Major companies continue to employ North Korean IT workers

Dive Brief:

  • IT workers working for the North Korean government are posing as citizens of other countries in order to get jobs at Western companies, especially those in the U.S. technology sector, threat intelligence and incident response firm Mandiant said on Monday.
  • North Korean-backed IT workers have infiltrated some of the world’s most valuable companies. “Dozens of Fortune 100 organizations unknowingly hired North Korean IT workers,” Charles Carmakal, CTO of Mandiant Consulting, said in a LinkedIn post on Monday.
  • According to Mandiant’s findings, the widespread insider threat campaign generates revenue for the North Korean regime and, at times, enables criminal groups working in concert with the North Korean government to make changes to application source code, conduct espionage, or engage in other malicious activity.

Dive Insight:

The FBI warned organizations in June 2022 to be vigilant for people using deepfakes or stolen personal data to apply for remote work.

While Mandiant has not observed any significant malicious activity, the threat intelligence firm is concerned that a cybercriminal group could leverage this internal access to plant backdoors in systems or software in the future.

“This is another type of initial access vector for threat actors, but I also want to emphasize that threat actors are targeting IT and technical roles, potentially giving actors access to systems that other users may not have,” Carmakal said in an email. “This attack technique has the potential to be very effective.”

The decentralized threat group, which Mandiant tracks as UNC5267, remains very active and primarily applies for full-time or contract positions that are entirely remote. Some of the IT workers, who are sent by the North Korean government to China, Russia, Africa or Southeast Asia, are working multiple jobs at once, Mandiant said.

Non-North Korean facilitators provide support services to these IT workers, including money laundering, receiving and hosting company laptops, and using stolen identities to verify employment. The devices housed in these laptop farms are often connected to keyboard, video and mouse (KVM) devices and to commercially available remote monitoring and management tools.

A U.S. citizen was arrested in Arizona in May for allegedly operating one of these laptop farms to defraud more than 300 U.S. companies, generating at least $6.8 million in illegal profits between October 2020 and October 2023.

Mandiant shared strategies organizations can use to detect and prevent the hiring of fake talent, including rigorous background checks and thorough interview processes. The company urged HR departments to train recruiting teams to spot inconsistencies and to watch for candidates who are reluctant to turn on their cameras or who use fake profiles during interviews.

“Threat actors are creating persuasive resumes and have discovered workarounds to several checks throughout the recruiting process,” Carmakal said in an email. “We’re seeing a problem where organizations are simply not aware of this potential threat, and therefore are not aware when reviewing applications and conducting the recruiting process.”

According to Mandiant, technical indicators of compromise include requests to ship company laptops to various locations and the use of remote administration tools, VPN services and mouse manipulation software.

Businesses can also require laptop serial number verification during IT onboarding and implement hardware-based multi-factor authentication to verify physical access to corporate devices.
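As an added illustration of how the onboarding checks and technical indicators described above could be turned into a simple triage rule, the following script scores constructed onboarding records against them. It is example code written for this article, not Mandiant’s tooling; the record fields, keyword lists, tool names and sample data are all assumptions made up for the example.

```python
"""Triage new-hire onboarding records against the indicators in the article.

Constructed example, not Mandiant's code. Field names, keyword lists and the
sample records below are assumptions made for illustration only.
"""
from dataclasses import dataclass, field

# Assumed keyword lists; a real deployment would use its own software inventory
# categories and allow/deny lists instead of substring matches.
REMOTE_ADMIN_KEYWORDS = ("rmm", "remote-admin", "remote_access")
MOUSE_MANIPULATION_KEYWORDS = ("jiggler", "mousemover")
VPN_KEYWORDS = ("vpn",)


@dataclass
class OnboardingRecord:
    employee: str
    home_address: str         # address the new hire gave HR
    ship_to_address: str      # address the company laptop was actually shipped to
    assigned_serial: str      # serial IT recorded when the device was issued
    reported_serial: str      # serial the hire read back during onboarding
    installed_software: list[str] = field(default_factory=list)


def flag_indicators(rec: OnboardingRecord) -> list[str]:
    """Return the names of the article's indicators that fire for one record."""
    flags = []
    if rec.home_address.strip().lower() != rec.ship_to_address.strip().lower():
        flags.append("laptop_shipped_to_other_address")
    if rec.assigned_serial != rec.reported_serial:
        flags.append("serial_mismatch")
    sw = [s.lower() for s in rec.installed_software]
    if any(k in s for s in sw for k in REMOTE_ADMIN_KEYWORDS):
        flags.append("remote_admin_tool")
    if any(k in s for s in sw for k in MOUSE_MANIPULATION_KEYWORDS):
        flags.append("mouse_manipulation_software")
    if any(k in s for s in sw for k in VPN_KEYWORDS):
        flags.append("vpn_client")
    return flags


def triage(records: list[OnboardingRecord]) -> list[tuple[str, list[str]]]:
    """Rank records by how many indicators fired, most suspicious first."""
    scored = [(rec.employee, flag_indicators(rec)) for rec in records]
    return sorted(scored, key=lambda item: len(item[1]), reverse=True)


# Constructed sample records (not real employees or devices).
SAMPLE_RECORDS = [
    OnboardingRecord("hire-a", "12 Elm St, Austin TX", "12 Elm St, Austin TX",
                     "SN-1001", "SN-1001", ["office-suite"]),
    OnboardingRecord("hire-b", "40 Oak Ave, Denver CO", "9 Pine Rd, Phoenix AZ",
                     "SN-1002", "SN-1002", ["rmm-agent", "mousemover", "consumer-vpn-client"]),
]

if __name__ == "__main__":
    for name, flags in triage(SAMPLE_RECORDS):
        print(name, flags)
```

A record with several indicators at once (shipping mismatch plus remote administration and mouse manipulation software) is the combination the article singles out, so that is what the ranking surfaces for human review.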