Chances are unlikely. But what is really scary is that it could have already happened, and you just didn’t realize it. A report from various US federal agencies was published a few weeks ago, offering guidance on IT workers who are trying to get a job in your company while posing as non-North Koreans. You probably already know that the country has trained thousands of workers in various IT disciplines to generate revenue for the government. In the past, these efforts have mostly involved developing malware (such as this notice from CISA about targeting blockchain companies) and launching ransomware attacks. But lately they have turned to a new ploy: building credible resumes for job candidates who, once hired, can launch attacks from inside the company. Thanks to the pandemic and the increase in remote work, this has become a real risk.
While many of the candidates were immediately found lacking (one hiring manager said it was obvious they didn’t have the right knowledge or skills), this notice still gives me pause. It is the ultimate supply chain attack, because it is aimed squarely at the growing shortage of full-stack and other agile developers. The feds report that thousands of these workers are taking on IT contracts all over the world, with many of the workers themselves based in North Korea, Russia and China. Some earn salaries of US$300,000 or more, which generates a lot of income for North Korea; the individual IT workers, of course, see little of those funds. The report credits the candidates with skills in a wide variety of disciplines, such as mobile app development, AI-related apps, and database development.
Of course, if one of these phonies is actually hired, the hiring firm can face all sorts of legal and financial penalties, given the numerous sanctions that have been created to prevent any kind of trade with North Korea. In many cases, firms downplay this threat, thinking that North Korean IT workers aren’t that sophisticated. The government report disagrees and sounds a clear warning.
The report lists numerous ways you can tell you are dealing with a bad actor, and I use the term both literally and in the cyber sense. For example, the candidates have too-good-to-be-true reviews on the hiring websites, with those reviews collected over a very short period. Their “extensive” knowledge doesn’t hold up under questioning (which means you have to be prepared to vet them carefully with the right questions), and their video conferencing calls show long latencies that don’t match their stated location; many candidates will claim a US college or technical degree and US residency. Just considering three of North Korea’s top schools, more than 30,000 students are currently studying various IT topics, and there are now more than 85 programs in 30 schools offering various STEM curricula.
North Korean “IT workers may share access to virtual infrastructure, facilitate sales of data stolen by North Korean cyber actors, or assist with their country’s money laundering and virtual currency transfers,” says the report. They hide their true identity behind third-party shell companies, or play the role of a subcontractor to a legitimate company. They are proficient in English and Chinese, though an attentive listener who knows what to listen for can still pick out their accents. They make use of forged or stolen identity documents, using the names of actual employees and email addresses that appear to come from a Western business domain. They construct phony portfolio websites that don’t usually stand up to scrutiny. The trick is to actually apply that scrutiny during the interview process.
The report lists other “tells” and red flag warnings, such as using a non-standard remote desktop software tool or a low proportion of accepted bids on projects or referencing non-functioning websites. Of course, if someone were to vet my previously published work, you would find some similarities to the numerous dead B2B IT websites that I wrote for in the 1990s, but let’s not go there for now.
To mitigate the risk and properly vet these phonies, the report authors suggest that all identity documents be carefully scrutinized and verified independently, and that any low-resolution copies be rejected. Video interviews showing the candidate should be conducted carefully, and the candidates questioned carefully as well. Employers should conduct background checks, verify education directly with the college, verify banking accounts, and avoid making any virtual currency payments. The State Department’s Rewards for Justice website (shown above) is where you can submit a tip and perhaps claim a substantial reward.
This piece in Protocol offers up some screening suggestions:
Run your video interviews in a well-lit room, on a computer and without headphones. Pay close attention to a candidate’s mouth and audio to make sure they sync up and look at eye movement to see if they’re glancing at anyone else in the room. Asking a candidate to share their screen is also a good idea.
ElReg has this story with more chilling news.
And now this on KnowBe4 hiring a North Korean.
The problem is explored in more detail in this story in CSOonline.
And CrowdStrike has identified a North Korean state-sponsored actor that has infiltrated new hires with fake identities into more than 100 companies.
Mandiant has more research on how these criminals gain the trust of hiring managers here (Sept 2024).
And HYPR has this tale about how they almost hired a North Korean hacker (Oct 2024). Each new hire is put through a process to satisfy multiple identity, device and location verifications and video checks before they can receive their credentials.
A new report (10/24) is out from DTEX that offers some suggestions on tell-tale indications. Before a hire, look out for odd Zoom backgrounds or IP addresses that don’t match the candidate’s stated location. Once hired, watch for unauthorized and coordinated remote access usage, the use of “mouse jigglers” to keep sessions alive, and suspicious data hoarding.
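The post-hire tells from the DTEX report (coordinated remote access, mouse jigglers, data hoarding) and the location mismatch mentioned earlier in the federal advisory can all be turned into simple detections over ordinary access logs. The script below is an added example written for this post, not code from any of the reports or vendors named above. The log format, the thresholds, the stated-country table and the tiny IP-to-country lookup that stands in for a real GeoIP database are all constructed assumptions for illustration.

```python
# Added example: turning the "tells" above into checks over access logs.
# Everything here is constructed for illustration: the log format, the
# thresholds, STATED_COUNTRY and the GEO_TABLE that stands in for a GeoIP DB.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev
import ipaddress

# Constructed log lines (RFC 5737 test addresses): "timestamp user src_ip event bytes"
RAW_LOGS = """\
2024-10-01T09:00:00 jdoe 203.0.113.10 login 0
2024-10-01T09:05:00 jdoe 198.51.100.7 login 0
2024-10-01T09:10:00 jdoe 203.0.113.10 download 5000000
2024-10-01T17:00:00 jdoe 203.0.113.10 logout 0
2024-10-02T09:00:00 jdoe 203.0.113.10 login 0
2024-10-02T10:00:00 jdoe 203.0.113.10 download 4000000
2024-10-03T09:00:00 jdoe 203.0.113.10 login 0
2024-10-03T10:00:00 jdoe 203.0.113.10 download 6000000
2024-10-04T09:00:00 jdoe 203.0.113.10 login 0
2024-10-04T10:00:00 jdoe 203.0.113.10 download 800000000
2024-10-01T09:00:00 asmith 192.0.2.44 login 0
2024-10-01T09:30:00 asmith 192.0.2.44 download 3000000
"""

# Constructed lookup standing in for a real GeoIP database, and the country
# each hire claimed on their application (assumed values).
GEO_TABLE = {ipaddress.ip_network("203.0.113.0/24"): "US",
             ipaddress.ip_network("198.51.100.0/24"): "CN",
             ipaddress.ip_network("192.0.2.0/24"): "US"}
STATED_COUNTRY = {"jdoe": "US", "asmith": "US"}


def parse_logs(raw):
    """Parse the whitespace-separated constructed log format into dicts."""
    recs = []
    for line in raw.strip().splitlines():
        ts, user, ip, event, nbytes = line.split()
        recs.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "ip": ipaddress.ip_address(ip), "event": event,
                     "bytes": int(nbytes)})
    return recs


def location_mismatches(recs):
    """(user, ip) pairs whose login IP geolocates outside the stated country."""
    out = set()
    for r in recs:
        if r["event"] != "login":
            continue
        country = next((c for net, c in GEO_TABLE.items() if r["ip"] in net), "??")
        if country != STATED_COUNTRY.get(r["user"]):
            out.add((r["user"], str(r["ip"])))
    return out


def concurrent_logins(recs, window=timedelta(minutes=15)):
    """Users who log in from two different source IPs within `window`.
    A shared account driven from several machines (coordinated remote access)
    shows up as overlapping logins from distinct addresses."""
    flagged = set()
    logins = defaultdict(list)
    for r in recs:
        if r["event"] == "login":
            logins[r["user"]].append(r)
    for user, evs in logins.items():
        evs.sort(key=lambda r: r["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # sorted, so later logins are further away still
                if a["ip"] != b["ip"]:
                    flagged.add(user)
    return flagged


def download_spikes(recs, factor=20):
    """Per user, the day whose download volume exceeds `factor` times the
    median of that user's other days: a crude data-hoarding check."""
    per_day = defaultdict(lambda: defaultdict(int))
    for r in recs:
        if r["event"] == "download":
            per_day[r["user"]][r["ts"].date()] += r["bytes"]
    spikes = {}
    for user, days in per_day.items():
        if len(days) < 3:
            continue  # not enough history to form a baseline
        for day, total in days.items():
            others = sorted(v for d, v in days.items() if d != day)
            baseline = others[len(others) // 2]  # median of the other days
            if baseline and total > factor * baseline:
                spikes[user] = day
    return spikes


def jiggler_cadence(event_times, min_events=20, max_stdev_s=0.5):
    """True when input events fire on an almost perfectly regular clock.
    Human input is bursty; a mouse jiggler or keep-alive script is metronomic."""
    gaps = [(b - a).total_seconds() for a, b in zip(event_times, event_times[1:])]
    return len(gaps) + 1 >= min_events and pstdev(gaps) <= max_stdev_s


# Constructed input-activity timestamps: one metronomic, one human-like.
START = datetime(2024, 10, 4, 12, 0, 0)
JIGGLER_EVENTS = [START + timedelta(seconds=30 * i) for i in range(40)]
HUMAN_EVENTS = [START + timedelta(seconds=s) for s in
                (0, 2, 3, 9, 10, 11, 25, 40, 41, 42, 60, 90, 91, 100, 130, 131, 132, 133, 170, 171)]

if __name__ == "__main__":
    recs = parse_logs(RAW_LOGS)
    print("location mismatch:", location_mismatches(recs))
    print("concurrent logins:", concurrent_logins(recs))
    print("download spikes:", download_spikes(recs))
    print("jiggler cadence:", jiggler_cadence(JIGGLER_EVENTS), jiggler_cadence(HUMAN_EVENTS))
```

Each check is deliberately simple and will produce false positives on its own (a traveling employee, a legitimate bulk export, an automated build agent), which is why the DTEX guidance treats these as indicators to correlate rather than verdicts. In the constructed data, jdoe trips all three post-hire checks plus the location mismatch, while asmith trips none.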