With the rise of remote work and global hiring, a recent incident involving a North Korean operative hired by a well-known security firm has exposed a growing threat. KnowBe4, a company specializing in security awareness training, discovered that one of its newly hired software engineers was a North Korean threat actor. Shortly after the company-issued laptop was delivered, the individual attempted to load malware onto it. The attempt was caught and stopped quickly, but it revealed a much larger problem: a well-organized North Korean program that plants fake remote employees in companies around the world to earn money for the regime.
The spy in the room
After KnowBe4 made its discovery public, more than a dozen other companies reported similar experiences. Organizations ranging from Fortune 500 companies to small businesses have unknowingly hired North Korean operatives, with fully remote teams at particularly high risk. These fake employees are skilled IT workers who go through extensive coaching, which lets them pass job interviews and conventional background checks.
The scale of the operation is significant. It is not a matter of one or two cases; potentially thousands of organizations around the world may have unknowingly hired these operatives. Once inside a company, the workers send most of their earnings back to the North Korean government, and some also engage in espionage or sabotage against their employer.
Evil scheme
The operatives involved in this program are highly trained IT professionals, often based in countries such as China. They live and work in shared spaces, similar to call centers, from which they apply for jobs under fake identities. Those identities come with fabricated work histories, personal websites, and references.
The program is a form of human trafficking, with many of the workers forced to participate. Most of the money they earn goes to the North Korean government, while their families in North Korea are used as leverage to ensure their compliance.
Seeing through them
Although these operatives are highly skilled, there are warning signs employers can look for. Candidates who claim U.S. residency but struggle with English, or who present vague and inconsistent work histories, should raise concerns. Their personal websites and profiles may look generic or hastily created, with little online footprint beyond the links they supply themselves.
Even after hiring, unusual behavior can be a red flag. Examples include logging in from unexpected locations, requesting alternative payment methods such as cryptocurrency, or working at odd hours that do not match the claimed time zone. One caveat for the location check: in the KnowBe4 case the corporate laptop was shipped to a U.S. address and operated remotely, so the device's own location can look legitimate while the person at the keyboard is overseas. Unexpected remote-access or VPN software on a company device is therefore as telling as a foreign login address.
Keeping them at bay: Recommendations for Businesses
To avoid falling victim to this type of infiltration, businesses should take the following steps:
Strengthen Hiring Practices: Conduct thorough background checks, including secondary verification of work histories, credentials, and identities. Pay extra attention to remote candidates who may be harder to verify.
Educate Hiring Teams: Train HR and hiring managers to recognize red flags such as inconsistent personal details, unusual interview behavior, and suspicious online profiles. Encourage them to report any doubts during the recruitment process.
Monitor Employee Activity: After hiring, compare login geography, working hours, device usage, and payroll change requests against what the employee claimed at onboarding. Patterns that do not fit the claimed location or schedule, especially in a remote work setup, can signal a problem.
Implement Threat Models: Treat a fraudulent hire as an insider threat in your threat model. Identify which roles receive access to source code, production systems, and customer data, when that access is granted during onboarding, and which controls would detect or limit misuse. Use the result to tighten the hiring and onboarding process before a threat actor gets in.
Act Quickly If Suspicious: If a company suspects it has hired a North Korean operative, immediately disable the employee's accounts, revoke active sessions and tokens, and isolate the company device while preserving its logs for forensic review. Closely monitor any remaining activity, and if the threat is confirmed, terminate employment and report the incident to law enforcement.
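The monitoring described above (login locations, working hours and payment requests checked against what the hire claimed) is simple to automate. The following Python script is an added example, not code from the original post or from KnowBe4; the roster, login records and payroll events are constructed data, and the field names and thresholds are assumptions for illustration.

```python
"""Baseline checks for remote-hire telemetry: login geography, working hours
and payroll changes, evaluated against what the employee claimed at onboarding.
All data below is constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed HR roster (hypothetical): claimed country, UTC offset of the
# claimed time zone (fixed summer offsets for simplicity; production code should
# resolve the IANA zone with zoneinfo) and the expected payroll account holder.
ROSTER = {
    "jdoe":   {"name": "Jane Doe",   "country": "US", "utc_offset": -5},  # CDT
    "asmith": {"name": "Alex Smith", "country": "US", "utc_offset": -4},  # EDT
}

# Constructed identity-provider login export (hypothetical):
# (user, UTC timestamp, geo-IP country of the source address)
LOGINS = [
    ("jdoe",   "2024-07-15T14:05:00Z", "US"),  # 09:05 in Chicago
    ("jdoe",   "2024-07-16T13:50:00Z", "US"),  # 08:50 in Chicago
    ("jdoe",   "2024-07-17T14:10:00Z", "US"),  # 09:10 in Chicago
    ("asmith", "2024-07-15T06:30:00Z", "US"),  # 02:30 in New York
    ("asmith", "2024-07-16T07:10:00Z", "US"),  # 03:10 in New York
    ("asmith", "2024-07-17T06:45:00Z", "CN"),  # 02:45 in New York, from China
    ("asmith", "2024-07-18T07:00:00Z", "US"),  # 03:00 in New York
]

# Constructed payroll change requests (hypothetical): (user, method, account holder)
PAYROLL_CHANGES = [
    ("jdoe",   "bank_ach", "Jane Doe"),
    ("asmith", "crypto",   "Alex Smith"),
    ("asmith", "bank_ach", "Wen Li"),
]

WORK_START, WORK_END = 6, 22   # local hours treated as a normal working window
OFF_HOURS_RATIO = 0.5          # flag when more than half of logins fall outside it


def local_hour(ts_utc: str, utc_offset: int) -> int:
    """Hour of an ISO-8601 UTC timestamp in the employee's claimed zone."""
    dt = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    return dt.astimezone(timezone(timedelta(hours=utc_offset))).hour


def analyze_logins(roster, logins):
    """Per user: foreign source countries and share of off-hours logins."""
    stats = defaultdict(lambda: {"total": 0, "off_hours": 0, "foreign": set()})
    for user, ts, country in logins:
        claim = roster.get(user)
        if claim is None:          # unknown account: out of scope for this check
            continue
        s = stats[user]
        s["total"] += 1
        if not WORK_START <= local_hour(ts, claim["utc_offset"]) < WORK_END:
            s["off_hours"] += 1
        if country != claim["country"]:
            s["foreign"].add(country)
    findings = {}
    for user, s in stats.items():
        f = []
        if s["foreign"]:
            f.append(f"logins from {sorted(s['foreign'])} but claimed "
                     f"{roster[user]['country']}")
        if s["off_hours"] / s["total"] > OFF_HOURS_RATIO:
            f.append(f"{s['off_hours']}/{s['total']} logins outside "
                     f"{WORK_START:02d}-{WORK_END:02d} local in claimed zone")
        findings[user] = f
    return findings


def analyze_payroll(roster, changes):
    """Flag payroll changes to cryptocurrency or to an account in another name."""
    findings = defaultdict(list)
    for user, method, holder in changes:
        claim = roster.get(user)
        if claim is None:
            continue
        if method == "crypto":
            findings[user].append("payroll changed to cryptocurrency")
        if holder != claim["name"]:
            findings[user].append(f"payroll account holder {holder!r} does not "
                                  f"match employee name {claim['name']!r}")
    return dict(findings)


def review(roster, logins, changes):
    """Merge both analyses into {user: [findings]} for every rostered employee."""
    merged = defaultdict(list)
    for source in (analyze_logins(roster, logins), analyze_payroll(roster, changes)):
        for user, f in source.items():
            merged[user].extend(f)
    return {user: merged.get(user, []) for user in roster}


if __name__ == "__main__":
    for user, findings in review(ROSTER, LOGINS, PAYROLL_CHANGES).items():
        print(user, "->", findings or "no findings")
```

On the constructed data, jdoe produces no findings while asmith is flagged four times: a login from China, every login in the early hours of the claimed New York zone, a switch to cryptocurrency payments, and a bank account in a different name. Each signal on its own can have an innocent explanation, which is why the script reports all of them per user for a human to review rather than acting automatically.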