How not to hire a North Korean IT spy
CISOs looking for new IT hires already struggle with talent market shortages and bridging cybersecurity skills gaps. But now they face a growing challenge from an unexpected source: sanctions-busting North Korean software developers posing as potential hires.
North Korea is actively infiltrating Western companies using skilled IT workers who adopt fake identities to pose as remote workers for foreign companies, typically but not exclusively in the US.
These North Korean IT workers use fake identities, often stolen from real US citizens, to apply for freelance contracts or remote positions.
The schemes are part of illicit revenue generation efforts by the North Korean regime, which faces financial sanctions over its nuclear weapons program, as well as a component of the country’s cyberespionage activities.
Multimillion-dollar fake worker cell busted
The US Treasury department first warned about the tactic in 2022. Thousands of highly skilled IT workers are taking advantage of the demand for software developers to obtain freelance contracts from clients around the world, including in North America, Europe, and East Asia.
“Although DPRK [North Korean] IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK’s malicious cyber intrusions,” the Treasury department warned.
“These IT workers often rely on their overseas contacts to obtain freelance jobs for them and to interface more directly with customers,” it adds.
North Korean IT workers present themselves as South Korean, Chinese, Japanese, or Eastern European, and as US-based teleworkers. In some cases, DPRK IT workers further obfuscate their identities by creating arrangements with third-party subcontractors.
In the two years since the Treasury department’s warning, examples of the ruse in action have emerged with increasing frequency.
For example, Christina Chapman, a resident of Arizona, faces fraud charges over an elaborate scheme that allegedly allowed North Korean IT workers to pose as US citizens and residents using stolen identities to obtain jobs at more than 300 US companies.
US payment platforms and online job site accounts were abused to secure jobs at more than 300 companies, including a major TV network, a car manufacturer, a Silicon Valley technology firm, and an aerospace company. “Some of these companies were purposely targeted by a group of DPRK IT workers,” according to US prosecutors, who add that two US government agencies were “unsuccessfully targeted.”
According to a DoJ indictment, unsealed in May 2024, Chapman ran a “laptop farm,” hosting the overseas IT workers’ computers inside her home so it appeared that the computers were located in the US. The 49-year-old received and forged payroll checks, and she laundered direct debit payments for salaries through bank accounts under her control. Many of the overseas workers in her cell were from North Korea, according to prosecutors.
An estimated $6.8 million was paid for the work, much of which was falsely reported to tax authorities under the names of 60 real US citizens whose identities were either stolen or borrowed.
US authorities have seized funds related to the scheme from Chapman, as well as wages and monies accrued by more than 19 overseas IT workers.
Job search platform entraps unsuspecting companies
Ukrainian national Oleksandr Didenko, 27, of Kyiv, was separately charged over a years-long scheme to create fake accounts at US IT job search platforms and with US-based money service transmitters.
“Didenko sold the accounts to overseas IT workers, some of whom he believed were North Korean, and the overseas IT workers used the false identities to apply for jobs with unsuspecting companies,” according to the DoJ.
Didenko, who was arrested in Poland in May, faces US extradition proceedings. US authorities have seized the upworksell.com domain of Didenko’s company.
KnowBe4 gets a lesson in security awareness
How this type of malfeasance plays out from the perspective of a targeted firm was revealed by security awareness vendor KnowBe4’s candid admission in July that it unknowingly hired a North Korean IT spy.
The new hire was promptly detected after he infected his work laptop with malware; once the incident was spotted, he went to ground and refused to engage with security response staff.
The software engineer, hired to join KnowBe4’s internal IT AI team, passed video-based interviews and background checks. The “job seeker was using a valid but stolen US-based identity.” Crucially, it subsequently emerged, the picture on the application was “enhanced” using AI tools from a stock image photo.
The new hire had failed to complete his induction process, so he had no access to KnowBe4’s systems; as a result, no data breach occurred. “No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems,” according to the vendor, which is treating the whole incident as a “learning experience.”
‘Thousands’ of North Korean IT workers seeking jobs
A growing and substantial body of evidence suggests KnowBe4 is but one of many organizations targeted by illicit North Korean IT workers.
Last November, security vendor Palo Alto reported that North Korean threat actors are actively seeking employment with organizations based in the US and other parts of the world. During an investigation into a cyberespionage campaign, Palo Alto’s researchers discovered a GitHub repository containing fake resumes, job interview questions and answers, a scan of a stolen US Permanent Resident Card, and copies of IT job opening posts from US companies, among other resources.
“Resumes from these files indicate targets include a wide range of US companies and freelance job marketplaces,” according to Palo Alto.
Mandiant, the Google-owned threat intel firm, reported last year that “thousands of highly skilled IT workers from North Korea” are hunting work.
“These workers acquire freelance contracts from clients around the world … although they mainly engage in legitimate IT work, they have misused their access to enable malicious cyber intrusions carried out by North Korea,” according to Mandiant.
Email addresses used by Park Jin Hyok, a notorious North Korean cyberspy linked to the development of WannaCry and the infamous $81 million raid on Bangladesh Bank, appeared on job sites prior to Park’s US indictment for cybercrimes. “In the time between the Sony attack [2014] and the arrest warrant issued, PJH was observed on job seeker platforms alongside [other North Korean] DPRK’s IT workers,” according to Mandiant.
More recently, CrowdStrike reported that a North Korean group it dubbed “Famous Chollima” infiltrated more than 100 companies with imposter IT pros. Phony workers from the alleged DPRK-nexus group, whose targets included aerospace, defense, retail, and technology organizations predominantly in the US, performed enough to keep their jobs while attempting to exfiltrate data and install legitimate remote monitoring and management (RMM) tools to enable numerous IP addresses to connect to victims’ systems.
Detection is ‘challenging’
Using chatbots, “potential hires” can tailor their resumes precisely to a job posting, and they further leverage AI-created deepfakes to pose as real people.
Crystal Morin, former intelligence analyst for the US Air Force turned cybersecurity strategist at Sysdig, told CSOonline that North Korea is primarily targeting US government entities, defence contractors, and tech firms hiring IT workers.
“Companies in Europe and other Western nations are also at risk,” according to Morin. “North Korean IT workers are trying to get jobs either for financial reasons — to fund the state’s weapons program — or for cyberespionage.”
Morin added: “In some cases, they may try to get jobs at tech companies in order to steal their intellectual property before using it to create their own knock-off technologies.”
“These are real people with real skills in software development and not always easy to detect,” she warned.
Naushad UzZaman, co-founder and CTO of Blackbird.AI, told CSOonline that although the technology to deepfake video in real time is “not there yet,” advances in the technology are only likely to make life easier for counterfeit job applicants.
“You can imagine something like a Snapchat filter that would allow someone to present themselves as someone else,” according to UzZaman. “Even if that happens, you’d likely get glitches in the video that would offer tell-tale signs of interference.”
Countermeasures
IT managers and CISOs need to work with their colleagues in human resources to more closely vet applicants. Additional technical controls might also help.
Here are some suggestions for recommended process improvements:
- Conduct live video chats with prospective remote-work applicants and ask them about their work projects
- Look for career inconsistencies in resumes or CVs
- Check references by calling the referee to confirm any emailed reference
- Confirm supplied residence address
- Review and strengthen access controls and authentication processes
- Monitor supplied equipment for piggybacking remote access
Post-hire checks need to continue. Employers should be wary of sophisticated use of VPNs or VMs for accessing company systems, according to KnowBe4. Use of VoIP numbers and a lack of digital footprint for provided contact information are other red flags, the vendor added.
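As an added illustration of the “piggybacking remote access” check above and of the many-IPs-through-RMM pattern CrowdStrike described (example code written for this article, not code from KnowBe4, CrowdStrike or any other vendor), the following Python script runs a simple detection over constructed endpoint log lines. The key=value log format, the tool names and the IP addresses are all assumed sample values.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article): inbound remote-session
# events an endpoint agent might record on company-issued laptops.
SAMPLE_LOG = """\
2024-07-15T08:02:11Z host=LT-0417 user=jdoe tool=corp-remote src=203.0.113.7 event=session_start
2024-07-15T09:14:52Z host=LT-0417 user=jdoe tool=rmm-agent src=198.51.100.23 event=session_start
2024-07-15T11:40:03Z host=LT-0417 user=jdoe tool=rmm-agent src=198.51.100.88 event=session_start
2024-07-15T13:05:27Z host=LT-0417 user=jdoe tool=rmm-agent src=192.0.2.201 event=session_start
2024-07-15T10:21:44Z host=LT-0922 user=asmith tool=corp-remote src=203.0.113.40 event=session_start
2024-07-15T16:33:19Z host=LT-0922 user=asmith tool=corp-remote src=203.0.113.40 event=session_start
"""

# The key=value layout is an assumed agent log format, not a real product's.
LINE_RE = re.compile(
    r"host=(?P<host>\S+) user=(?P<user>\S+) tool=(?P<tool>\S+) "
    r"src=(?P<src>\S+) event=session_start"
)

def parse_sessions(log_text):
    """Return one dict per inbound remote session; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]

def find_suspicious_hosts(log_text, approved_tools, max_distinct_sources=2):
    """Flag laptops showing the piggybacking pattern: a remote-access tool the
    company did not deploy, or more distinct remote source IPs in the window
    than a single genuine remote worker would plausibly produce."""
    tools_by_host, sources_by_host = defaultdict(set), defaultdict(set)
    for rec in parse_sessions(log_text):
        tools_by_host[rec["host"]].add(rec["tool"])
        sources_by_host[rec["host"]].add(rec["src"])
    findings = {}
    for host, tools in tools_by_host.items():
        reasons = []
        unapproved = sorted(tools - set(approved_tools))
        if unapproved:
            reasons.append("unapproved remote-access tool(s): " + ", ".join(unapproved))
        if len(sources_by_host[host]) > max_distinct_sources:
            reasons.append(f"{len(sources_by_host[host])} distinct remote source IPs")
        if reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in find_suspicious_hosts(SAMPLE_LOG, {"corp-remote"}).items():
        print(host, "->", "; ".join(reasons))
```

In the sample data only LT-0417 is flagged: it carries a tool outside the approved set and four distinct remote sources in one day, while LT-0922 shows a single source over the sanctioned tool.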
David Feligno, lead technical recruiter at managed services provider Huntress, told CSOonline: “We have a multiple-step process for trying to verify if a background looks too good to be true — meaning is this person stealing someone else’s profile and claiming as their own, or simply lying about their current location. We first check if the candidate has provided a LinkedIn profile that we can review against their current resume. If we find that the profile location does not match the resume — says on resume NYC, but on LinkedIn profile says Poland — we know this is a fake resume.
“If it is the same, did this person just create a LinkedIn profile recently and have no connections or followers?”
Huntress also checks that an applicant’s supplied phone number is valid, as well as running a Google search on them.
“All of the above will save you a great deal of time, and if you see anything that does not match, you know you are dealing with a fake profile, and it happens a lot,” Feligno concluded.
Brian Jack, KnowBe4’s CISO, agrees that fake remote employees and contractors are something every organization needs to worry about, adding: “CISOs should review the organization’s hiring processes and ensure that their overall risk management practices are inclusive of hiring.”
Hiring teams should be trained to check resumes and references more thoroughly, to be sure the person they are interviewing is real and is who they say they are, Jack advises. Best would be to meet candidates in person and inspect their government-issued ID, or to use trusted agents such as background checking firms, especially as AI enters the mix in hiring schemes such as these.
“One thing I like to do as a hiring manager is ask some questions that would be hard to prepare for and hard for an AI to answer on the fly, but easy for a person to talk about if they were who they claim to be,” Jack says.