Major companies continue to hire North Korean IT workers

Dive Summary:

  • IT workers at North Korean government facilities are posing as non-North Koreans to find jobs at Western companies. Threat intelligence and incident response firm Mandiant said on Monday that those in the US tech sector are particularly at risk.
  • North Korean-backed IT workers infiltrated some of the world’s most valuable companies. “Dozens of Fortune 100 organizations unknowingly hired IT workers from North Korea,” Charles Carmakal, CTO of Mandiant Consulting, said in a Monday LinkedIn post.
  • Mandiant found that the widespread insider threat campaign generates revenue for the North Korean regime and sometimes provides threat actors acting in their own interests with access to modify application source code, engage in espionage, or engage in other malicious activities.

Dive Insight:

In June 2022, the FBI warned organizations to be wary of people applying for remote jobs using deepfakes or stolen personal information.

While Mandiant has not observed any significant malicious activity, the threat intelligence firm is concerned that the threat actor could use insider access to insert backdoors into systems or software in the future.

“This is another type of initial access vector for threat actors, but I want to emphasize that threat actors are targeting IT and technology positions, potentially giving actors access to systems that other users don’t have,” Carmakal said via email. “This attack technique has the potential to be quite effective.”

The decentralized threat actor, which Mandiant tracks as UNC5267, remains highly active and primarily recruits for contract positions that are full-time or fully remote. Some of the IT workers sent by the North Korean government to live in China, Russia, Africa or Southeast Asia are working multiple jobs at once, Mandiant said.

Non-North Korean facilitators provide support services to these IT workers, such as money laundering, obtaining and hosting company laptops, and using stolen identities to verify employment. The devices hosted in these laptop farms are often connected to IP-based keyboard video mouse devices and commercially available remote monitoring and management tools.

A US citizen arrested in Arizona in May allegedly operated one of these laptop farms with the intent to defraud more than 300 U.S. companies between October 2020 and October 2023, resulting in at least $6.8 million in illicit proceeds.

Mandiant shared strategies organizations can use to detect and prevent the hiring of fake talent, including rigorous background checks and careful interview processes. The company urged human resources departments to train their recruiting teams to spot inconsistencies and to note candidates’ reluctance to turn on cameras or their use of fake backgrounds during interviews.

“Threat actors are creating convincing resumes and have discovered workarounds for various checks throughout the hiring process,” Carmakal said in an emailed statement. “We are facing a problem where organizations are unaware of this potential threat and therefore unaware when reviewing applications and conducting the hiring process.”

According to Mandiant, technical indicators of the breach include requests to ship corporate laptops to different locations, the use of remote administration tools, VPN services, and mouse-jiggling software.

Companies can also require laptop serial number verification during IT onboarding and implement hardware-based multi-factor authentication to guarantee physical access to corporate devices.
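None of the indicators above is conclusive on its own, since remote administration tools and VPNs have legitimate uses, so a defender would correlate them per hire. The following triage sketch is an added example, not Mandiant's tooling: the record fields, process watchlists and sample records are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed watchlists for illustration; replace with your approved-software baseline.
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
JIGGLERS = {"mousejiggler.exe"}

@dataclass
class Onboarding:
    user: str
    hr_address: str        # address on the verified identity documents
    ship_to: str           # where the laptop was requested to be sent
    issued_serial: str     # serial recorded in the asset inventory
    confirmed_serial: str  # serial the hire read back during IT onboarding
    vpn_login: bool        # logins arrive from a commercial VPN range
    processes: set = field(default_factory=set)

def indicators(r: Onboarding) -> list:
    """Return the names of the indicators present on one record."""
    procs = {p.lower() for p in r.processes}
    checks = {
        "ship_to_mismatch": r.ship_to.strip().lower() != r.hr_address.strip().lower(),
        "serial_mismatch": r.issued_serial.upper() != r.confirmed_serial.upper(),
        "remote_admin_tool": bool(procs & RMM_TOOLS),
        "mouse_jiggler": bool(procs & JIGGLERS),
        "vpn_login": r.vpn_login,
    }
    return [name for name, hit in checks.items() if hit]

def review_queue(records, threshold=2):
    """Users with at least `threshold` indicators, most indicators first."""
    scored = [(r.user, indicators(r)) for r in records]
    hits = [(u, i) for u, i in scored if len(i) >= threshold]
    return sorted(hits, key=lambda x: -len(x[1]))

# Constructed sample records (not real people, addresses or devices).
SAMPLE = [
    Onboarding("hire-a", "12 Elm St, Austin TX", "12 Elm St, Austin TX",
               "SN-0001", "sn-0001", True, {"chrome.exe"}),
    Onboarding("hire-b", "4 Oak Ave, Denver CO", "77 Pine Rd, Tulsa OK",
               "SN-0002", "SN-0002", True, {"AnyDesk.exe", "MouseJiggler.exe"}),
    Onboarding("hire-c", "9 Birch Ln, Boise ID", "9 Birch Ln, Boise ID",
               "SN-0003", "SN-0999", False, {"TeamViewer.exe"}),
]

if __name__ == "__main__":
    for user, found in review_queue(SAMPLE):
        print(user, found)
```

A lone VPN login (hire-a) stays out of the queue, while a redirected shipment combined with remote-access and mouse-jiggling software (hire-b) ranks first for HR and security review.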