How to spot a North Korean agent before they get comfy inside payroll

Mandiant publishes cheat sheet for weeding out fraudulent IT staff

Against a backdrop of rising exposure to North Korean agents seeking (mainly) US IT roles, organizations now have a cheat sheet to help spot potential operatives.

To understand the common mistakes, threat intel and incident response specialists at Mandiant interviewed "dozens" of organizations that fell victim to the growing trend of North Korean moles securing IT jobs in the US. Typically based in China and Russia on orders from their government, the North Korean workers send their lucrative salaries home to fund Kim Jong Un's military, and also try to secure long-term access to employers' networks and systems for future financial exploitation.

These interviews yielded a long list of tips for employers to heed when hiring for their next roles, although many can be boiled down to appropriate due diligence.

For example, an analysis of one resume belonging to a known North Korean agent – one of many examined by Mandiant – showed that simply searching the web for the common data points led to the discovery of jobseeker profiles under a different name.

Scouring the web for the email addresses provided by applicants is a good way of finding these kinds of linked accounts. If they lead to profiles with different names from the one supplied in the application, it may mean that the applicant is applying for multiple roles across various companies.

It's widely known that some remote IT workers, North Korean or not, try to chance their luck by juggling jobs at multiple companies, all to earn extra cash before the behavior is eventually sussed out.

However, it's something Pyongyang agents are especially known for when exploiting the US job market, so indicators of multiple identities should be seen as a major red flag for employers.

Other recommended actions for employers include mandating comprehensive background checks. It sounds basic enough, but requirements such as biometric identity verification and notarized proof of identity go a long way toward identifying fraudulent applicants, or deterring them from applying in the first place.

Hiring managers carrying out interviews should also require that cameras be turned on during video calls so the video feed can be checked against the photo provided by the applicant. Again, it sounds basic, but the numerous warnings about fraudulent North Korean workers show how often these seemingly basic measures aren't being taken.

Human resources departments should also be trained in how to spot the common themes among North Korean fraudulent applicants, including how to detect whether AI was used to alter supplied images.

Mandiant noted that many of the resumes it evaluated were completed with doctored profile images that were likely stolen from public LinkedIn profiles.

Knowing the common indicators of a fraudulent resume can also help identify which applicants require further inspection. For example, Mandiant said North Korean agents often show their hand by listing a US address as their home while reporting attendance at an overseas university in the likes of Japan, Hong Kong, and Singapore. Education institutions in these regions don't often accept overseas students, so the combination should raise concerns about the application's legitimacy.

"This discrepancy may serve to hinder potential North American employers from verifying or contacting these overseas institutions regarding the applicant," Mandiant blogged. "Mandiant has also observed that the universities listed on the background check may not align with the candidate's education background stated in their resume, including time of enrollment and completed degree programs."

Fraudulent resumes are often modeled on existing, publicly available templates or completed examples, so there will be common overlaps between rogue applicants and these open source resumes.

Technical tools to dispose of imposters

The avenues for exploration don't end with the hiring stage. Whether it's through a gut feeling or something more measurable such as poor work performance, organizations have means available to them to weed out potential rogue workers.

We know from the various warnings issued by the US in the past, and historical criminal cases, that in order to fulfil a US job while working from China or Russia, the worker would need access to a US-based PC.

This access is usually facilitated by a PC farm, and the US citizens running them can find themselves in legal trouble, as one Tennessee man recently discovered.

If a worker is suspected to be benefiting from one of these farms, additional evidence to support those suspicions can come from monitoring the network traffic from that device.

Is the laptop connected to an IP-based Keyboard Video Mouse (KVM) device? If so, you have to ask why a genuine US citizen would need to access one of those to carry out their job duties.

Does the worker install one or more remote management apps on the device shortly after it is shipped? Again, that's certainly not normal behavior.

Speaking of shipping, does the requested delivery address match the applicant's home address on file? If not, the company-issued laptop may have been shipped and herded into a laptop farm.

"We have observed the DPRK IT workers using the location associated with the stolen identity used for employment, including the stolen driver's license, which often doesn't match the location where the laptop is ultimately shipped and stored," Mandiant said.

Fraudulent workers will often route their connections to these remote management and KVM solutions via VPNs – the Astrill VPN is a common one but there are plenty of other options.
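As an added example (not code from the article or from Mandiant), here is a small triage script that runs the indicators above over device-inventory and endpoint telemetry records: shipping address versus home address, a remote management app installed within days of shipping, an IP KVM showing up on USB or on the wire, and traffic to a named VPN provider. The product names in the indicator sets (AnyDesk, TeamViewer, PiKVM and so on), the three-day window, and every sample record are assumptions constructed for the example; the only provider the article itself names is Astrill.

```python
"""Triage one company-issued laptop against laptop-farm indicators.

Indicator lists and sample telemetry are constructed for this example; they
are not Mandiant's, and the product names are assumptions to be replaced with
whatever your own inventory and proxy logs actually record.
"""
from datetime import datetime, timedelta

REMOTE_MGMT_APPS = {"anydesk", "teamviewer", "rustdesk", "splashtop"}  # assumed
IP_KVM_MARKERS = {"pikvm", "tinypilot", "jetkvm"}                    # assumed
VPN_MARKERS = {"astrill"}                  # the provider named in the article
INSTALL_WINDOW = timedelta(days=3)         # "shortly after shipping": tune to taste


def normalize_address(addr):
    """Loose comparison: lowercase, strip punctuation, collapse whitespace."""
    return " ".join(addr.lower().replace(",", " ").replace(".", " ").split())


def review_device(device, events):
    """Return a list of (indicator, detail) tuples for one laptop.

    device: dict with asset, shipped_on (ISO date), home_address, ship_address
    events: endpoint/network records, each a dict with ts (ISO datetime),
            kind (app_install | usb_attach | net_conn) and value
    """
    findings = []
    shipped = datetime.fromisoformat(device["shipped_on"])

    # 1. Laptop shipped somewhere other than the address on file.
    if normalize_address(device["home_address"]) != normalize_address(device["ship_address"]):
        findings.append(("ship_address_mismatch",
                         f"shipped to {device['ship_address']!r}, home is {device['home_address']!r}"))

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        value = ev["value"].lower()
        # 2. Remote management software installed soon after the device shipped.
        if ev["kind"] == "app_install" and value in REMOTE_MGMT_APPS:
            if ts - shipped <= INSTALL_WINDOW:
                findings.append(("early_remote_mgmt_install", f"{ev['value']} at {ev['ts']}"))
        # 3. An IP KVM attached over USB (shows up as a composite HID device).
        elif ev["kind"] == "usb_attach" and any(m in value for m in IP_KVM_MARKERS):
            findings.append(("ip_kvm_attached", ev["value"]))
        # 3b/4. Network peers: the KVM itself, or a VPN provider's endpoints.
        elif ev["kind"] == "net_conn":
            if any(m in value for m in IP_KVM_MARKERS):
                findings.append(("ip_kvm_peer", ev["value"]))
            if any(m in value for m in VPN_MARKERS):
                findings.append(("vpn_provider_traffic", ev["value"]))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_DEVICE = {
    "asset": "LT-1042",
    "shipped_on": "2024-05-01",
    "home_address": "12 Main St., Austin, TX 78701",
    "ship_address": "88 Storage Unit Rd, Springfield, IL 62701",
}
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T10:00:00", "kind": "app_install", "value": "Slack"},
    {"ts": "2024-05-03T09:12:00", "kind": "app_install", "value": "AnyDesk"},
    {"ts": "2024-05-03T09:30:00", "kind": "usb_attach", "value": "PiKVM HID Composite Device"},
    {"ts": "2024-05-04T08:00:00", "kind": "net_conn", "value": "update.microsoft.com:443"},
    {"ts": "2024-05-04T08:05:00", "kind": "net_conn", "value": "vpn-us-east.astrill.com:443"},
    {"ts": "2024-05-20T11:00:00", "kind": "app_install", "value": "TeamViewer"},  # outside window
]

if __name__ == "__main__":
    for indicator, detail in review_device(SAMPLE_DEVICE, SAMPLE_EVENTS):
        print(f"{SAMPLE_DEVICE['asset']}: {indicator}: {detail}")
```

None of these hits is proof on its own; the late TeamViewer install in the sample is deliberately left outside the window to show that the timing, not the software, is the signal. Stack the findings per asset and escalate the ones that co-occur with the hiring-stage red flags above.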

Employers may not have to go down the traffic-monitoring route at all if they alter their onboarding process a little. Requiring the worker to read out the serial number printed on the laptop's chassis during onboarding is one way to catch a laptop farm user pretty quickly: someone with the device in hand can find it in a pinch, while someone driving it over a KVM cannot. Ask for the physical label, not a value queried from the operating system, which a remote operator can obtain just as easily.

Deploying hardware-based MFA that forces workers to physically interact with their company-issued device is another mitigation measure recommended by Mandiant. ®
