Fraudulent IT Workers in North Korea May Pose a Cyberthreat to Your Business

The digital age has ushered in unprecedented opportunities for global collaboration and remote work, but it has also opened doors for a particularly insidious cyberthreat: fraudulent IT workers in North Korea. Trained and deployed by the regime, these individuals skillfully infiltrate legitimate companies under the guise of freelance or remote work, posing a significant risk to sensitive information, intellectual property, and financial assets. In addition, they fund the regime in various ways.

These cyberthreats can have a serious impact on your business. In one recent case, an IT worker scam uncovered by the FBI cost victim companies more than $500,000 associated with auditing and securing their devices, systems, and networks after the IT workers were discovered. That is on top of the hundreds of thousands of dollars paid to these fraudulent workers through their salaries. Guidance from the State Department, Treasury Department, and FBI show that, in some cases, these teams can collectively earn more than $3 million annually. 

Further complicating the threat landscape is the blending of these IT workers with North Korean Advanced Persistent Threat (APT) groups that are behind large cyberattacks, making the need for vigilance and proactive measures even more crucial for HR leaders, hiring managers, and executives alike.

Highly proficient in various IT disciplines, these workers expertly exploit the demand for remote talent. They can pose as freelancers from other countries, such as Vietnam, and recruit individuals in the host nation, such as the U.S., to facilitate operations, all while using a range of techniques to hide their true identities. IT workers can operate in any location using a VPN to mask their IP address. 

Once embedded within a company, APT operators can leverage their access for malicious purposes, ranging from data theft to cyberespionage. Their activities not only generate millions of dollars in revenue for the North Korean regime but also enable them to conduct sophisticated cyberattacks. Integrating IT workers with APT groups amplifies the potential damage; these groups are known for their targeted attacks and persistence.

Practical Advice to Strengthen Your Defenses

As an HR executive, it’s critical to do your part to protect your organization from cyberthreats. Here are five strategies to defend your company during the hiring process: 

1. Enhance vetting processes: Implement stringent background checks and use reputable third-party services to help verify identities and uncover inconsistencies. Utilize Form I-9 and conduct thorough interviews, incorporating video calls and targeted questioning. Pay close attention to any discrepancies or hesitations, especially regarding previous employment and education.
2. Evaluate freelance hires with extra precaution: Vet staffing firms thoroughly, avoid direct recruitment through online IT competitions, and research each individual candidate. Request documentation of background checks, verify financial information, and consider requiring notarized proof of identity. 
3. Implement technical vigilance: Be on the lookout for technical red flags. IT teams should conduct traceroutes to detect unusual latency patterns, monitor for the use of specific VPN services, and verify phone numbers for Voice over Internet Protocol (VoIP) usage. These technical indicators can provide valuable clues about a candidate’s true location and intentions. Additionally, monitor network traffic for any suspicious activity indicating APT involvement.
4. Scrutinize financial transactions: Require the use of banks within the host nation and closely monitor any involvement with foreign exchange services. Be wary of requests for prepayment or unusual payment methods. Implement strict financial controls and regularly review transactions for any anomalies that might suggest illicit activity.
5. Educate and empower your team: Provide HR departments and hiring managers with comprehensive training on IT worker tactics, techniques, and procedures (TTPs), as well as the strategies employed by APT groups. Teach employees to spot potential threats, including inconsistencies in resumes, suspicious online behavior, and potential red flags during interviews. It is unknown if AI can spot these threats when scanning job candidates.

Recognizing the Red Flags

Here are a few common warning signs to look for when hiring:

• Reluctance to appear on camera. An unwillingness to engage in video calls or interviews is a major warning sign. Insist on video communication whenever possible to establish a visual connection and verify identity.

• Concerns about drug tests or in-person meetings. This apprehension could indicate a desire to avoid physical verification. Remote work is increasingly common, but be wary of candidates who consistently refuse to meet in person or undergo standard pre-employment procedures.

• Suspicious behavior during coding tests and interviews. Watch for excessive pauses, eye movements that suggest reading from a script, and answers that sound plausible but are incorrect. These behaviors can indicate dishonesty or attempts to conceal a lack of genuine expertise.

• Inconsistent online profiles. Discrepancies between online profiles and resumes, or a lack of an online presence altogether, can raise concerns. Conduct thorough online research to verify a candidate’s background and professional experience.

• Rapid changes in home address. Frequent changes after hiring could suggest a lack of genuine ties to a location. Be cautious if a candidate’s address changes frequently or if they are unable to provide a stable physical address.

• Education and employment inconsistencies. Education from certain universities in Asia combined with employment primarily in the U.S., South Korea, or Canada can be a warning sign. Scrutinize educational credentials and employment history for any inconsistencies or gaps.

• Financial demands and language preferences. Be wary of repeated requests for prepayment or a preference for Korean while claiming to be from a region that does not speak the language. These can be indicators of potential fraudulent activity.

Staying Ahead of the Threat

The threat posed by fraudulent IT workers in North Korea, particularly when blended with APT operations, demands unwavering vigilance and a proactive approach to security. By implementing robust security measures, fostering a culture of awareness, and staying informed about the latest TTPs, you can significantly reduce your risk. 

Remember, protecting your company’s valuable assets requires a proactive and vigilant approach. If you prioritize security and remain informed, you can safeguard your business from this stealthy and sophisticated cyberthreat. 
 

Michael (Barni) Barnhart is the lead for all of Democratic People’s Republic of Korea operations within Mandiant. He’s spent 19 years as an intelligence professional, starting with human intelligence collection doing tactical raids, interrogations, and source operations with regular U.S. Army and Special Operations.