AI Incident Database

Report 5385

Associated Incidents

Incident 111841 Report
Ongoing Purported AI-Assisted Identity Fraud Enables Unauthorized Access to Western Companies by North Korean IT Workers

4 Ways to Stop Fake Applicants—and Remote Employees—In This North Korean Job Scam
inc.com · 2025

Most business owners put at least some effort into defending themselves from the increasing risks of cyberattacks, ransomware demands, and fraud schemes run by fake job applicants. Now they're getting warnings from security experts about the rising threat posed by thousands of North Korean operatives who create forged identities to land work as remote IT workers with U.S. firms, and then send pay and data back to their government in Pyongyang.

That threat of impostors from the Democratic People's Republic of Korea (DPRK) infiltrating U.S. businesses as ordinary remote tech workers isn't new, but experts say it has increased with alarming speed. Research released last month by cybersecurity specialist SentinelOne detailed a broad, extremely active, and often effective plot involving thousands of North Koreans landing jobs with big tech firms---as well as many Fortune 500 companies. Its report warned of a "staggering volume of ongoing infiltration attempts" that it said "far outpaces any other insider threat vector we monitor."

According to experts cited in a recent Politico report, the North Korean operatives either steal or make up personal information linked to real U.S. IT employees, and scour job posting sites looking for high-paying tech vacancies. They then swarm-apply for those openings to increase the odds of some operatives getting through to interview rounds. Politico reported that the impostors use artificial intelligence to create "deepfakes to look and sound like the person they are attempting to impersonate, often in real time."

"These actors are not just applying blindly---they are refining their process, leveraging stolen or fabricated personas, and adapting their outreach tactics to mirror legitimate job seekers in increasingly convincing ways," the SentinelOne report said. "Our team has tracked roughly 360 fake personas and over 1,000 job applications linked to DPRK IT worker operations applying for roles at SentinelOne---even including brazen attempts to secure positions on the SentinelLabs intelligence engineering team itself."

Once they've been hired, infiltrators provide real remote IT work, while leaving few clues behind that allow employers to discover their deceit. Their initial objective, experts say, is to hand over the handsome salaries they're paid to their government's military development program. But while in those jobs, they also often plant malware and configure networks for access to conduct data theft or ransom attacks if they're ever caught and fired.

The location of work performed in North Korea is masked by accomplices in the U.S., to whom employers unwittingly send company-issued laptops. Those computers are left running to simulate use in the U.S., and are accessed by North Korean infiltrators while doing their jobs. Employers may feel they're getting their money's worth from their remote IT techies, when in reality they're vulnerable to serious threats.

"That North Korean IT worker has access to your whole host of web development software, all the assets that you've been collecting... (and) that worker is being paid by you, funneled back into the North Korean state, and is conducting espionage at the same time," Alexander Leslie, threat intelligence analyst at cyber firm Recorded Future, told Politico. "It imposes a significant financial and compliance risk."

It also exposes companies to potential legal action from U.S. authorities for having employed and paid North Korean citizens---a violation of the law whether it's intentional or not. That's one reason why experts say many businesses that discover the ruse don't go public with it.

But that's a mistake, the SentinelOne report says. During its investigation, the company discovered that the more it shared what it learned with partners---internally, and externally---the faster that clues, insights, and techniques for identifying imposters multiplied across their network.

"Recruiters began spotting patterns on their own, driving an increase in early-stage escalation of suspicious profiles," the report said. "They became an active partner that continues to flag new sightings from the frontlines. In turn, we are codifying these insights into automated systems that flag, filter, enrich, and proactively block these campaigns to lower the burden on our recruiters and hiring managers, and reduce the risk of infiltration."

Google's Threat Intelligence Group has also documented the increasing number of North Korean job applicants and infiltrators, as well as the expansion of their means to raise hard cash for the regime of the nation's leader, Kim Jong Un. That has led them to "intensified extortion campaigns against employers, and they've moved to conduct operations in corporate virtual desktops, networks, and servers," a March article by the unit said.

Because of that, Google's Threat Intelligence Group urged companies to take defensive measures against the new North Korean twists to the broader cyber criminality threat. Those include:

  • Building a robust insider risk-management program: Establish a formal insider risk program by developing a strategy, creating clear policies, coaching executives, building organizational frameworks, ensuring governance, and providing employee training to foster a security-conscious culture.
  • Developing a security-minded hiring process and culture: Stringent background checks, careful on-camera interview processes that require more personal engagement from the candidate, and vigilant job-history vetting can all help mitigate the risk posed by North Korean IT workers.
  • Securing remote-work practices: Verify the identity and location of remote workers, including being cautious if the worker suddenly suggests a different shipping address, and requiring in-person device pickup whenever possible.
  • Monitoring insider risk: Security teams should have the appropriate visibility and logging capabilities to determine when employees have exfiltrated sensitive data and provided network access. While this is ideally detected and prevented before a significant incident occurs, organizations should also factor insider risk into their incident response plans.

What else can recruiters, hiring executives, and business owners do once they suspect they could be dealing with a potential North Korean infiltrator during a remote hiring interview?

Angel investor and G8keep crypto startup co-founder, Harrison Leggio, has a low-tech defense hack that may also provide managers some extra sense of payback.

"Say something negative about Kim Jong Un," Leggio told Fortune, referring to the leader central to North Korea's cult of personality government. "The first time I ever did it, the person started freaking out and cursing."

Other business executives have adapted that tactic to thwart suspected North Korean applicants in a similar way.

"My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?'" CrowdStrike senior vice president of counter adversary operations, Adam Meyers, told a recent tech conference, according to cybersecurity news site The Register. "They terminate the call instantly, because it's not worth it to say something negative about that."

Plus, in addition to possibly protecting your business from nefarious infiltration, using that ruse may be one of the few imaginable occasions when fat-shaming serves the greater good.
