‘How not to hire a North Korean plant posing as a techie’ guide updated by US and South Korean authorities

Advise turning off and never using remote desktop protocol, prohibiting private VPNs, not trusting recruiters’ due diligence

US and South Korean authorities have updated their guidance on how to avoid hiring North Korean agents seeking work as freelance IT practitioners.

Thousands of North Korean techies are thought to prowl the world’s freelance platforms seeking work outside the Republic. Kim Jong Un’s regime uses the workers to earn hard currency, and infiltrate organizations they work for to steal secrets and plant malware. The FBI has previously warned employers to watch for suspicious behavior such as logging in from multiple IP addresses, working odd hours, and inconsistencies in name spellings across different online platforms.

The updated advice adds other indicators that freelancer you are thinking about hiring could be a North Korean plant, including:

  • Repeated requests for prepayment followed by “anger or aggression when the request is denied”;
  • Threats to release proprietary source codes if additional payments are not made;
  • Using a freight forwarder’s address as the destination for a company laptop rather than a home address, and changing that address frequently;
  • Evading in-person meetings or requests for drug tests;
  • Changing payment methods or accounts on freelance-finder platforms;
  • Having multiple online profiles for the same identity with different pictures, or online profiles with no picture.

The updated guidance suggests requiring recruitment companies to document their background checking processes, to be sure that they can screen out North Korean stooges. Conducting your own due diligence on workers suggested by recruiters is also recommended.

Another piece of advice recommends you should “Keep records, including recordings of video interviews, of all interactions with potential employees.” North Korean freelancers, per previous advice, will be shy of video interviews.

The agencies also recommend technological measures including:

  • Preventing use of remote desktop protocol on all company devices and prohibit using remote desktop applications for work;
  • Locking down all administrative permissions;
  • Installing insider threat monitoring software on company devices;
  • Regularly geo-locating company laptops to verify they match the logins of employees' addresses;
  • Requiring freelancers to shut off commercial VPNs when accessing company networks;
  • Adopting zero-trust and need-to-know policies;
  • Avoid granting access to proprietary information, if possible.

Plenty of that is solid advice for any IT shop under any circumstances.

The advice was published a day after the US Justice department announced the seizure of 17 website domains used by North Korean information technology workers in a scheme to defraud US and foreign businesses, evade sanctions, and fund the development of the North’s weapons program.

US authorities have previously seized $1.5 million of revenue generated by those sites.

North Korea has “flooded the global marketplace with ill-intentioned information technology workers,” said Special Agent in Charge Jay Greenberg of the FBI St. Louis Division.

“This scheme is so prevalent that companies must be vigilant to verify whom they're hiring. At a minimum, the FBI recommends that employers take additional proactive steps with remote IT workers to make it harder for bad actors to hide their identities. Without due diligence, companies risk losing money or being compromised by insider threats they unknowingly invited inside their systems.”

Check Chinese professors, too

The updated advice was issued the day after the nations of the Five Eyes alliance – Australia, Canada, New Zealand, the UK and the USA – warned at a summit that China’s industrial espionage efforts have again increased.

As part of the Five Eyes announcement, Mike Burgess, director-general of security at the Australian Security Intelligence Organisation, revealed that the agency recently detected and disrupted a Chinese operation involving a visiting professor who came to work at an unnamed Australian research institution but was first recruited by Chinese intelligence.

“The spymasters gave him money and a shopping list of intelligence requirements and sent him to Australia,” Burgess revealed.

“The academic set his Australian students research assignments that specifically covered many of the intelligence requirements," he recounted.

“ASIO intervened and removed the professor from the country before any harm could be done,” Burgess said, adding “This sort of thing happens every day in Australia, just as it happens in all our countries.” ®

More about


Send us news

Other stories you might like