DPRK threat actors pose as IT workers.
By Tim Nodar, CyberWire senior staff writer
Oct 23, 2023

Remote work, sure, but it’s better if it’s not coming straight outta Sinanju.

The FBI has issued a public service announcement offering “guidance to the international community, the private sector, and the public to better understand and guard against the inadvertent recruitment, hiring, and facilitation” of North Korean IT workers. 

Hiring some talent from parts unknown? Maybe think twice. 

The Bureau notes that “[t]he hiring or supporting of DPRK IT workers continues to pose many risks, ranging from theft of intellectual property, data, and funds, to reputational harm and legal consequences, including sanctions under U.S., ROK, and United Nations (UN) authorities.”

The advisory outlines the following red flags associated with these IT workers:

  • “Unwillingness or inability to appear on camera, conduct video interviews or video meetings; inconsistencies when they do appear on camera, such as time, location, or appearance.
  • “Undue concern about requirements of a drug test or in person meetings and having the inability to do so.
  • “Indications of cheating on coding tests or when answering employment questionnaires and interview questions. These can include excessive pausing, stalling, and eye scanning movements indicating reading, and giving incorrect yet plausible-sounding answers.
  • “Social media and other online profiles that do not match the hired individual's provided resume, multiple online profiles for the same identity with different pictures, or online profiles with no picture.
  • “Home address for provision of laptops or other company materials is a freight forwarding address or rapidly changes upon hiring.
  • “Education on resume is listed as universities in China, Japan, Singapore, Malaysia, or other Asian countries with employment almost exclusively in the United States, the Republic of Korea, and Canada.
  • “Repeated requests for prepayment; anger or aggression when the request is denied.
  • “Threats to release proprietary source codes if additional payments are not made.
  • “Account issues at various providers, change of accounts, and requests to use other freelancer companies or different payment methods
  • “Language preferences are in Korean but the individual claims to be from a non-Korean speaking country or region.”
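One way to turn the advisory's red flags into a repeatable pre-hire and onboarding check, as an added example that is not part of the article or of the FBI advisory; the Candidate record shape, the country groupings, the 30-day window and the sample records are assumptions:

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
# Country groupings follow the advisory's wording (ISO 3166 alpha-2 codes); assumed, not from the FBI text.
ASIA_EDU = {"CN", "JP", "SG", "MY"}
TARGET_EMPLOYMENT = {"US", "KR", "CA"}
KOREAN_SPEAKING = {"KR", "KP"}

@dataclass
class Candidate:  # hypothetical record shape assembled from HR and IT onboarding data
    claimed_country: str
    language_prefs: List[str]                 # e.g. ["ko", "en"]
    education_countries: List[str]
    employment_countries: List[str]
    profiles: Dict[str, Optional[str]]        # profile URL -> photo hash, None if no picture
    address_history: List[Tuple[date, str]]   # (date recorded, laptop shipping address)
    hire_date: date
    declined_video: bool = False

def red_flags(c: Candidate, rapid_change_days: int = 30) -> List[str]:
    # Returns the advisory red flags that the record triggers, in a fixed order.
    flags = []
    if c.declined_video:
        flags.append("no-video")
    if "ko" in c.language_prefs and c.claimed_country not in KOREAN_SPEAKING:
        flags.append("korean-pref-vs-claimed-origin")
    edu, emp = set(c.education_countries), set(c.employment_countries)
    if edu and edu <= ASIA_EDU and emp and emp <= TARGET_EMPLOYMENT:
        flags.append("asia-education-western-employment")
    hashes = set(c.profiles.values())
    if None in hashes:
        flags.append("profile-without-picture")
    if len(hashes - {None}) > 1:
        flags.append("profiles-with-different-pictures")
    hist = sorted(c.address_history)  # did the shipping address change soon after hiring?
    for when, addr in hist[1:]:
        if addr != hist[0][1] and 0 <= (when - c.hire_date).days <= rapid_change_days:
            flags.append("rapid-address-change-after-hire")
            break
    return flags

def needs_joint_review(flags: List[str], threshold: int = 2) -> bool:
    # Escalate to a combined HR + security review once several flags stack up.
    return len(flags) >= threshold
# Constructed sample records (not from the advisory) showing the checks firing and not firing.
SAMPLE = Candidate("US", ["ko", "en"], ["CN"], ["US", "CA"],
                   {"https://social.example/a": "h1", "https://social.example/b": "h2"},
                   [(date(2023, 9, 1), "1 Main St"), (date(2023, 9, 12), "Unit 7, Forwarder Rd")],
                   date(2023, 9, 1), declined_video=True)
CLEAN = Candidate("US", ["en"], ["US"], ["US"], {"https://social.example/c": "h3"},
                  [(date(2023, 9, 1), "2 Oak Ave")], date(2023, 9, 1))
```

The flags are inputs to a human review, not a hiring decision; several of the advisory's indicators (interview behaviour, prepayment demands) only surface through the people conducting the process.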

An insider threat established by infiltration.

Ken Westin, Field CISO at Panther Labs, commented, “This deals in the realm of insider threat and isn’t something security should be responsible for alone, this type of threat requires collaboration between security and HR.”

There’s a role here for traditional vetting, the unglamorous legwork of the background check. “In these cases either someone was not conducting background checks properly or at all, or the North Koreans did a really good job at opsec for these individuals with fake identification and more. Although the awning of money to North Korea is a concern, I think the larger threat is missed: we had potential North Korean spies in many organizations' IT infrastructure with access to sensitive data and one has to wonder if they weren’t also conducting cyber espionage.”