North Korean IT workers have been operating undercover as non-North Koreans to infiltrate various industries, generating revenue for their regime through cyber intrusions; that revenue evades sanctions and funds WMD programs. These workers, along with facilitators who are often non-North Koreans, engage in money laundering, use stolen identities, and exploit international financial systems to fund their activities while avoiding detection.
One specific threat group, UNC5267, is known for leveraging compromised identities to target Western companies, particularly those in the U.S. tech sector. These workers operate remotely from locations such as China and Russia, gaining initial access through job applications and contractor roles. Once inside, they hold multiple positions simultaneously and pursue objectives ranging from financial gain to potential espionage or disruptive activities.
Recently, researchers observed a campaign in which DPRK IT workers used fraudulent resumes to secure remote IT positions. These resumes contained red flags such as US addresses paired with non-North American education credentials and recycled content. Once hired, the workers accessed victim companies' laptops remotely using tools such as GoToRemote and TeamViewer, likely from North Korea, with an Astrill VPN to conceal their location.
To counter the threat posed by DPRK IT workers, organizations are advised to implement stringent vetting processes. This includes collecting biometric information for background checks, conducting thorough camera interviews, and verifying identity through notarized proof. HR departments should also be trained to spot inconsistencies in candidate profiles and monitor for AI-manipulated profile pictures.
In order to mitigate UNC5267 threats, organizations should verify phone numbers for VoIP usage, confirm laptop geolocation matches the reported residency, restrict remote administration tools, and monitor VPN connections. Furthermore, implementing hardware-based multi-factor authentication, as well as restricting IP-based KVMs, can strengthen security against unauthorized access and malicious activities.
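As an added example that is not from the original post, the following Python sketch applies the checks listed above (VoIP phone number, laptop geolocation versus stated residency, remote-administration tools, known VPN provider) together with the resume red flag noted earlier to constructed onboarding and endpoint records, escalating workers that match two or more indicators for human review. All field names, sample values and the escalation threshold are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Tools and VPN provider named in the report; everything else here is constructed.
REMOTE_ADMIN_TOOLS = {"gotoremote", "teamviewer"}
VPN_PROVIDERS = {"astrill"}
NORTH_AMERICA = {"us", "canada"}

@dataclass
class WorkerRecord:
    name: str
    stated_state: str                 # residency claimed in HR records (hypothetical field)
    laptop_state: str                 # state the corporate laptop's IP geolocates to
    phone_is_voip: bool               # result of a carrier/line-type lookup
    education_region: str = "us"      # region of the resume's education credentials
    vpn_provider: str = ""            # VPN provider observed on laptop egress traffic
    installed_tools: set = field(default_factory=set)

def assess(rec: WorkerRecord) -> list[str]:
    """Return the indicators from the report that match this record."""
    findings = []
    if rec.phone_is_voip:
        findings.append("voip_phone")
    if rec.laptop_state.lower() != rec.stated_state.lower():
        findings.append("laptop_geo_mismatch")
    if rec.education_region.lower() not in NORTH_AMERICA:
        findings.append("us_address_non_na_education")
    if rec.vpn_provider.lower() in VPN_PROVIDERS:
        findings.append("known_vpn:" + rec.vpn_provider.lower())
    tools = sorted({t.lower() for t in rec.installed_tools} & REMOTE_ADMIN_TOOLS)
    if tools:
        findings.append("remote_admin_tool:" + ",".join(tools))
    return findings

def triage(records: list[WorkerRecord], threshold: int = 2) -> dict[str, list[str]]:
    """Workers whose matched-indicator count reaches the threshold, for human review."""
    escalated = {}
    for rec in records:
        findings = assess(rec)
        if len(findings) >= threshold:
            escalated[rec.name] = findings
    return escalated

# Constructed sample records: one benign remote employee, one matching several indicators.
SAMPLE = [
    WorkerRecord("alice", "TX", "TX", phone_is_voip=False),
    WorkerRecord("contractor-42", "CA", "WA", phone_is_voip=True,
                 education_region="asia", vpn_provider="Astrill",
                 installed_tools={"TeamViewer", "vscode"}),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE).items():
        print(name, "->", ", ".join(findings))
```

A single indicator (for example a VoIP number alone) is common among legitimate remote staff, which is why the escalation threshold rather than any one rule drives the review queue.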
To address the risks posed by remote employees, companies should conduct periodic video checks, provide ongoing security education, collaborate with threat intelligence communities, and limit financial transactions to U.S. banks. It is imperative for organizations to enhance their security measures, increase employee awareness, work with industry peers, and leverage advanced threat detection tools to counter the evolving cyber threats posed by North Korean IT workers.
The technical proficiency and evasion tactics exhibited by North Korea's IT workforce make it a significant cyber threat, leading to an increase in data breaches, intellectual property theft, and disruptions to critical services. Mandiant actively supports defense efforts against DPRK cyber operations through partnerships and intelligence sharing, urging affected organizations to join forces in the fight against these cyber threats.