The ultimate insider threat: North Korean IT workers

Jamie Collier
Lead Threat Intelligence Advisor (Europe), Google Threat Intelligence Group
Michael Barnhart
Principal Analyst, Google Threat Intelligence Group
It’s long been known that the North Korean regime has been involved in cybercrime and other cyber operations to advance its strategic goals. One of its more recent tactics has been to create fake workers — names, resumes, and even personalities — to get its IT workers hired remotely as employees at major companies, in high-paying technical roles.
Posing as non-North Korean nationals, these fake workers have convinced employers across many industries offering remote-work jobs to hire them for roles ranging from web design to full stack senior developer.
“The dual motivations behind their activities — fulfilling state objectives and pursuing personal financial gains — make them particularly dangerous,” we wrote in a blog last September that detailed this new twist on the corporate insider threat. “Their technical proficiency, coupled with sophisticated evasion tactics, poses a formidable challenge, especially for HR and recruiting teams tasked with identifying potential threats during the hiring process.”


The Google Threat Intelligence Group (GTIG) has continued to investigate the North Korean IT worker threat as part of our leading efforts to bring the scheme to law enforcement's attention and to help the public fully understand the scale and significance of the problem. Previously, their main objective had been to use these positions to generate revenue for the North Korean regime.
Since our September report, we have observed the North Korean IT worker threat evolve. We’ve detected North Korean IT workers conducting a global expansion beyond the U.S., with a notable focus on Europe. They have also intensified extortion campaigns against employers, and they’ve moved to conduct operations in corporate virtual desktops, networks, and servers.
They now use their privileged access to steal data and enable cyberattacks, in addition to generating revenue for North Korea.
While the North Korean IT worker problem is especially challenging because of how it takes advantage of organizations eager to hire talented employees, there are concrete steps that employers can take to mitigate the risk. As we noted in the new Perspectives on Security for the Board report published today, GTIG has identified four important trends for executives to be aware of:
- Move to extortion and data leak operations: IT workers initially generated revenue for the North Korean regime through their salary, financial transfers, and cryptocurrency theft. More recently, and in conjunction with our partners, we have observed an uptick in extortion operations against large organizations, where IT workers will threaten to leak sensitive data unless a ransom is paid.
- Global operations: While increased public reporting, indictments, and right-to-work challenges have made illicitly taking and maintaining employment more challenging, North Korean IT workers remain an active threat in the U.S. as they also seek roles across Europe and Asia.
- Experimenting with AI: North Korean IT workers are experimenting with AI in various ways, including generating fake profile photos, using deepfakes during video interviews, and using AI writing tools to get around language barriers.
- National security considerations: IT workers have been linked to North Korean cyber espionage operations. This means that organizations that hire IT workers increase their risk of espionage activity.
What you can do: Get ahead of the threat
Identifying and addressing insider risk, including the North Korean IT worker risk, is a joint responsibility: security, human resources, legal, audit, and finance functions all have a part in detecting and responding to it.
Boards of directors should use the increased threat from North Korean IT workers as an opportunity to implement a broader set of insider risk policies and controls. Boards should set clear expectations around:
- Building a robust insider risk-management program: Establish a formal insider risk program by developing a strategy, creating clear policies, coaching executives, building organizational frameworks, ensuring governance, and providing employee training to foster a security-conscious culture.
- Developing a security-minded hiring process and culture: Stringent background checks, on-camera interview processes that require more personal engagement from the candidate, and vigilant job-history vetting can all help mitigate the risk posed by North Korean IT workers.
- Securing remote-work practices: Verify the identity and location of remote workers, be cautious if a new hire suddenly asks for equipment to be shipped to a different address than the one on file, and require in-person device pickup whenever possible.
- Monitoring insider risk: Security teams should have the visibility and logging needed to determine when employees have exfiltrated sensitive data or handed network access to outsiders. While this is ideally detected and prevented before a significant incident occurs, organizations should also factor insider risk into their incident response plans.
Additionally, we recommend boards ensure their organizations are performing regular insider threat penetration tests and hunting exercises. Simulating real-world threats, identifying vulnerabilities, and proactively uncovering hidden malicious activity strengthens your defenses, and penetration and hunting exercises provide actionable insights that improve the organization's risk posture.
What you can do: Watch for these technical indicators
While security and business leaders can take concrete action to get ahead of the IT worker insider threats, there are also eight key technical considerations we noted in September’s report that can help security teams mitigate the risk of hiring a North Korean IT worker. Be sure that your security team is aware of these, and discuss with them as necessary.
- Verify phone numbers to identify Voice over Internet Protocol (VoIP) phone numbers, which can be used to hide threat actor location.
- Verify during onboarding that corporate laptops geolocate to the address they were shipped to. GTIG has observed instances where the deployed corporate laptop was never geolocated in the location where the individual claimed to reside.
- Monitor and restrict the use of remote administration tools:
  - Prevent any remote connections to company-issued computers that can access the corporate network.
  - Monitor for uncommon remote administration tools, and for multiple remote administration tools installed on one device.
- Monitor for the use of VPN services to connect to corporate infrastructure, including IP addresses associated with VPN services.
- Monitor for the use of “mouse jiggling” software, which we have observed North Korean IT workers using to remain active across several laptops and profiles.
- Request verification of the laptop serial number at the time of IT onboarding. Anyone with physical possession of the corporate device can read this information off the hardware.
- Use hardware-based multi-factor authentication, so that authenticating to corporate systems requires physical possession of the corporate device and its security key.
- Monitor and restrict the use of IP-based KVM devices, which have been frequently used by North Korean IT workers to maintain persistent remote access to corporate devices.
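Several of the indicators above (serial number verification, laptop geolocation against the shipping address, multiple remote administration tools on one device, mouse-jiggler processes, and logons from VPN-provider address ranges) can be checked automatically against asset and endpoint data at onboarding. The script below is an added example of such a triage check; it is not code from this post or from GTIG. The watchlists, the VPN ranges (RFC 5737 documentation addresses) and the endpoint records are constructed placeholders, and a real deployment would populate them from its own EDR, asset register and threat-intelligence feeds.

```python
"""Onboarding triage checks for remote-hire endpoints.

Added example, not the original post's code. Watchlists, VPN ranges and the two
sample endpoints below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Assumed watchlist of remote-administration tools (lower-case product names).
REMOTE_ADMIN_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop"}
# Assumed process-name fragments that suggest mouse-jiggling / keep-awake software.
JIGGLER_HINTS = ("jiggl", "mousemove")
# Constructed "VPN provider" ranges using RFC 5737 documentation space.
VPN_RANGES = [ip_network("203.0.113.0/24")]


@dataclass
class Endpoint:
    hostname: str
    asset_serial: str        # serial recorded in the asset register at shipping time
    onboarding_serial: str   # serial the new hire read out during IT onboarding
    shipped_to: tuple        # (lat, lon) of the shipping address
    first_seen_at: tuple     # (lat, lon) geolocated from the laptop's first check-in
    installed: list          # installed software names from endpoint inventory
    processes: list          # running process names from the EDR agent
    logon_ips: list          # source IPs seen on corporate authentication


def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def assess(ep, max_km=100.0, vpn_ranges=VPN_RANGES):
    """Return a list of human-readable findings for one endpoint (empty = clean)."""
    findings = []
    if ep.asset_serial != ep.onboarding_serial:
        findings.append(f"serial mismatch: asset {ep.asset_serial} vs onboarding {ep.onboarding_serial}")
    dist = km_between(ep.shipped_to, ep.first_seen_at)
    if dist > max_km:
        findings.append(f"geolocation: first check-in {dist:.0f} km from shipping address")
    tools = sorted({s for s in ep.installed if s.lower() in REMOTE_ADMIN_TOOLS})
    if len(tools) >= 2:
        findings.append("multiple remote admin tools: " + ", ".join(tools))
    elif tools:
        findings.append("remote admin tool present: " + tools[0])
    jigglers = [p for p in ep.processes if any(k in p.lower() for k in JIGGLER_HINTS)]
    if jigglers:
        findings.append("mouse-jiggler-like process: " + ", ".join(jigglers))
    vpn_hits = [ip for ip in ep.logon_ips if any(ip_address(ip) in net for net in vpn_ranges)]
    if vpn_hits:
        findings.append("logons from VPN-provider ranges: " + ", ".join(vpn_hits))
    return findings


def triage(endpoints):
    """Map hostname -> findings, for the whole onboarding batch."""
    return {ep.hostname: assess(ep) for ep in endpoints}


# Constructed sample records. Both were shipped to the same (Denver-area) address.
CLEAN = Endpoint("lt-0412", "C02XK1", "C02XK1", (39.74, -104.99), (39.76, -105.01),
                 ["Slack", "Zoom"], ["slack.exe", "outlook.exe"], ["198.51.100.7"])
SUSPECT = Endpoint("lt-0418", "C02XK9", "C02XK2", (39.74, -104.99), (41.88, -87.63),
                   ["Slack", "AnyDesk", "RustDesk"], ["slack.exe", "MouseJiggler.exe"],
                   ["203.0.113.44", "198.51.100.9"])

if __name__ == "__main__":
    for host, findings in triage([CLEAN, SUSPECT]).items():
        print(host, "->", findings or "no findings")
```

The distance threshold is deliberately a parameter: a laptop that first checks in a few kilometres from the shipping address is normal, one that appears in a different region before the hire's first day is not. Any single finding is only a prompt for a human follow-up (a video call with the hire showing the device and its serial label, for instance), but several findings on one host at onboarding warrant escalation before the account is granted privileged access.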
Additionally, to further bolster security, consider enhanced monitoring, especially for new hires and remote workers. Implement behavioral analytics and user activity monitoring tools, which rely on aggregated data from endpoints, network, web proxy, and authentication systems. This approach can help you identify anomalies, particularly around privilege elevation, and can bolster a layered and proactive security posture.
For more cybersecurity guidance for boards of directors, check out our newest Perspectives on Security for the Board report.