TechTalk: FBI warns U.S. of data extortion, espionage by fake North Korean IT workers
May 9, 2025, 9:23 AM | Updated: 10:16 AM

Computer users at the Sci-Tech Complex in Pyongyang, North Korea. (Photo: Wong Maye-E, The Associated Press)
In recent days, the FBI warned American businesses that North Korean IT workers are escalating their malicious attacks on U.S. companies to steal sensitive data, intellectual property, and money (including cryptocurrency) to help fund the regime’s illegal weapons of mass destruction and ballistic missile programs.
According to the FBI, North Korean operatives, using stolen or fake identities to obtain IT jobs at U.S. companies, have exfiltrated proprietary data, conducted revenue-generating cybercrime, and in some cases, held stolen code hostage for ransom.
However, according to former Microsoft cybersecurity expert Cristin Flynn Goodwin, this type of infiltration by North Korean spies to conduct illegal activity, which has sparked recent headlines and concerns, is actually a decades-old issue that American companies have faced, whether they realize it or not.
“I spent 17 years at Microsoft, running a geopolitical intelligence team where we tracked North Korean behavior, and the North Koreans have been engaging in this sort of fraud against American companies and American individuals for over 10 years,” Goodwin said. “Hundreds of companies in the U.S. have fallen victim to this over the past few years.”
How North Korea infiltrates American companies
According to the FBI, for years, companies across the U.S. have unknowingly hired thousands of software engineers who claimed to be American developers but were actually North Korean operatives using stolen or fake identities.
Through legitimate employment, they’ve been illegally funneling their salaries and stolen cryptocurrency to Kim Jong Un’s regime to fund weapons of mass destruction—a weapons program prohibited under United Nations Security Council Resolutions passed after North Korea conducted nuclear tests in 2006, 2009, 2013, 2016, and 2017.
“It’s important to keep in mind that the sanctions that the world has levied against North Korea, because of its behavior, mean that even some government agencies have to go out and raise their own money to fund their agencies and to help fund the government,” Goodwin said. “That means conducting cybercrime and these types of attacks against American businesses, showing up as fake IT workers applying for legitimate jobs in these companies is simply another part of the regime’s attack tactics to raise money and steal IP to benefit the North Korean government.”
In several cases, operatives also harvested sensitive credentials and session cookies to access company systems from non-corporate devices, the FBI said. Those tactics and others have enabled North Korean workers to move laterally through networks, steal additional data, and escalate their access—posing ongoing threats to affected companies. However, the espionage usually started with a simple job interview.
“North Koreans will use teams, so they’ll have an individual on the phone, and then teams of people on instant messenger, helping the applicant answer technical questions,” Goodwin said.
A high-profile cybersecurity company, SentinelOne, confirmed just this week that it has been approached by North Korean IT operatives posing as legitimate job applicants. The company said it uncovered about 360 fake personas and more than 1,000 fraudulent applications for various roles, including positions on its intelligence engineering team. The company said it did not hire any of the North Korean applicants, but acknowledged that it interacted with some during the early stages of the recruitment process to collect intelligence on the tactics being used.
The FBI has also tracked cases of North Korean operatives planting malware in corporate systems to steal usernames, passwords, digital currencies, and other assets. In some cases, North Korean actors have publicly released stolen source code when companies refused to meet ransom demands.
“They may be trying to gain access to the intellectual property of your company…or if they are trying to get into your computer, it might be to use the resources of your machine to further cybercrime,” Goodwin said. “So they are persistent. They will wait. And if they have a way to get into a company and stay there for as long as possible, then that’s also part of their playbook.”
Goodwin, now a managing partner at Advance Cyber Law and a trusted adviser to former White House cyber experts, said companies should tighten hiring protocols and thoroughly verify candidate backgrounds. For cases where a candidate seems suspicious, she shared one unusual tactic, one that some of the world's top tech companies use, to help confirm those suspicions.
“If all else fails, one of the tricks that was talked about at the recent RSA Security Conference, and that the industry often discusses, is to ask if the individual is willing to insult the leader of North Korea. If they are not willing to insult Kim Jong Un, or they terminate the interview, chances are you’ve got a North Korean government spy on the phone and they want to get away from that as fast as possible,” she said.
FBI tips to protect your business
The FBI’s recommendations for data monitoring include:
- Practicing the Principle of Least Privilege on your networks, which includes disabling local administrator accounts and limiting privileges for installing remote desktop applications.
- Monitoring and investigating unusual network traffic, to include remote connections to devices or the installation/presence of prohibited remote desktop protocols or software.
- Watching for multiple logins to a single account within a short period of time from various IP addresses, often associated with different countries; this pattern is common among North Korean IT workers.
- Monitoring network logs and browser session activity to identify data exfiltration through easily accessible means such as shared drives, cloud accounts, and private code repositories.
- Monitoring endpoints for the use of software that allows for multiple audio/video calls to take place concurrently.
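The login pattern the FBI describes above (one account, several source IPs in different countries within a short window) can be checked directly against authentication logs. The script below is an added illustration, not part of the FBI guidance or the article; the log format, field names, and the sample log lines are constructed for the example, and the one-hour window is an assumed threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from the article):
# UTC timestamp, account, source IP, GeoIP country of the source IP.
SAMPLE_LOGS = """\
2025-05-01T09:00:12Z alice 203.0.113.10 US
2025-05-01T09:14:03Z alice 198.51.100.7 CN
2025-05-01T09:20:45Z alice 192.0.2.99 RU
2025-05-01T09:25:00Z bob 203.0.113.55 US
2025-05-01T11:40:10Z bob 203.0.113.55 US
2025-05-02T08:05:00Z alice 203.0.113.10 US
"""


def parse_logs(text):
    """Parse whitespace-separated log lines into (timestamp, account, ip, country) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, country = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, country))
    return events


def find_multi_origin_logins(events, window=timedelta(hours=1), min_ips=2):
    """Return {account: [(ip, country), ...]} for every account that logged in
    from at least `min_ips` distinct IPs inside any `window`-long span, where
    those IPs geolocate to more than one country. Same-IP repeats (bob) and
    logins spread over days (alice's next-day login) do not trigger on their own."""
    by_account = defaultdict(list)
    for ts, account, ip, country in sorted(events):
        by_account[account].append((ts, ip, country))
    findings = {}
    for account, evs in by_account.items():
        for i, (start, _, _) in enumerate(evs):
            # All distinct origins seen from this login until `window` later.
            origins = {(ip, c) for ts, ip, c in evs[i:] if ts - start <= window}
            countries = {c for _, c in origins}
            if len(origins) >= min_ips and len(countries) > 1:
                findings[account] = sorted(origins)
                break  # one hit per account is enough to flag it
    return findings


if __name__ == "__main__":
    for account, origins in find_multi_origin_logins(parse_logs(SAMPLE_LOGS)).items():
        print(f"{account}: logins from {len(origins)} origins within 1h: {origins}")
```

Only alice is flagged in the sample data; tune the window and threshold to the organisation's normal travel and VPN usage before alerting on it.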
FBI’s recommendations for strengthening remote-hiring processes include:
- Implementing identity-verification processes during interviewing, onboarding, and throughout the employment of any remote worker. Cross-check HR systems for other applicants with the same resume content and/or contact information. North Korean IT workers have been observed using artificial intelligence and face-swapping technology during video job interviews to obfuscate their true identities.
- Educating HR staff, hiring managers, and development teams regarding the North Korean IT worker threat, specifically focusing on changes in address or payment platforms during the onboarding process.
- Reviewing each applicant’s communication accounts, as North Korean IT workers have reused phone numbers (particularly voice-over-IP numbers) and email addresses, on multiple resumes purportedly belonging to different applicants.
- Verifying that third-party staffing firms conduct robust hiring practices and routinely audit those practices.
- Using “soft” interview questions to ask applicants for specific details about their location or educational background. North Korean IT workers often claim to have attended non-US educational institutions.
- Checking applicant resumes for typos and unusual nomenclature.
- Completing as much of the hiring and onboarding process as possible in person.
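Two of the hiring recommendations above, cross-checking HR systems for applicants who share resume content or contact information and watching for phone numbers and email addresses reused across "different" applicants, amount to a normalise-and-group check. The script below is an added example, not part of the FBI guidance or the article; the applicant records are constructed, and the normalisation rules (case-folding emails, stripping phone formatting and a leading US country code) are assumptions that an HR system would adapt to its own data.

```python
import re
from collections import defaultdict

# Constructed sample applicant records (not from the article). Two records use
# different names but the same email, phone number and resume text, written
# with different formatting so that a naive string comparison would miss them.
APPLICANTS = [
    {"name": "John Smith", "email": "j.smith@example.com", "phone": "+1 (415) 555-0142",
     "resume": "Senior Python developer, 8 years experience, AWS, Django."},
    {"name": "Michael Lee", "email": "J.Smith@Example.com", "phone": "415-555-0142",
     "resume": "Senior  Python developer, 8 years experience,\nAWS, Django."},
    {"name": "Ana Garcia", "email": "ana.garcia@example.org", "phone": "+1 212 555 0199",
     "resume": "Frontend engineer, React, TypeScript, 5 years."},
]


def normalize_email(email):
    """Email comparison is case-insensitive in practice, so fold case and trim."""
    return email.strip().lower()


def normalize_phone(phone):
    """Keep digits only; drop a leading '1' country code so '+1 415...' equals '415...'."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        return digits[1:]
    return digits


def normalize_resume(text):
    """Collapse whitespace and case so reformatted copies of one resume compare equal."""
    return re.sub(r"\s+", " ", text.lower()).strip()


def find_shared_attributes(applicants):
    """Return [(attribute, normalised_value, [applicant names])] for every email,
    phone number or resume body that appears on records with different names."""
    index = defaultdict(set)
    for a in applicants:
        index[("email", normalize_email(a["email"]))].add(a["name"])
        index[("phone", normalize_phone(a["phone"]))].add(a["name"])
        index[("resume", normalize_resume(a["resume"]))].add(a["name"])
    return [(attr, value, sorted(names))
            for (attr, value), names in index.items() if len(names) > 1]


if __name__ == "__main__":
    for attr, value, names in find_shared_attributes(APPLICANTS):
        print(f"shared {attr} {value!r} across applicants: {', '.join(names)}")
```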
Follow Luke Duecy for more of his stories.