North Korean nationals are infiltrating organisations by posing as remote IT workers, with companies targeted in multiple industries across Australia, the US, and Europe.

In a blog post from Google’s security research firm Mandiant, researchers pointed to groups of so-called IT workers operating on behalf of the Democratic People's Republic of Korea (DPRK).

By leveraging stolen identities, remote workers strive to pass employment verification, receive company equipment such as laptops and ultimately access limited corporate systems such as codebases or network systems.

One such example saw security awareness training provider KnowBe4 onboard a remote worker who was later discovered to be a North Korean national.

The applicant used a real, stolen US-based identity coupled with an AI-faked photograph to bypass the company’s background checks and managed to get through a total of four video conference-based interviews.

“We sent them their Mac workstation, and the moment it was received, it immediately started to load malware,” said company chief executive Stu Sjouwerman.

Late last year, the Australian Sanctions Office said it had seen the DPRK dispatch “thousands of highly skilled IT workers around the world”.

“DPRK IT workers deliberately obfuscate their identities, locations, and nationalities, typically using fake personas, proxy accounts, stolen identities, and falsified or forged documentation to apply for jobs,” said the office.

“They target employers located in wealthier countries, including Australia, utilising a variety of mainstream and industry-specific freelance contracting, and social media and networking platforms.”

“These workers are active in a range of fields and sectors, including business, health and fitness, social networking, sports, entertainment, and lifestyle.”

Mandiant said these operations, tracked as UNC5267, are motivated by financial gain and aim to keep long-term access to victim networks for “potential future financial exploitation”.

Generating money

Paul Haskell-Dowland, professor of cyber security practice at Edith Cowan University, told Information Age the operations were likely another mechanism for North Korea to “generate funds” while evading state sanctions, while Mandiant affirmed the North Korean regime’s “weapons of mass destruction (WMD) and ballistic missile programs” benefit from UNC5267 funding.

It’s unclear whether the bulk of these fraudulent IT workers are explicitly DPRK spies, or if they are simply part of a wider scheme which sees the DPRK provide amnesty in exchange for a cut of international IT worker profits. However, the Federal Bureau of Investigation (FBI) notes there are likely instances where “workers are subjected to forced labour”.

“DPRK IT workers can individually earn more than US$300,000 a year in some cases, and teams of IT workers can collectively earn more than US$3 million annually,” reads an FBI-issued advisory.

Notably, North Korean nationals participating in UNC5267 operations are not entirely focused on stealing data or offloading malware.

Mandiant notes that despite remote workers often having gained “elevated access” to company systems, the security firm hasn’t observed much espionage or disruptive activity.

In fact, when engaging in incident response with UNC5267 victims, Mandiant has primarily observed DPRK IT workers functioning within the scope of their job responsibilities.

Still, Mandiant warns the group’s objectives do include “potential use of access for espionage or disruptive activity”.

“This heightened level of access granted to fraudulent employees presents a significant security risk,” wrote Mandiant.

“The dual motivations behind their activities – fulfilling state objectives and pursuing personal financial gains – make them particularly dangerous.”

A network of fraud

According to multiple indictments in the US, these false operations are commonly supported by non-North Korean “facilitators”.

These facilitators provide essential services such as money laundering, cryptocurrency or, most notably, receiving and hosting company devices at a domestic residence.

One US facilitator compromised over 60 US identities and defrauded companies from a range of industries, including multiple Fortune 500 companies, US banks and financial service providers.

From these actions, the facilitator and UNC5267 operatives were able to generate $9.8 million (US$6.8 million) of revenue between October 2020 and October 2023.

Furthermore, some 35 US persons were left dealing with false tax liabilities due to their identities being exploited as part of the scheme.

To accomplish their duties, UNC5267 workers often access company laptops via a remote laptop farm.

Typically staffed by a domestic facilitator who is paid a monthly rate for their ‘hosting’ services, these laptop farms enable DPRK workers to use an IP-based keyboard video mouse device which can control multiple computers via one or more keyboards.

Coupled with the installation of remote management tools such as TeamViewer and Chrome Remote Desktop, Mandiant concludes individuals connecting to these compromised laptops “may not be geographically located in the city, state, or even country in which they report to reside”.

Mandiant has also observed operations using “front companies” to disguise their true identities.

Remote hiring done safely

Mandiant said countering the “threat posed by North Korean cyber actors” requires a mix of technical defences and staff awareness training.

The security firm suggests “stringent background checks” and “careful interview processes”, such as requiring cameras be used during interviews to ensure visual appearance matches online profiles.

The company also recommends asking questions to ensure a candidate's responses are consistent with their purported background.

“For organisations, verifying identity becomes critical,” said Haskell-Dowland.

“But there is a question of what level of validation the average organisation is capable of doing.

“Government entities have the ability to undertake more formal verifications, but for a smaller or private organisation, they often won't have access to such checks.”

Haskell-Dowland suggested potentially contracting out verification services for remote hires, noting such services can not only check addresses and work history, but can also involve contacting past employers.

Meanwhile, Mandiant said laptops can be tracked and geolocated to ensure they are at their reported residence, while unapproved remote administration tools and remote connections can be monitored and restricted.
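
The endpoint checks Mandiant describes can be sketched as a short triage script. This is an added example, not code from Mandiant or the article: the inventory rows are constructed, every field name is hypothetical, and the shared-egress check goes beyond the article's wording as one assumed way to spot several laptops hosted together.

```python
from collections import defaultdict

# Remote-administration products named in the article, matched as
# case-insensitive substrings of installed-software display names.
WATCHED_TOOLS = ("teamviewer", "chrome remote desktop")
CORPORATE_EGRESS = {"198.51.100.10"}  # constructed: office/VPN exits to ignore

# Constructed inventory rows; every field name here is hypothetical.
FLEET = [
    {"host": "LT-0141", "user": "a.ng", "residence": ("US", "TX"),
     "observed": ("US", "TX"), "egress_ip": "198.51.100.10",
     "software": ["Slack", "Visual Studio Code"]},
    {"host": "LT-0207", "user": "j.doe", "residence": ("US", "WA"),
     "observed": ("US", "AZ"), "egress_ip": "203.0.113.44",
     "software": ["TeamViewer 15", "Git"]},
    {"host": "LT-0233", "user": "r.roe", "residence": ("US", "FL"),
     "observed": ("US", "AZ"), "egress_ip": "203.0.113.44",
     "software": ["Chrome Remote Desktop Host", "Docker Desktop"]},
]

def review_fleet(fleet, approved_tools=frozenset()):
    """Return {host: [findings]} for endpoints that need a human look."""
    findings = defaultdict(list)
    by_ip = defaultdict(set)
    for ep in fleet:
        for name in ep["software"]:
            hit = next((t for t in WATCHED_TOOLS if t in name.lower()), None)
            if hit and hit not in approved_tools:
                findings[ep["host"]].append(f"unapproved remote tool: {name}")
        if ep["observed"] != ep["residence"]:
            findings[ep["host"]].append(
                "located in {}/{} but residence on file is {}/{}".format(
                    *ep["observed"], *ep["residence"]))
        if ep["egress_ip"] not in CORPORATE_EGRESS:
            by_ip[ep["egress_ip"]].add((ep["host"], ep["user"]))
    # Several laptops issued to different people behind one non-corporate
    # address is the shape a hosted "laptop farm" would produce.
    for ip, members in by_ip.items():
        if len({user for _, user in members}) > 1:
            for host, _ in members:
                findings[host].append(
                    f"shares egress {ip} with {len(members) - 1} other laptop(s)")
    return dict(findings)

if __name__ == "__main__":
    for host, notes in review_fleet(FLEET).items():
        print(host, "->", "; ".join(notes))
```

A shared address can also be a commercial VPN or a shared household, so these findings are prompts for follow-up with HR rather than verdicts.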

Finally, the Australian Sanctions Office suggests employers avoid payments in cryptocurrency, require verification of banking information, and be suspicious if a worker can’t receive items at the address on their identification documentation.