Perry Carpenter is Chief Human Risk Management Strategist for KnowBe4, developer of Security Awareness Training & Phishing Simulation tools.
In July 2024, my company, a leader in cybersecurity awareness training, went public with how it accidentally hired a North Korean threat actor.
This wasn’t the first time a U.S.-based company had been defrauded by a remote-hiring scam, including schemes run specifically by North Korean IT workers. So far, more than 300 companies have been infiltrated by this fake-employee scheme.
Background On The North Korean IT Workers
This operation is said to have been directed by people who are at the highest levels of the North Korean regime. The core objective of this program is to secure a job from a U.S.-based organization, earn money and then transfer funds to help support the country’s strategic weapons program. These fraudulent IT workers may also bring to bear other malicious objectives such as surveillance, data theft and ransomware seeding, which go beyond ordinary scams and money-making schemes.
Thousands of North Koreans are believed to be involved in this fake IT worker ploy, and some of them are suspected to be victims of human trafficking. Close family members are held back in North Korea as leverage, and the workers are forced to work long hours in exchange for little money. Because North Korea’s own internet IP address space is small and easily detected and blocked by federal law enforcement, the workers operate from China, Malaysia, Russia, Africa and other Southeast Asian countries.
How The Operation Is Set Up And Executed
The Democratic People’s Republic of Korea (DPRK) workers pose as freelancers on gig economy platforms such as Fiverr and Upwork to take advantage of the demand for specific IT skills such as software and mobile application development and to obtain employment contracts around the world. Additionally, with the remote work phenomenon exploding post-pandemic, North Koreans have begun applying for highly skilled positions in large technology and Fortune 500 companies.
Of course, they don’t advertise their affiliation with the DPRK. Fraudsters create fabricated profiles and resumes complete with false references and job histories, using social platforms like LinkedIn to seek available job opportunities.
These imposters then use stolen, purchased or forged identity documents such as driver’s licenses, social security cards, passports, national identification cards, work visas and AI-manipulated photographs to pass background checks. During interviews, they may use VPNs to conceal their true IP address and location. In some cases, the owners of the real identities are paid to assist in the scheme, participate in virtual interviews, pass background checks and take drug tests.
After securing the job, the newly hired fake employee will make any excuse (helping a sick relative, new living location, traveling with a girlfriend, etc.) and request to have their laptop shipped to a different location not previously mentioned. Once the laptop is shipped, it is picked up by an equipment handler who generates a fake ID in the name of the fake employee (for visual verification). The laptop is transported to a laptop farm, where a U.S.-based handler operates a network that enables remote access to offshore hackers.
Since remote access tools such as VPNs, RDP and SSH can be detected easily by cybersecurity tools, these handlers instead attach a KVM (keyboard, video, mouse) device to the laptop so that the machine appears to be operated locally while it is actually controlled from offshore. Once the remote connection is set up, DPRK workers operate like any normal remote worker.
How Can Organizations Mitigate The Risks Of Fake Remote IT Workers?
Based on my research and direct experience, here are some best practices that organizations should adopt:
1. Update hiring rules, policies and processes. Updating your hiring policies and procedures is the first way to mitigate these risks. For example, you could mandate a face-to-face meeting if feasible, lock down the newly shipped device by allowing only the barest access until the onboarding process is fully complete and require the employee to appear on video.
2. Invest in cyber awareness and training. Recruitment teams and hiring managers must have a keen awareness of these fraudulent candidates on job boards. In addition to this awareness, I recommend HR teams and employees undergo comprehensive training that includes simulation exercises to help recognize and respond to these risks. Training also reinforces employee adherence to security best practices.
3. Deploy systems, security and automation. Consider using platforms or systems that can aid in detecting fraud, such as inspecting photos for signs of AI editing and flagging suspicious resumes. Deploy zero-trust principles to restrict blanket access for employees and segment their access to applications based on their roles and profiles. Closely monitor devices initiating remote connections.
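As an added illustration of the monitoring step above (example code written for this edit, not from the article or from KnowBe4), the following Python sketch runs two defender-side checks over constructed check-in records for newly onboarded hires: a shipped laptop whose first VPN or identity-provider check-in geolocates away from the address it was shipped to, and several corporate devices appearing behind one external IP, which is the pattern a laptop farm would produce. Device IDs, usernames, cities and IP addresses are all made up.

```python
from collections import defaultdict

# Constructed sample data (not real): where each new hire's laptop was shipped.
SHIPPED_TO = {
    "LT-1001": "Austin",
    "LT-1002": "Denver",
    "LT-1003": "Boston",
    "LT-1004": "Seattle",
}

# Constructed first check-in events as a VPN or identity provider might log them:
# (device id, assigned user, external IP, geolocated city of that IP).
CHECKINS = [
    ("LT-1001", "jdoe",   "203.0.113.10", "Austin"),
    ("LT-1002", "asmith", "198.51.100.7", "Nashville"),
    ("LT-1003", "bwong",  "198.51.100.7", "Nashville"),
    ("LT-1004", "kpatel", "198.51.100.7", "Nashville"),
]


def location_mismatches(checkins, shipped_to):
    """Devices whose first check-in city differs from the city the laptop was shipped to."""
    return [device for device, _user, _ip, city in checkins if shipped_to.get(device) != city]


def shared_egress_ips(checkins, min_devices=3):
    """External IPs behind which at least `min_devices` distinct corporate devices appear."""
    devices_by_ip = defaultdict(set)
    for device, _user, ip, _city in checkins:
        devices_by_ip[ip].add(device)
    return {ip: sorted(devs) for ip, devs in devices_by_ip.items() if len(devs) >= min_devices}


def onboarding_alerts(checkins, shipped_to, min_devices=3):
    """Combine both checks into human-readable alerts for the security team to review."""
    alerts = []
    for device in location_mismatches(checkins, shipped_to):
        alerts.append(f"{device}: first check-in away from shipping city {shipped_to[device]}")
    for ip, devices in shared_egress_ips(checkins, min_devices).items():
        alerts.append(f"{ip}: {len(devices)} corporate devices share this external IP")
    return alerts


if __name__ == "__main__":
    for line in onboarding_alerts(CHECKINS, SHIPPED_TO):
        print(line)
```

A hit on either check is a reason to pause the device's access and verify the hire on video, not proof of fraud by itself; travelling employees and shared office egress addresses will also trigger it.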
Impersonated employees and contractors are a concern for all organizations. Although this security update concerns North Korean IT employees, individuals from any country can falsely represent themselves. Every organization should review and update its hiring policies and procedures, utilize AI-detection tools and automation, and double down on employee training to tackle this threat head-on.