North Korean IT workers are extorting employers, FBI warns

The FBI is on a mission to raise awareness about the threat that North Korean IT workers present to organizations in the US and around the world.

While corporate espionage comes to mind first, the threat goes beyond that: “In recent months, in addition to data extortion, FBI has observed North Korean IT workers leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime.”

From collecting paychecks to extortion

US authorities have been warning about North Korean hackers posing as IT freelancers since 2022, but the distinction between North Korean hackers and North Korean individuals covertly doing non-malicious IT work for companies abroad has always been blurry.

As the FBI previously noted, Democratic People’s Republic of Korea IT workers have been known to use the privileged access gained as contractors to enable DPRK’s malicious cyber intrusions.

“Some overseas-based DPRK IT workers have provided logistical support to DPRK-based malicious cyber actors, although the IT workers are unlikely to be involved in malicious cyber activities themselves. DPRK IT workers may share access to virtual infrastructure, facilitate sales of data stolen by DPRK cyber actors, or assist with the DPRK’s money-laundering and virtual currency transfers.”

The FBI now warns that these workers copy company code repositories to their own (GitHub) user profiles and personal cloud accounts, and attempt to harvest company credentials and session cookies so they can initiate work sessions from non-company devices, opening up further compromise opportunities.

And sometimes, when their true nature is discovered by the company, North Korean IT workers’ parting shot is to hold stolen proprietary data or code hostage.

“In some instances, North Korean IT workers have publicly released victim companies’ proprietary code,” the Bureau added.

Defending against the North Korean IT worker threat

There’s an entire ecosystem set up to help North Korean IT workers get employed by businesses around the world and “earn” money for Pyongyang’s government: people who run front companies and IT staffing companies that facilitate their employment, operators of laptop farms that make the workers appear to be based in the US, and intermediaries who receive the workers’ pay into their (US) bank accounts and then forward the money onwards.

Organizations should do everything in their power to prevent employing these individuals and, failing that, to discover and stop their malicious actions as quickly as possible.

To succeed in the former, organizations should:

  • Implement identity-verification processes during interviewing, onboarding, and throughout the employment of any remote worker
  • Educate staff on tell-tale signs of the North Korean IT worker threat: typos in CVs, reused phone numbers and email addresses, the use of deepfakes (including face-swapping during video job interviews), changes in address or payment platforms during the onboarding process, etc.

“Complete as much of the hiring and onboarding process as possible in person,” the FBI advises. “Use ‘soft’ interview questions to ask applicants for specific details about their location or education background.”

Finally, organizations using third-party staffing firms should check to see if those companies have robust hiring practices.

But if all that fails and a North Korean worker manages to get hired and gets access to the organization’s network, defenses should be in place to detect and minimize the possibility of malicious actions.

The FBI advises monitoring network logs and browser session activity to identify data exfiltration, monitoring network traffic for remote connections to devices or the installation of prohibited remote desktop protocols or software, monitoring endpoints for the use of suspect software, and practicing the least privilege principle on company networks.
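As an added illustration (not from the article or the FBI advisory) of the monitoring the Bureau recommends, the script below applies three of the indicators described above to constructed log lines: a repository pushed to a git organization outside the company's own, a prohibited remote-access tool starting on an endpoint, and a web session cookie reused from a device that is not in the managed inventory. The log format, the allowlists and the tool names are assumptions, not anything the advisory specifies.

```python
import json
from collections import defaultdict

# Constructed sample events (assumed format: one JSON object per line; not from the article).
SAMPLE_LOG = """
{"ts":"2025-01-23T09:01:00Z","user":"dev42","event":"git_push","remote":"git@github.com:acme-corp/billing.git","device":"LT-0457"}
{"ts":"2025-01-23T09:14:00Z","user":"dev42","event":"git_push","remote":"https://github.com/jdoe-personal/billing.git","device":"LT-0457"}
{"ts":"2025-01-23T10:02:00Z","user":"dev42","event":"process_start","image":"/home/dev42/Downloads/anydesk","device":"LT-0457"}
{"ts":"2025-01-23T11:30:00Z","user":"dev42","event":"web_session","session_id":"s7f3a","device":"LT-0457"}
{"ts":"2025-01-23T11:41:00Z","user":"dev42","event":"web_session","session_id":"s7f3a","device":"UNKNOWN-9c2"}
"""

# Assumed organization policy: each company defines its own values here.
COMPANY_GIT_ORGS = {"github.com/acme-corp"}          # hypothetical company org
MANAGED_DEVICES = {"LT-0457", "LT-0458"}             # hypothetical device inventory
PROHIBITED_REMOTE_TOOLS = ("anydesk", "teamviewer")  # example entries only


def remote_org(remote: str) -> str:
    """Normalise an ssh (git@host:org/repo) or https (https://host/org/repo) remote to 'host/org'."""
    if "://" in remote:
        parts = remote.split("://", 1)[1].split("/")
        return f"{parts[0]}/{parts[1]}"
    host, _, path = remote.split("@", 1)[-1].partition(":")
    return f"{host}/{path.split('/')[0]}"


def detect(log_text: str) -> list:
    """Return (rule, user, detail) tuples for events matching the three indicators."""
    alerts = []
    devices_per_session = defaultdict(set)  # session_id -> devices that presented it
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["event"] == "git_push" and remote_org(ev["remote"]) not in COMPANY_GIT_ORGS:
            alerts.append(("repo_copy_to_external", ev["user"], ev["remote"]))
        elif ev["event"] == "process_start":
            name = ev["image"].rsplit("/", 1)[-1].lower()
            if any(tool in name for tool in PROHIBITED_REMOTE_TOOLS):
                alerts.append(("prohibited_remote_tool", ev["user"], ev["image"]))
        elif ev["event"] == "web_session":
            sid, dev = ev["session_id"], ev["device"]
            devices_per_session[sid].add(dev)
            if dev not in MANAGED_DEVICES:
                alerts.append(("session_from_unmanaged_device", ev["user"], dev))
            if len(devices_per_session[sid]) > 1:  # same cookie, second device
                alerts.append(("session_reused_across_devices", ev["user"], sid))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```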
