The New York Department of Financial Services issued a cybersecurity advisory on November 1, 2024, regarding a growing threat posed by North Korean operatives seeking remote IT roles at U.S. companies. These operatives secure jobs at prominent companies, generate revenue for the regime, and have the potential to expose sensitive corporate data. These highly sophisticated threat actors use a range of tactics to disguise their identities and infiltrate businesses, posing significant security risks. This alert consolidates critical information from the NYDFS and FBI on the tactics used by these actors, the vulnerabilities they exploit, and recommended steps for companies to mitigate these threats.
The North Korean IT Worker Threat
The NYDFS alert highlights that North Korean IT workers have been operating under fake identities and are often sent by North Korea to live in countries such as China and Russia. They then apply for remote positions in U.S. companies. Their activities are reported to generate millions of dollars for the North Korean regime, which uses these funds to support state programs. Indictments issued by the U.S. government this year show that over 300 U.S. companies have unknowingly hired IT workers from North Korea, exposing them to potential insider threats.
Summary of Threat Tactics
North Korean IT workers use multiple deceptive tactics to secure remote employment in U.S. companies. According to both NYDFS and the FBI, key techniques include:
- False Identities and Proxy Accounts: Operatives often assume the identities of individuals from the U.S. or other countries by using stolen or fabricated identities. In some cases, North Korean actors co-opt U.S.-based individuals, who knowingly or unknowingly support their operations by lending their identities or creating proxy accounts.
- VPNs and Remote Access Concealment: North Korean workers frequently use VPNs to make it appear as though they are based in the U.S., circumventing location-based hiring restrictions. Once hired, they often download remote access software to facilitate connection to U.S. networks, masking their true overseas locations.
- In-Person Avoidance and Device Diversion: To avoid detection, applicants involved in these schemes typically refuse in-person meetings or video calls, instead opting for text or audio-only communication. Additionally, they may request that company equipment (e.g., laptops) be sent to alternate U.S. addresses, where co-conspirators then re-ship these devices overseas.
- U.S.-Based Facilitators and Shell Companies: North Korean operatives frequently collaborate with U.S.-based facilitators who provide various services, including setting up interviews, reshipping devices, and even attending virtual interviews on behalf of the North Korean applicants. Facilitators may also assist in creating accounts on job sites, establishing bank accounts, and providing internet connections for the North Korean operatives.
- Bypassing Background Checks: Through their collaborators or other deceptive means, North Korean IT operatives circumvent background checks, even utilizing remote work protocols to avoid physical identification. They may fabricate job histories, manipulate reference checks, and use voice-altering software to disguise accents.
Guidance from NYDFS and FBI: Actionable Steps for Companies
Both the NYDFS and FBI advise U.S. companies, particularly those with remote positions, to implement a multi-layered strategy to defend against this risk. The NYDFS and FBI recommend the following key measures:
Enhanced Identity Verification Protocols
Bolster identity verification processes during hiring, onboarding, and throughout the employment of remote workers. Recommended steps include:
- Multi-Document Verification: Require multiple forms of identification, such as passports and national IDs, to cross-verify applicant identities. Ensure document authenticity using both automated verification systems and manual checks.
- E-Verify and IP Checks: Use services like E-Verify to validate identities against government records, and monitor for inconsistencies in applicant-provided information. Conduct IP address checks to confirm applicants’ locations, flagging the use of VPNs or unusual IP ranges.
- Social Media and Public Records Scrutiny: Review candidates’ social media profiles and public records for additional verification and to identify discrepancies in stated employment history, location, or personal background.
- Live Video Interviews with ID Matching: Require video interviews with the camera on, ensuring that the applicant’s appearance aligns with the provided identification. During the interview, ask the applicant questions about their location, role expectations, and career background to spot inconsistencies.
Rigorous Pre-Employment Screening of IT Contractors and Third-Party Vendors
Since third-party staffing agencies and vendors can introduce additional risks, companies should consider conducting stringent due diligence on vendors responsible for hiring and managing IT contractors. Recommended actions include:
- Mandated Vendor Screening Standards: Require vendors to implement the same level of rigorous identity verification as the company’s own hiring team.
- Frequent Audits: Conduct periodic audits of third-party vendors’ hiring practices, and ensure they are aware of the specific threat posed by North Korean operatives.
- Address and Payment Monitoring: Instruct vendors to flag any suspicious changes to an applicant’s address or payment platform and to alert the company’s security team to these red flags.
Technical and Network Monitoring Controls
Once a remote employee is hired, companies should establish robust technical controls to monitor access and identify any suspicious activity on their networks. Best practices include:
- Geolocation Tracking on Company Devices: Track company laptops and phones to ensure that they are at the designated address provided by the employee. Changes in location, address, or delivery requests should be immediately flagged and investigated.
- Restricting Remote Access Tools and Monitoring Network Traffic: Limit or prohibit employees from installing remote access software. Implement robust network monitoring to detect unusual network traffic patterns, IP addresses originating from unexpected locations, and unauthorized connections.
- Endpoint Security and Incident Response: Equip company devices with endpoint detection and response (EDR) tools, allowing for real-time detection of malicious activity. Instruct IT and security teams to respond swiftly to indicators of unauthorized access, including unexpected remote access tool installation or suspicious geographic access points.
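The IP-check recommendation under identity verification and the geolocation, remote-access-tool and network-monitoring controls listed above all reduce to rules a security team can run over its own telemetry. The Python below is an added example and is not code from NYDFS, the FBI or the authors of this alert; the employee record, VPN/proxy netblocks (RFC 5737 documentation ranges), approved-tool list, drift threshold and log lines are all constructed assumptions for illustration.

```python
"""Screen remote-worker telemetry for the red flags the advisory lists.

Added example, not part of the NYDFS/FBI advisory. Every employee record,
IP range and log line is constructed; none is an indicator from the advisory.
"""
from __future__ import annotations

import ipaddress
import math
from dataclasses import dataclass

# Assumed HR/asset record: countries the employee may work from and the
# lat/lon of the address the company laptop was shipped to (constructed).
EMPLOYEES = {
    "e1001": {"countries": {"US"}, "device_home": (40.71, -74.01)},
}
# Constructed netblocks the security team tags as commercial VPN/proxy exits.
VPN_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Remote access tooling permitted on managed devices (assumed policy); any
# other install the EDR classifies as a remote access tool is a finding.
APPROVED_REMOTE_TOOLS = {"corp-rmm-agent"}
# Assumed threshold for the "device diverted from shipping address" rule.
MAX_DEVICE_DRIFT_KM = 50.0


@dataclass
class Event:
    ts: str
    employee: str
    kind: str
    attrs: dict


@dataclass
class Finding:
    ts: str
    employee: str
    rule: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse 'ts|employee|kind|k=v;k=v' (constructed log format)."""
    ts, employee, kind, raw = line.strip().split("|", 3)
    attrs = dict(kv.split("=", 1) for kv in raw.split(";") if kv)
    return Event(ts, employee, kind, attrs)


def haversine_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def evaluate(ev: Event) -> list[Finding]:
    """Apply the advisory's red-flag rules to one event."""
    rec = EMPLOYEES.get(ev.employee)
    if rec is None:
        return [Finding(ev.ts, ev.employee, "unknown_employee", "no HR record")]
    out: list[Finding] = []
    if ev.kind == "vpn_login":
        ip = ipaddress.ip_address(ev.attrs["src_ip"])
        if any(ip in net for net in VPN_PROXY_RANGES):  # VPN/proxy exit check
            out.append(Finding(ev.ts, ev.employee, "vpn_or_proxy_exit", str(ip)))
        if ev.attrs.get("country") not in rec["countries"]:  # unexpected location
            out.append(Finding(ev.ts, ev.employee, "login_outside_approved_country",
                               ev.attrs.get("country", "?")))
    elif ev.kind == "remote_tool_install":  # unauthorized remote access software
        name = ev.attrs.get("name", "?")
        if name not in APPROVED_REMOTE_TOOLS:
            out.append(Finding(ev.ts, ev.employee, "unapproved_remote_access_tool", name))
    elif ev.kind == "device_geo":  # laptop far from the registered address
        here = (float(ev.attrs["lat"]), float(ev.attrs["lon"]))
        km = haversine_km(rec["device_home"], here)
        if km > MAX_DEVICE_DRIFT_KM:
            out.append(Finding(ev.ts, ev.employee, "device_far_from_registered_address",
                               f"{km:.0f} km"))
    return out


def run(lines: list[str]) -> list[Finding]:
    """Run every rule over a batch of log lines, preserving order."""
    return [f for line in lines if line.strip() for f in evaluate(parse_line(line))]


# Constructed telemetry for one employee whose laptop was shipped to New York.
SAMPLE_LOG = """
2024-11-04T13:02:11Z|e1001|vpn_login|src_ip=203.0.113.45;country=US
2024-11-04T13:05:40Z|e1001|remote_tool_install|name=unapproved-remote-desktop
2024-11-04T14:10:00Z|e1001|device_geo|lat=39.90;lon=116.40
2024-11-04T15:00:00Z|e1001|vpn_login|src_ip=198.51.100.7;country=CN
2024-11-05T09:00:00Z|e1001|vpn_login|src_ip=192.0.2.10;country=US
"""

if __name__ == "__main__":
    for f in run(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.employee} {f.rule}: {f.detail}")
```

Each finding is a prompt for the security team to investigate, not a verdict: a single VPN login or a travelling employee can trip a rule legitimately, which is why the rules emit separate findings rather than one score. In a real deployment the employee record would come from the HR system, the VPN/proxy netblocks from a maintained feed, and the device position from the endpoint agent; the rule logic stays the same.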
Risk-Based Access Controls for Remote Workers
To limit the potential impact of any unauthorized access, companies should enforce strict, risk-based access controls for remote employees:
- Access Restriction and Gradual Privilege Expansion: Limit remote workers’ access to only the systems and data required for their role, expanding access only as necessary based on job performance and verified need.
- Enhanced Monitoring of Remote Activities: Monitor remote employees’ internet and network activity, with particular attention to visits to overseas sites or downloading of non-standard applications.
- Device and Software Security Policies: Ensure that remote employees are prohibited from installing unauthorized software on company devices and set up alerts to detect any attempt to circumvent these controls.
Employee Awareness and Training Programs
Both NYDFS and FBI emphasize the importance of educating key personnel about this threat. Actions include:
- Targeted Training for HR and Security Teams: Provide specific training to hiring managers, cybersecurity staff, and senior executives on the unique risks posed by North Korean IT operatives. This training should highlight red flags, such as applicants who refuse video calls or request unusual address changes.
- Awareness Campaigns for Vendors and Contractors: Work with third-party staffing firms to disseminate information about this threat and establish standardized processes for detecting and reporting unusual activity.