Dive Brief:
- IT workers operating as plants for North Korea’s government are posing as non-North Korean nationals to gain employment with Western companies, especially those in the U.S. tech sector, threat intelligence and incident response firm Mandiant said Monday.
- North Korea-backed IT workers have infiltrated some of the world’s most valuable companies. “Dozens of Fortune 100 organizations have unknowingly hired IT workers from North Korea,” Mandiant Consulting CTO Charles Carmakal said Monday in a LinkedIn post.
- The widespread insider threat attack campaign generates revenue for the North Korean regime and sometimes provides access for threat groups aligned with its interests to make changes to application source code, conduct espionage or other malicious activity, Mandiant found.
Dive Insight:
The FBI in June 2022 warned organizations to be on the lookout for individuals using deepfakes or stolen personally identifiable information who apply for remote jobs.
While Mandiant has not observed significant malicious activities, the threat intelligence firm is concerned the threat group may use insider access to insert backdoors in systems or software in the future.
“This is another type of initial access vector for threat actors but also I want to emphasize that the threat actors are targeting IT and tech positions, potentially providing the actors with access to systems other users may not have,” Carmakal said via email. “This attack technique has the potential to be highly impactful.”
The non-centralized threat group, which Mandiant tracks as UNC5267, remains highly active and primarily applies for full time or contract positions that are fully remote. Some of the IT workers, who are sent by the North Korean government to live in China, Russia, Africa or Southeast Asia work multiple jobs concurrently, Mandiant said.
Non-North Korean facilitators provide support services to these IT workers, including money laundering, receiving and hosting company laptops and using stolen identities to verify employment. Devices housed in these laptop farms are often connected to IP-based keyboard video mouse devices and commercially available remote monitoring and management tools.
A U.S. citizen was arrested in Arizona in May for allegedly operating one of these laptop farms to defraud more than 300 U.S. companies, resulting in at least $6.8 million in illicit revenue between October 2020 and October 2023.
Mandiant shared strategies organizations can use to detect and prevent the hiring of fictitious talent, including stringent background checks and careful interview processes. The firm called on human resources departments to train hiring teams to spot inconsistencies and note candidates’ reluctance to turn on cameras or the use of fake backgrounds during interviews.
“The threat actors create convincing resumes and have discovered workarounds to several checks throughout the hiring process,” Carmakal said via email. “We’re running into an issue where organizations are simply unaware of this potential threat and therefore unaware when reviewing applications and conducting the hiring process."
Technical indicators of compromise, according to Mandiant, include requests to ship corporate laptops to different locations, and the use of remote administration tools, VPN services and mouse jiggling software.
Companies can also request verification of the laptop serial number during IT onboarding and implement hardware-based multifactor authentication to ensure physical access to corporate devices.