DPRK Remote Workers Hiring Scheme: Lessons Learned
In mid-July 2024, a US security awareness training company revealed that it unwittingly hired a North Korean hacker using a stolen identity for a remote Principal Software Engineer position. This example of successful employment fraud is one of many in which Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) information technology (IT) workers successfully used fake personas and stolen identities of American citizens to fraudulently obtain remote employment from unwitting companies in the United States. Nisos previously published a research post in December 2023 warning companies of the fraudulent employment scheme, in which Nisos investigators revealed the tactics, techniques, and procedures (TTPs) of these threat actors. As a follow-up to that information, Nisos investigators provide further insight into the best practices companies should consider when conducting interviews and vetting applicants to better protect themselves from unauthorized access to sensitive company systems and data by North Korean threat actors.
Anomalies in Applicants and References
Nisos has significant experience in helping our clients identify, investigate, and prevent employment fraud schemes. During our investigations into these schemes, we have identified the following best practices for screening applicants and references to lower the risk of hiring DPRK IT workers for remote jobs.
Applicant Screening Best Practices
Ensure the interview process involves on-camera and/or in-person interviews.
Nisos investigators found that DPRK IT workers often updated their mailing address prior to their equipment being shipped to them. This is an indication that the identity and information provided during the hiring process may have been stolen.
Once an offer is accepted, the threat actor will ask for the laptop to be shipped to an address that differs from those on the ID documents provided during the application process, claiming they have moved or temporarily relocated. We recommend that our clients conduct research into the new address to verify that it is linked to the individual.
Reference Screening Best Practices
Tactics, Techniques, and Procedures
Common DPRK IT worker TTPs highlighted in the December 2023 report include the following, which are only a subset of the indicators identified by Nisos investigators.
Lessons Learned For Enterprise Leaders
The North Korean IT worker scheme is pervasive and targets companies of all sizes and in numerous industries, including cybersecurity. Learning opportunities for enterprise leaders include the following:
How Can Nisos Help You?
Successful employment fraud investigations rely on a combination of external and internal investigation components. Nisos’ non-attributable investigation methods, combined with our clients’ own network infrastructure research, have successfully identified DPRK remote worker employment fraud and traditional employment fraud indicators. Partnering with an intelligence and investigations firm like Nisos can help enterprise leaders more quickly understand, prevent, and in some cases cease unwanted activity within their companies to protect their own and their clients’ sensitive data.
About Nisos®
Nisos is the Managed Intelligence Company. We are a trusted digital investigations partner, specializing in unmasking threats to protect people, organizations, and their digital ecosystems in the commercial and public sectors. Our open source intelligence services help security, intelligence, legal, and trust and safety teams make critical decisions, impose real world consequences, and increase adversary costs. For more information, visit: https://www.nisos.com.