest of topics. But it is crucial to ensuring compliance with national and international sanctions regimes on North Korea.
To avoid potential penalties for prohibited transactions with North Korea, companies must know where they source components of their products from as well as where those products may end up.
It is nonetheless worth revisiting given the designation of North Korean cyber actors by the United States Office of Foreign Asset Control (OFAC) in September 2019.
Together, the designation and Executive Order effectively ban any engagement with North Korean cyber actors. While these are unilateral measures taken by the United States, they have international reach given the centrality of the United States financial system.
SUPPLY-CHAIN MANAGEMENT AND NORTH KOREA: NOTABLE CASES
Supply-chain violations usually start when someone, somewhere spots something out of place. Take New Zealand Customs Service v. Pacific Aerospace Limited.
That case stems from reporting by NK News(and subsequent follow-on by the UN Panel of Experts) on the participation of a plane manufactured by that company—the P-750 XSTOL—in the 2016 Wonsan Air Show.
The subsequent judgement in New Zealand court notes three key points: (1) New Zealand defines aircraft and their parts as luxury goods prohibited from being exported to North Korea, (2) the sale of the P-750 XSTOL to a Chinese company that then resold the plane to a company basing it in North Korea does not constitute a sanctions violation, and (3) the transfer of replacement parts to the second company with the knowledge that the plane was based in North Korea does constitute a sanctions violation. Pacific Aerospace Limited was ultimately fined NZD 74,805.
Alternatively, take e.l.f. Cosmetics—it reached a settlement agreement with OFAC in 2019 over its import of 156 shipments containing false eyelash kits with components originating in North Korea. These shipments violated the United States North Korea Sanctions Regulations (NKSR).
Once discovered by and were self-disclosed by e.l.f. Cosmetics, they were voluntarily disclosed. Under the settlement agreement, the company paid $996,080 and has taken (or took) steps to minimize the risk of recurrence of such conduct.
Both cases pertain to instances where companies cooperated with relevant authorities. In cases where companies do not cooperate or actively work to hinder investigations, penalties can be much greater.
The Chinese ZTE Corporation, for instance, was caught misleading investigators and deleting or concealing evidence of its transactions with North Korea.
This contributed to the combined penalty of $1.19 billion leveled against ZTE Corporation by the U.S. government in 2017 for exporting telecommunications items from the U.S. to Iran and North Korea.
But the fines aren’t the point. Rather, what these cases show is that products made even in the U.S. or its partner countries may find their way to North Korea and vice versa.
Since this is true for physical commodities like planes, false eyelashes, and telecommunications products, it is certainly true for digital products as well. Worse still, with digital wares, it may be more difficult to track the chain of custody for a specific piece of code.
NORTH KOREAN PARTICIPATION IN THE GLOBAL INFORMATION TECHNOLOGY INDUSTRY
In May 2018, my colleagues and I at the James Martin Center for Nonproliferation Studies (CNS) investigated North Korea’s IT industry. In our report, we noted that Future TechGroup—an IT company linked to Glocom, a front for North Korea’s export of military equipment—claimed to have supplied software to law enforcement in at least two countries.
We also found profiles on freelancing sites touting Future TechGroup products as examples of their work. The profiles won a number of contracts worldwide, including for clients in Europe and North America.
Subsequent reporting by C4ADS indicated the profiles on freelancer sites may have been linked to a North Korean-run company in Vietnam.
The global reach of North Korean IT companies… poses a distinct challenge to entities and individuals seeking to comply with sanctions on North Korea
The Future TechGroup case serves as a template for how companies or individuals in the U.S. and worldwide may, presumably unwittingly, source goods or services from North Korea’s IT industry.
A company is incorporated outside of North Korea, it then creates an online presence for itself to sell products worldwide, and—if necessary—reinvents itself to advertise under multiple names on different sites.
Yanbian Silverstar Network Technology Co. Ltd., an OFAC-designated company allegedly controlled and managed by North Korean nationals, appears to have used that same playbook.
Yanbian Silverstar appears to have served as publisher for a videogame called “ShadowCore” (see Figure 1). The game was sold on Steam, a digital distribution platform developed by Valve Corporation, a U.S.-based company. Valve Corporation removed the game around or by the time OFAC sanctioned Yanbian Silverstar.
Yanbian Silverstar also appears to have set up a web-based front. OFAC alleges that employees of Yanbian Silverstar rebranded as Russia-based Volasys Silver Star in order to “[…] most likely to facilitate the circumvention of identification requirements on freelance job fora and obfuscate the North Korean workers’ true nationality from clients.”
The site of this front is apparently <http://volasys.net/>; the address given by OFAC for the company can be found in this website’s source code (see Figure 2) though no corporate entity with the name Volasys Silver Star could be found in Russian corporate records.
The fact that these products have been removed from the app store suggests they were suspected as being linked to a North Korean front.
Apple and Valve Corporation in these cases serve as responsible exemplars for internet-based businesses. They took swift action to identify and de-platform potentially sanctioned individuals or entities.
But many internet-based businesses are less resourced, or may be less inclined, to diligently monitor sanctions designations (by the U.S. or otherwise) and make judgments on whether to de-platform individuals or entities that may fall afoul of sanctions regulations.
IMPLICATIONS FOR SANCTIONS COMPLIANCE
The global reach of North Korean IT companies—Future TechGroup and Yanbian Silverstar among them—poses a distinct challenge to entities and individuals seeking to comply with sanctions on North Korea.
Though the UN sanctions regime and the sanctions regimes of individual countries set different restrictions on engagement with North Korea’s IT sector, compliance relies on being able to identify what activity or entities may be linked to North Korea.
With digital wares, it may be more difficult to track the chain of custody for a specific piece of code
The legal cases noted in this article (those involving Pacific Aerospace Limited, e.l.f. Cosmetics, and ZTE Corporation) all involved the transfer of physical goods.
With those, there are—generally speaking—markers that can be used to verify the origin or destination of products. These include import/export declarations, shipment tracking (including AIS monitoring for shipments transported by sea), and payment details.
Transfers of intangible commodities like software don’t carry these same markers. They aren’t even subject to import/export declarations in the same way as physical goods.
While, theoretically, you can monitor the IP address associated with product uploads or downloads, those can be concealed through readily available technologies.
Similarly, while it may be possible to identify one’s interlocutor for a digital transaction, North Korea’s longstanding use of overseas front companies means this is insufficient.
Even after the December 2019 deadline for the repatriation of North Korean workers—including in the IT sector—overseas, North Korea will still likely retain control of front companies capable of receiving and making payments on its behalf.
In this context, it is incredibly important that countries faithfully implement their obligations under the UN sanctions regime.
If all North Koreans earning revenue overseas are repatriated to North Korea and countries shut down companies operating as intermediaries between North Korea and the global financial system, it may be possible to decrease the risk of global IT sales benefiting North Korea’s illicit activity.
This article is the fourth of a series produced by the James Martin Center for Nonproliferation Studies (CNS) at the Middlebury Institute of International Studies exclusively for NK News. For this series, we’ve chosen to focus on the legal (mis)adventures of North Korean entities and individuals overseas. You can read part one here, part two here, and part three here.Supply-chain management
Cameron Trainer is a Research Associate at the Washington, DC office of the James Martin Center for Nonproliferation Studies (CNS). His research is predominantly focused on the implementation, enforcement, and evaluation of the United Nations sanctions regime on North Korea. He is a certified anti-money laundering specialist and holds a M.A. (honors) from the University of St Andrews, where he studied International Relations and Russian.