Security Company’s Employment of North Korean Hackers Is Not Unusual

A recent incident at a security firm brought to light the presence of a sophisticated network of fake IT workers, carefully crafted by North Korean threat actors to infiltrate US companies for financial gain. This accidental hiring of a North Korean threat actor by KnowBe4, a security awareness training firm, shed light on the elaborate tactics employed by North Korea to plant operatives within organizations.

The hired software engineer turned out to be a North Korean threat actor who immediately started loading malware onto his company-issued workstation. Fortunately, the malicious operation was detected and shut down before any damage was done. However, this incident served as a wake-up call about the level of sophistication of North Korea’s state-sponsored program that deploys operatives disguised as legitimate IT workers.

Following the public disclosure of the incident, KnowBe4 received reports from more than a dozen other organizations that had similar encounters with North Korean actors. The firm released a white paper detailing the widespread problem of accidentally hiring fake North Korean employees, with companies of all sizes, from Fortune 500 organizations to small businesses, falling victim to this scheme.

According to Roger Grimes, KnowBe4 data-driven defense evangelist, the North Korean fake-employee scheme is a complex, industrial-scale operation that may have ensnared thousands of organizations worldwide. The actors involved in these schemes are exceptionally skilled and adept at bypassing traditional background checks and interview processes.

Erich Kron, security awareness advocate at KnowBe4, emphasized that the growing trend of remote work and the global hiring practices of organizations have made them vulnerable to such threats. The ability of North Korean operatives to navigate through the hiring process highlights the need for organizations to be vigilant and implement strict verification procedures for new hires.

KnowBe4 delved into the internal workings of the North Korean program and discovered that the primary goal is financial gain, with operatives also engaging in cyber espionage and corporate sabotage. The scheme involves leaders based in North Korea, employees and managers based in other countries, people in the target country who assist the scheme, and infrastructure that supports various illicit activities.

The individuals recruited for these schemes are often skilled IT workers trained at North Korean universities and located in foreign countries. They work in call-center-like settings and are unwitting victims of a form of human trafficking, with most of the revenues benefiting the North Korean government.

To help organizations identify North Korean threat actors during the hiring process, KnowBe4 provided guidance on spotting fake identities, credentials, work history, and suspicious behaviors. After hiring, organizations should monitor employee activities for unusual logins, IP addresses, or payment requests, as these could be signs of malicious intent.

In the event of suspicion, organizations are urged to report it immediately to senior management and take steps to secure company devices and monitor employee activities. By reviewing and strengthening hiring processes, organizations can mitigate the risk of inadvertently hiring North Korean operatives.

Reflecting on the incident, KnowBe4 emphasized the importance of continuous improvement in security measures and sharing lessons learned to help others avoid similar situations. By remaining vigilant and proactive, organizations can protect themselves from the threat of fake North Korean employees and ensure the security of their operations.
