North Korean IT Worker Threat: What Businesses Need To Know
In an increasingly connected world, businesses are facing a new and sophisticated cyber threat—North Korean IT workers infiltrating companies by posing as remote employees. Since 2022, cybersecurity firm Mandiant has been tracking these operatives, who disguise their true identities to gain employment in global industries, generating revenue for the North Korean regime. This revenue supports the country’s weapons of mass destruction (WMD) and missile programs, while also helping the regime evade international sanctions.
A Growing Threat
North Korean IT workers, often operating from countries like China and Russia, apply for remote positions using fake identities and resumes. Once hired, they gain access to company systems, performing tasks ranging from simple coding to network administration. These workers may hold multiple jobs at once, pulling in salaries from different companies to support North Korea's government. In one case, a facilitator compromised over 60 identities, impacting more than 300 U.S. companies and generating millions in revenue for these workers.
Mandiant’s research, which tracks these operations under the label UNC5267, highlights the broader goals of North Korean IT operatives: illicit financial gain, maintaining long-term access to corporate networks, and, potentially, conducting espionage or disruptive activities in the future.
How They Operate
These IT workers don’t operate alone. Often, they collaborate with facilitators—non-North Korean individuals—who help them secure jobs, launder money, and handle equipment like company laptops. These workers also make use of stolen identities to apply for roles, often listing U.S. addresses and foreign educational credentials, making it difficult for employers to verify their backgrounds.
Once hired, they use a variety of tools and techniques to conceal their real locations. Remote-access software such as AnyDesk, TeamViewer, and GoToMeeting lets them reach corporate systems from abroad, and many connect through commercial VPN services such as Astrill VPN so that the source of the connection does not reveal where they actually sit, typically China, Russia, or North Korea itself. A common tactic is the “laptop farm”: a facilitator receives the company-issued laptops at a domestic address and keeps them powered on and online, while the North Korean worker controls each machine over remote-access software. To the employer, every laptop appears to be at the address the corresponding employee claims, which lets a single worker hold several jobs at once.
What Businesses Can Do
To protect against this emerging threat, businesses must take proactive measures when hiring and managing remote employees:
- Enhanced Background Checks: Companies should conduct more rigorous background checks on job candidates, verifying details like education and employment history. Using biometric data or requiring notarized proof of identity can also help prevent fraudulent applications.
- Monitoring Remote Access: IT departments should closely monitor remote connections to corporate networks and treat the presence of remote-access tools such as LogMeIn, Chrome Remote Desktop, and AnyDesk on company laptops as something to investigate, since an employee who is physically at the keyboard rarely needs them. Correlate where each company laptop actually connects from against the location the employee claims to be based in, and look for several laptops issued to different employees checking in from the same address, a pattern consistent with a laptop farm.
- Spotting Red Flags: North Korean IT workers often refuse to participate in video interviews or use AI-modified images in their profiles. Employers should require video calls as part of the hiring process to confirm the identity of candidates, and they should look for inconsistencies in resumes or applicant behavior.
- Collaboration and Training: Companies should train their HR and IT teams to recognize suspicious activity and collaborate with cybersecurity professionals and industry peers to share threat intelligence. Staying up to date on the latest cyber risks is crucial in defending against threats like UNC5267.
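The three signals the preceding recommendations describe (remote-access tools on a company laptop, a device connecting from somewhere other than the employee's stated location, and several employees' laptops sharing one source address, the laptop-farm pattern) can be checked together against endpoint telemetry. The script below is an added example written for this page, not Mandiant's code or anything from the original article. The HR records, check-in events, IP addresses (RFC 5737 test ranges) and process names are constructed, and the `REMOTE_ACCESS_TOOLS` patterns are an assumption to be tuned to how your EDR names processes.

```python
"""Added example (not from the original article): correlate endpoint check-ins
with HR records to surface remote-access tools, location mismatches and
laptop-farm indicators for analyst review."""
from collections import defaultdict

# Substrings matched case-insensitively against process names. Assumption: tune to
# your EDR's naming ("remoting_host" is Chrome Remote Desktop, "g2m" GoToMeeting).
REMOTE_ACCESS_TOOLS = ("anydesk", "teamviewer", "logmein", "remoting_host", "g2m")

# Constructed HR data (hypothetical): employee -> assigned device and claimed home state.
HR = {
    "alice": {"device": "LT-1001", "state": "TX"},
    "bob":   {"device": "LT-1002", "state": "NY"},
    "carol": {"device": "LT-1003", "state": "CA"},
    "dave":  {"device": "LT-1004", "state": "WA"},
}

# Constructed endpoint check-ins: device, source IP, geolocated state, running processes.
CHECKINS = [
    {"device": "LT-1001", "ip": "198.51.100.7", "geo": "TX", "procs": ["outlook.exe", "code.exe"]},
    {"device": "LT-1002", "ip": "203.0.113.44", "geo": "AZ", "procs": ["anydesk.exe", "chrome.exe"]},
    {"device": "LT-1003", "ip": "203.0.113.44", "geo": "AZ", "procs": ["teamviewer.exe"]},
    {"device": "LT-1004", "ip": "203.0.113.44", "geo": "AZ", "procs": ["explorer.exe", "AnyDesk.exe"]},
]


def device_owner(hr):
    """Invert the HR table: device id -> employee."""
    return {rec["device"]: emp for emp, rec in hr.items()}


def find_remote_tools(checkins):
    """Return {device: [matching process names]} for devices running a remote-access tool."""
    hits = {}
    for c in checkins:
        matched = [p for p in c["procs"] if any(t in p.lower() for t in REMOTE_ACCESS_TOOLS)]
        if matched:
            hits[c["device"]] = matched
    return hits


def find_location_mismatches(hr, checkins):
    """Return (employee, claimed_state, observed_state) where the device's geo disagrees with HR."""
    owners = device_owner(hr)
    out = []
    for c in checkins:
        emp = owners.get(c["device"])
        if emp and hr[emp]["state"] != c["geo"]:
            out.append((emp, hr[emp]["state"], c["geo"]))
    return out


def find_shared_source_ips(hr, checkins, min_employees=2):
    """Return {ip: {employees}} for source IPs used by devices of several distinct employees."""
    owners = device_owner(hr)
    by_ip = defaultdict(set)
    for c in checkins:
        emp = owners.get(c["device"])
        if emp:
            by_ip[c["ip"]].add(emp)
    return {ip: emps for ip, emps in by_ip.items() if len(emps) >= min_employees}


def triage(hr, checkins):
    """Combine the three signals into {employee: [reasons]}; employees with no signal are omitted."""
    owners = device_owner(hr)
    reasons = defaultdict(list)
    for dev, procs in find_remote_tools(checkins).items():
        reasons[owners.get(dev, dev)].append(f"remote-access tool on {dev}: {', '.join(procs)}")
    for emp, claimed, seen in find_location_mismatches(hr, checkins):
        reasons[emp].append(f"device seen in {seen}, HR record says {claimed}")
    for ip, emps in find_shared_source_ips(hr, checkins).items():
        for emp in emps:
            others = ", ".join(sorted(emps - {emp}))
            reasons[emp].append(f"shares source IP {ip} with {others}")
    return dict(reasons)


if __name__ == "__main__":
    for emp, why in sorted(triage(HR, CHECKINS).items()):
        print(emp)
        for line in why:
            print("  -", line)
```

On the constructed data, alice produces no findings, while bob, carol and dave each trip all three checks: a remote-access tool is running, the device geolocates to a state other than the one on file, and all three laptops check in from the same address. Any one signal on its own can be benign (a support engineer legitimately running AnyDesk, an employee travelling), which is why the output is a list of reasons for an analyst rather than an automatic verdict; the shared-address check is the one that most directly matches the laptop-farm tactic.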
Why This Matters
The activities of North Korean IT workers pose a significant risk to businesses, especially those in tech, finance, and other industries handling sensitive data. These operatives, while primarily focused on earning money, have the potential to use their access for more dangerous purposes, such as data theft or future cyberattacks.
With the DPRK’s increasing reliance on cyber operations to support its regime, experts anticipate that this threat will only grow. For businesses, being aware of the tactics used by North Korean IT workers is critical to preventing infiltration and maintaining the security of their networks.
Looking Ahead
To stay ahead of these threats, businesses must take a comprehensive approach to cybersecurity. This includes rigorous hiring processes, robust monitoring of remote access, and continuous education for employees on current threats. By working together and sharing information on emerging cyber risks, companies can better protect themselves from the growing cyber threat posed by North Korea’s IT workforce.
In an era where remote work is commonplace, the risks associated with hiring unseen employees are rising. Staying vigilant, adopting strict security practices, and leveraging the latest threat intelligence can make a significant difference in safeguarding your organization from these sophisticated actors.