{"id":14569,"date":"2025-08-06T07:04:07","date_gmt":"2025-08-06T07:04:07","guid":{"rendered":"https:\/\/newestek.com\/?p=14569"},"modified":"2025-08-06T07:04:07","modified_gmt":"2025-08-06T07:04:07","slug":"how-not-to-hire-a-north-korean-it-spy","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14569","title":{"rendered":"How not to hire a North Korean IT spy"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>CISOs looking for new IT hires already struggle with <a href=\"https:\/\/www.csoonline.com\/article\/657598\/cybersecurity-workforce-shortage-reaches-4-million-despite-significant-recruitment-drive.html\">talent market shortages<\/a> and <a href=\"https:\/\/www.csoonline.com\/article\/2074581\/the-cybersecurity-skills-shortage-a-ciso-perspective.html\">bridging cybersecurity skills gaps<\/a>. 
But now they face a growing challenge from an unexpected source: sanctions-busting <a href=\"https:\/\/www.csoonline.com\/article\/2111003\/us-ai-experts-targeted-in-cyberespionage-campaign-using-sugargh0st-rat.html\">North Korean software developers<\/a> posing as potential hires.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3511235\/what-north-koreas-infiltration-into-american-it-says-about-hiring.html\">North Korea is actively infiltrating Western companies<\/a> using skilled IT workers who use fake identities to pose as remote workers with foreign companies, typically but not exclusively in the US.<\/p>\n<p>These <a href=\"https:\/\/www.csoonline.com\/article\/657312\/north-koreas-state-hacking-program-is-varied-fluid-and-nimble.html\">North Korean IT workers<\/a> use <a href=\"https:\/\/www.csoonline.com\/article\/571847\/fbi-arrests-social-engineer-who-allegedly-stole-unpublished-manuscripts-from-authors.html\">fake identities<\/a>, often stolen from real US citizens, to apply for freelance contracts or remote positions.<\/p>\n<p>Estimates of the extent of the crime are hard to come by, but a United Nations Panel of Experts report last year estimated 3,000 North Korean IT workers abroad \u2014 often in either China or Southeast Asia \u2014 and another 1,000 more operating inside North Korea were generating between $250 million and $600 million per year.<\/p>\n<p>The schemes \u2014 effectively a state-sanctioned crime syndicate \u2014 are part of illicit revenue generation efforts by the North Korean regime, which faces <a href=\"https:\/\/www.csoonline.com\/article\/575387\/us-sanctions-four-north-korean-entities-for-global-cyberattacks.html\">financial sanctions<\/a> over its nuclear weapons program, as well as a component of the <a href=\"https:\/\/www.csoonline.com\/article\/657312\/north-koreas-state-hacking-program-is-varied-fluid-and-nimble.html\">country\u2019s cyberespionage activities<\/a>.<\/p>\n<p>Recent examples of the trend have 
included the use of deepfake technologies, extortion scams, and increased expansion into Europe. In 2025, DPRK agents expanded their focus to include cybersecurity roles, and they increased the use of female personas, the <a href=\"https:\/\/news.sophos.com\/en-us\/2025\/05\/08\/nickel-tapestry-expands-fraudulent-worker-operations\/\">Sophos Counter Threat Unit Research Team reports<\/a>.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Multimillion-dollar fake worker cell busted<\/h2>\n<p>The <a href=\"https:\/\/ofac.treasury.gov\/media\/923126\/download?inline\">US Treasury department first warned about the tactic in 2022<\/a>. Thousands of highly skilled IT workers from North Korea are taking advantage of the demand for software developers to obtain freelance contracts from clients around the world, including in North America, Europe, and East Asia.<\/p>\n<p>\u201cAlthough DPRK [North Korean] IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK\u2019s malicious cyber intrusions,\u201d the Treasury department warned.<\/p>\n<p>\u201cThese IT workers often rely on their overseas contacts to obtain freelance jobs for them and to interface more directly with customers,\u201d it adds.<\/p>\n<p>North Korean IT workers present themselves as South Korean, Chinese, Japanese, or Eastern European, and as US-based teleworkers.<\/p>\n<p>DPRK freelancers are using front companies \u2014 posing as software development or tech consulting firms \u2014 in China, Russia, Southeast Asia, and Africa to mask identities and secure jobs in Western companies, according to <a href=\"https:\/\/www.sentinelone.com\/labs\/dprk-it-workers-a-network-of-active-front-companies-and-their-links-to-china\/\">research by SentinelOne<\/a>.<\/p>\n<p>In the years since the Treasury department\u2019s first warning, examples of the ruse in action are increasingly emerging, not least through ongoing 
prosecutions.<\/p>\n<p>For example, Christina Chapman, of Litchfield Park, Ariz., was jailed in July 2025 following her <a href=\"https:\/\/www.justice.gov\/usao-dc\/pr\/arizona-woman-sentenced-17m-it-worker-fraud-scheme-illegally-generated-revenue-north\">conviction for fraud, identity theft, and money laundering charges<\/a> for orchestrating an elaborate scheme that enabled North Korean IT workers to pose as US citizens and residents using stolen identities to obtain jobs at more than 300 US companies and two international firms. The conspiracy generated more than $17 million in illicit revenue over the course of three years between October 2020 and October 2023.<\/p>\n<p>US payment platforms and online job site accounts were abused to secure jobs at a wide range of companies, including a major TV network, a car manufacturer, a Silicon Valley technology firm, and an aerospace company. \u201cSome of these companies were purposely targeted by a group of DPRK IT workers,\u201d according to <a href=\"https:\/\/www.justice.gov\/opa\/pr\/charges-and-seizures-brought-fraud-scheme-aimed-denying-revenue-workers-associated-north\">US prosecutors<\/a>, who add that two US government agencies were \u201cunsuccessfully targeted.\u201d<\/p>\n<p>Chapman ran a \u201claptop farm,\u201d hosting the overseas IT workers\u2019 computers inside her home so it appeared that the computers were located in the US. 
The 50-year-old received and forged payroll checks, and she laundered direct debit payments for salaries through bank accounts under her control.<\/p>\n<p>Much of the $17.1 million received from the work was falsely reported to tax authorities using the stolen identities of 68 US citizens.<\/p>\n<p>The case is only the most high profile of several US prosecutions (examples <a href=\"https:\/\/www.justice.gov\/opa\/pr\/fourteen-north-korean-nationals-indicted-carrying-out-multi-year-fraudulent-information\">here<\/a> and <a href=\"https:\/\/www.justice.gov\/opa\/pr\/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote\">here<\/a>) involving North Korean IT worker scams.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Tradecraft<\/h2>\n<p>Insider risk management firm <a href=\"https:\/\/www.dtexsystems.com\/resources\/i3-threat-advisory-inside-the-dprk\/\">DTEX reports that the techniques leveraged by DPRK agents to evade detection have evolved<\/a>, reducing reliance on traditional \u201claptop farms,\u201d to include tactics such as:<\/p>\n<ul class=\"wp-block-list\">\n<li>Disabling secure access service edge tools (e.g., Zscaler\/Netskope) to create a more permissive environment for remote access tools.<\/li>\n<li>Abusing privileged access from one organization to infiltrate another. This often involves VDI web-based applications such as VMware Horizon and Citrix XenDesktop.<\/li>\n<\/ul>\n<p>An <a href=\"https:\/\/flashpoint.io\/blog\/flashpoint-investigation-uncovering-the-dprks-remote-it-worker-fraud-scheme\/\">investigation by threat intel agency Flashpoint<\/a> uncovered additional details on the tactics and procedures used by North Korean threat actors.<\/p>\n<p>It confirmed findings by US prosecutors that fake US companies, including Helix and Baby Box, were used to embellish resumes and provide fake references.<\/p>\n<p>Emails from the bogus companies were tied to a compromised host located in Lahore, Pakistan. 
The Korean language input method was installed alongside a Chinese time zone setting on this host.<\/p>\n<p>Flashpoint\u2019s researchers infiltrated this host, finding numerous saved credentials from various corporate human resources sites and job boards, indicating that it had been used intensively to apply to dozens of tech jobs throughout 2023.<\/p>\n<p>The researchers found Google Translate URLs capturing dozens of translations between English and Korean.<\/p>\n<p>The researchers also uncovered numerous messages containing advice and tradecraft, such as discussions of how to persuade a manager not to require use of a camera during meetings and about voice manipulation or dubbing.<\/p>\n<p>\u201cSome of the messages also expressed frustration and disappointment directed at a remote worker participating in the scheme, observing that they had failed to find new jobs and, in one case, may have been found out,\u201d Flashpoint reports.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>KnowBe4 gets a lesson in security awareness<\/h2>\n<p>How this type of malfeasance plays out from the perspective of a targeted firm was revealed by security awareness vendor <a href=\"https:\/\/blog.knowbe4.com\/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us\">KnowBe4\u2019s candid admission in July 2024 that it unknowingly hired a North Korean IT spy<\/a>.<\/p>\n<p>The new hire was promptly detected after he infected his work laptop with malware before going to ground when the incident was detected and refusing to engage with security response staff.<\/p>\n<p>The software engineer, hired to join KnowBe4\u2019s internal IT AI team, passed video-based interviews and background checks. 
The \u201cjob seeker was using a valid but stolen US-based identity.\u201d Crucially, it subsequently emerged, the picture on the application was \u201cenhanced\u201d using AI tools from a stock image photo.<\/p>\n<p>The new hire had failed to complete his induction process, so he had no access to KnowBe4\u2019s systems; as a result, no data breach occurred. \u201cNo illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems,\u201d according to the vendor, which is treating the whole incident as a \u201clearning experience.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>\u2018Thousands\u2019 of North Korean IT workers seeking jobs<\/h2>\n<p>A growing and substantial body of evidence suggests KnowBe4 is but one of many organizations targeted by illicit North Korean IT workers.<\/p>\n<p>Mandiant, the Google-owned threat intel firm, reported last year that <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/north-korea-cyber-structure-alignment-2023\/\">\u201cthousands of highly skilled IT workers from North Korea\u201d are hunting work<\/a>.<\/p>\n<p>\u201cThese workers acquire freelance contracts from clients around the world \u2026 although they mainly engage in legitimate IT work, they have misused their access to enable malicious cyber intrusions carried out by North Korea,\u201d according to Mandiant.<\/p>\n<p>Email addresses used by Park Jin Hyok (PJH), a notorious North Korean cyberspy linked to the development of WannaCry and the infamous $81 million raid on Bangladesh Bank, appeared on job sites prior to Park\u2019s US indictment for cybercrimes. 
\u201cIn the time between the Sony attack [2014] and the arrest warrant issued, PJH was observed on job seeker platforms alongside [other North Korean] DPRK\u2019s IT workers,\u201d according to Mandiant.<\/p>\n<p>CrowdStrike reported that a North Korean group it dubbed \u201cFamous Chollima\u201d infiltrated <a href=\"https:\/\/www.csoonline.com\/article\/3481659\/north-korean-group-infiltrated-100-plus-companies-with-imposter-it-pros.html\">more than 100 companies with imposter IT pros<\/a>. Phony workers from the alleged DPRK-nexus group, whose targets included aerospace, defense, retail, and technology organizations predominantly in the US, performed enough to keep their jobs while attempting to exfiltrate data and <a href=\"https:\/\/www.csoonline.com\/article\/3487743\/attackers-increasingly-using-legitimate-remote-management-tools-to-hack-enterprises.html\">install legitimate remote monitoring and management (RMM) tools<\/a> to enable numerous IP addresses to connect to victims\u2019 systems.<\/p>\n<p>Suspected North Korean faux IT workers unsuccessfully tried to use deepfake video technology in a job interview with security vendor Exabeam. 
The ruse was easily detected, but as AI technology evolves such schemes will only become harder to detect, Exabeam CISO Kevin Kirkwood warned.<\/p>\n<p>Threat intel firm Secureworks noted in its <a href=\"https:\/\/www.secureworks.com\/resources\/rp-state-of-the-threat-2024\">2024 State of the Threat report<\/a> that fake IT worker scams are evolving: the firm detected multiple attempts by fraudulent workers, once hired by victim companies, to steal proprietary or sensitive information and then demand extortionate payments.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Crossing continents<\/h2>\n<p>North Korean IT worker scams are also expanding into Europe.<\/p>\n<p>While the US remains a prime target, increased obstacles from a combination of law enforcement action and greater awareness have prompted scammers to target European businesses, according to <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/dprk-it-workers-expanding-scope-scale\">research from Google<\/a>.<\/p>\n<p>For example, suspected DPRK workers have undertaken UK projects in areas such as web development, bot development, content management system (CMS) development, and blockchain technology.<\/p>\n<p>This indicates a \u201cbroad range of technical expertise, spanning traditional web development to advanced blockchain and AI applications,\u201d according to Google.<\/p>\n<p>Separate investigations have uncovered IT worker personas seeking employment in Germany and Portugal.<\/p>\n<p>DPRK IT workers are obtaining work through various online platforms, including Upwork, Telegram, and Freelancer. 
Payment was sought through various means, including cryptocurrency, the Wise money transfer service, and Payoneer.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Extortion playbook<\/h2>\n<p>Google adds that the previously identified tactic of post-employment extortion attempts by DPRK IT worker crews has ramped up.<\/p>\n<p>\u201cRecently fired IT workers threatened to release their former employers\u2019 sensitive data or to provide it to a competitor,\u201d Google researchers reported. \u201cThis data included proprietary data and source code for internal projects.\u201d<\/p>\n<p>Previously, DPRK IT workers terminated from their places of employment might seek to obtain references or attempt to get rehired, but law enforcement action and greater awareness have prompted some groups to adopt more aggressive measures, according to Google. North Korean groups have begun to conduct operations within corporate virtualized infrastructure, <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/dprk-it-workers-expanding-scope-scale\">Google warned in April<\/a>.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Detection is \u2018challenging\u2019<\/h2>\n<p>Using chatbots, \u201cpotential hires\u201d tailor their resumes precisely to the role, and further leverage AI-created deepfakes to pose as real people.<\/p>\n<p>North Korean operatives commonly use face-changing software during video interviews or rely on AI assistants to help answer questions in real time.<\/p>\n<p>Crystal Morin, former intelligence analyst for the US Air Force turned cybersecurity strategist at Sysdig, told CSOonline that North Korea is primarily targeting US government entities, defence contractors, and tech firms hiring IT workers.<\/p>\n<p>\u201cCompanies in Europe and other Western nations are also at risk,\u201d according to Morin. 
\u201cNorth Korean IT workers are trying to get jobs either for financial reasons \u2014 to fund the state\u2019s weapons program \u2014 or for cyberespionage.\u201d<\/p>\n<p>Morin added: \u201cIn some cases, they may try to get jobs at tech companies in order to steal their intellectual property before using it to create their own knock-off technologies.\u201d<\/p>\n<p>\u201cThese are real people with real skills in software development and not always easy to detect,\u201d she warned.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Countermeasures<\/h2>\n<p>IT managers and CISOs need to work with their colleagues in human resources to more closely vet applicants. Additional technical controls might also help.<\/p>\n<p>Here are some recommended process improvements:<\/p>\n<ul class=\"wp-block-list\">\n<li>Conduct live video chats with prospective remote-work applicants and ask them about their work projects<\/li>\n<li>Look for career inconsistencies in resumes or CVs<\/li>\n<li>Check references by calling the referee to confirm any emailed reference<\/li>\n<li>Confirm the supplied residence address<\/li>\n<li>Review and strengthen access controls and authentication processes<\/li>\n<li>Monitor supplied equipment for piggybacking remote access<\/li>\n<\/ul>\n<p>Post-hire checks need to continue. Employers should be wary of sophisticated use of VPNs or VMs for accessing company systems, according to KnowBe4. Use of VoIP numbers and lack of a digital footprint for provided contact information are other red flags, the vendor added.<\/p>\n<p>David Feligno, lead technical recruiter at managed services provider Huntress, told CSOonline: \u201cWe have a multiple-step process for trying to verify if a background looks too good to be true \u2014 meaning is this person stealing someone else\u2019s profile and claiming it as their own, or simply lying about their current location. 
We first check if the candidate has provided a LinkedIn profile that we can review against their current resume. If we find that the profile location does not match the resume \u2014 says on resume NYC, but on LinkedIn profile says Poland \u2014 we know this is a fake resume.<\/p>\n<p>\u201cIf it is the same, did this person just create a LinkedIn profile recently and have no connections or followers?\u201d<\/p>\n<p>Huntress also checks that an applicant\u2019s supplied phone number is valid, as well as running a Google search on them.<\/p>\n<p>\u201cAll of the above will save you a great deal of time, and if you see anything that does not match, you know you are dealing with a fake profile, and it happens a lot,\u201d Feligno concluded.<\/p>\n<p>Brian Jack, KnowBe4\u2019s CISO, agrees that fake remote employees and contractors are something every organization needs to worry about, adding: \u201cCISOs should review the organization\u2019s hiring processes and ensure that their overall risk management practices are inclusive of hiring.\u201d<\/p>\n<p>Hiring teams should be trained to check resumes and references more thoroughly, to be sure the person they are interviewing is real and is who they say they are, Jack advises. Ideally, candidates would be met in person with their government-issued ID, or verified through trusted agents such as background checking firms \u2014 especially as AI enters the mix in hiring schemes such as these.<\/p>\n<p>\u201cOne thing I like to do as a hiring manager is ask some questions that would be hard to prepare for and hard for an AI to answer on the fly, but easy for a person to talk about if they were who they claim to be,\u201d Jack says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>CISOs looking for new IT hires already struggle with talent market shortages and bridging cybersecurity skills gaps. 
But now they face a growing challenge from an unexpected source: sanctions-busting North Korean software developers posing as potential hires. North Korea is actively infiltrating Western companies using skilled IT workers who use fake identities to pose as remote workers with foreign companies, typically but not exclusively in&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14569\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14569","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14569","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14569"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14569\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14569"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14569"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}