How Evolving North Korean IT Worker Schemes Put Company Data at Risk

Read Time: 6 Min
A known North Korean IT worker scheme has escalated to include ransomware. Understanding how this emerging cyber threat works and what to watch for can help you mitigate the threat.

By Amber Buening, Security Outreach Director at Huntington National Bank

Key takeaways

  1. North Korean (DPRK) operatives use a variety of tactics to gain employment and remain undetected while funneling money to the DPRK, making it difficult for companies to realize they’re being tricked.
  2. Recently, this scheme has escalated to include stealing proprietary data and demanding a ransom from the company.
  3. Remaining diligent during the hiring process can help weed out potential threat actors, such as requiring video calls and noting inconsistencies in resumes and references.

What began as a method to generate revenue for the Democratic People’s Republic of Korea (DPRK) has evolved into a significant cybersecurity risk for U.S.-based companies. North Korean operatives posing as remote IT workers are now seeking employment to exfiltrate sensitive data and demand sizable ransoms.

This escalation highlights the severity of the threat, and organizations hiring remote workers might need to examine their hiring practices to ensure they don’t fall victim to it. Understanding how this threat works and what to watch for during hiring and onboarding can help your organization remain vigilant against this threat.

Evolution of the Threat

North Korean IT workers posing as eligible remote workers has been a known insider threat for years. The U.S. Departments of State and Treasury and the FBI issued their initial advisory about it in May 2022 , warning companies to be diligent in their remote hiring practices and be aware of the scheme. This guidance has been updated several times since then.

These North Korean IT workers pose as freelancers or contractors seeking employment in Western countries across a range of industries to generate revenue for the North Korean regime, particularly to evade sanctions and fund its weapons programs.

As of October 2024, there have been multiple instances of U.S.-based companies accidentally hiring a North Korean threat actor for an IT or software development role, including:

  • Fortune 100 companies
  • European government organizations
  • A well-known financial institution

Recently, the tactic has evolved to include stealing intellectual property or protected data and demanding a ransom for it. Companies inadvertently hiring a North Korean IT worker are now vulnerable to being extorted for large sums in exchange for their stolen data.

How the North Korean IT Worker Scheme Works

This scheme is a coordinated effort between North Korean operatives and facilitators based in the same location as the employer.

Here’s how they do it.

1. Evasion during the hiring process.

North Korean individuals pose as remote IT freelancers or contractors looking for employment. Sometimes this involves stealing the identities of people living in the U.S.

The threat actor will apply for remote roles and use a variety of tactics to evade detection during the hiring process, including refusing to turn on their camera and using ChatGPT to generate interview answers in real-time.

2. Remaining hidden after being hired.

Once hired, the North Korean IT worker leverages “facilitators” to help obscure their identity, location, and intent. These non-North Korean operatives assist in the following ways:

  • Receive company-issued devices and host them at an approved work location.
  • Install remote administration tools onto the devices so the threat actor can access the network from another location undetected.
  • Secure stolen U.S. identities for workers.
  • Launder money.
  • Access international financial systems.

The DOJ has already brought charges against at least one U.S. facilitator for participating in a scheme to assist overseas IT workers, which affected more than 300 U.S. companies and generated at least $6.8 million for the overseas IT workers§.

3. Upping the Ante with Ransomware

Now, ransomware has been added to the scheme. The newly hired worker will begin requesting or seizing elevated privileges to networks and data. The goal is to extract proprietary data and sensitive information that can be leveraged against the employer. In one situation identified by Secureworks Counter Threat Unit, a contractor stole company information almost immediately after being hired. The stolen data is held ransom, with threat actors demanding large sums of money to not leak the information or sell it on the dark web.

Strategies to Help Avoid Hiring a Threat Actor

Remaining diligent in hiring practices can help identify suspicious candidates. Note that these items do not necessarily indicate malicious intent. Interviewers should use their best judgement when meeting with applicants.

  • Schedule screening calls using a company-approved software and require the candidate to be on camera.
  • Look for inconsistent resumes, references, and background checks. One common resume tactic is to use a U.S.-based address with education credentials from difficult-to-verify universities abroad.
  • Ask specific questions to confirm understanding of the role and expectations, such as working hours, conflicts of interest, and location requirements.
  • Be on the lookout for AI-generated or edited profile pictures, and appearances on camera differing from photo IDs.
  • Do not allow unknown phone numbers to dial into meetings.
  • Pay attention to the provided contact information. Use of Voice over Internet Protocol (VoIP) numbers and a lack of digital footprint could be an indicator.
  • If hired, request that new remote employees verify the laptop’s serial number at the time of IT onboarding to make sure they have the physical device on hand.

What to Watch for During Hiring and Onboarding

  • Third-party coaching usually occurs via earbuds and headsets. If you suspect this is happening, request the candidate remove the headphones and use their computer audio.
  • Watch the candidate’s eye contact when responding to questions, as they may be seeking visual cues from others in the room or referencing scripts.
  • New employees updating their bank account information multiple times and using digital payment services instead of traditional banking systems could be indicative of this scheme.
  • Watch out for immediate and repeated requests to gain elevated privileges or for Active Director administrative privileges.
  • Consider restricting the use and installation of remote administration tools on corporate devices. Watch for uncommon remote admin tools or VPNs connecting to corporate infrastructure.

Remain Vigilant to Help Mitigate the Threat

This evolving threat has elevated the risk to companies hiring remote IT workers. Paying attention to the red flags of the scheme and being diligent in hiring practices can help avoid accidentally hiring an operative. Maintaining strong cybersecurity practices also builds resiliency and helps protect against malicious activities.

Huntington can support you with the insights, resources, and expertise needed to help you develop a strong cybersecurity and fraud prevention strategy. Explore our cybersecurity and fraud resources, then contact us to learn how we can help you protect your employees and your business.

Financial & industry insights delivered to your inbox.

Subscribe to Huntington Insights

Sign up to receive emails about our latest articles, case studies, and events on topics that matter most to your business.
Subscribe

Related Content

Cybersecurity & Fraud
Read Time: 4 Min
Help protect against commercial credit card fraud
Understanding the latest credit card fraud tactics and mitigation strategies can help merchants remain vigilant against fraud attempts.
November 18, 2024
Cybersecurity & Fraud
Read Time: 4 Min
Preventing BEC scams: A guide to help protect your organization
BEC is one of the most financially damaging online crimes. Learn how to identify and help protect against this type of email scam.
October 21, 2024

Office of Foreign Assets Control. 2022. “Guidance on the Democratic People’s Republic of Korea Information Technology Workers.” U.S. Department of Treasury, May 16, 2022. Accessed November 15, 2024.  

Greig, Jonathan. September 2024. “Dozens of Fortune 100 companies have unwittingly hired North Korean IT workers, according to report.” Accessed November 15, 2024.  

§ Office of Public Affairs. May 2024. “Charges and Seizures Brought in Fraud Scheme, Aimed at Denying Revenue for Workers Associated with North Korea.” U.S. Department of Justice, May 24, 2024. Accessed November 15, 2024.

Secureworks. October 2024. “State of the Threat: A Year in Review.” Accessed November 15, 2024.  

Mandiant. 2024. “Staying a Step Ahead: Mitigating the DPRK IT Worker Threat.” Google Cloud, September 23, 2024. Accessed November 15, 2024.

The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering tax, financial, legal, technical or other professional advice or services or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL BE LIABLE FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT OR THIRD-PARTY RESOURCES IDENTIFIED IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.

Lending and leasing products and services, as well as certain other banking products and services, may require credit application approval.

Third-party product, service and business names are trademarks/service marks of their respective owners.