How to Avoid Hiring a North Korean Spy as a ‘Remote Employee’
‘We advertised for a remote employee … several North Korean fake employees responded’

Do you really know who you’re hiring?
For the past decade, North Korean operatives have sought to infiltrate US companies, posing as remote employees to spy on operations, install malware and steal corporate and personal data. Last month, two operations by the Department of Justice and the FBI executed coordinated search warrants on 50 suspected “laptop farms” spread across more than a dozen states. About 400 laptops, 29 financial accounts, 21 fraudulent websites and remote-controlled devices were seized.
To avoid hiring foreign saboteurs, the FBI advises US companies to adopt identity verification processes when hiring new workers, but even that provides no guarantee of security.
“We advertised for a remote employee through our normal hiring processes and, unbeknownst to us at the time, several North Korean fake employees responded,” said Roger Grimes, chief evangelist at KnowBe4, a company that unknowingly hired a North Korean hacker.
KnowBe4 interviewed the operative via Zoom and spoke to him over the phone, said Grimes, asking him for a valid ID and work references. The ID, which was stolen, didn’t raise flags, said Grimes. The work references, fabricated by threat actors, initially appeared legitimate.
Though KnowBe4 quickly caught the operative, not all companies are as lucky, he said. “Once (the laptop) was picked up, the person tried to install malware on the device,” Grimes said. “Our software detected it and alerted our (security operations) team immediately, which froze the employee’s accounts and the laptop.”
KnowBe4’s situation is far from singular. Security firm HYPR nearly hired a North Korean hacker, said Bojan Simic, CEO and co-founder. The operative was exposed during the first day of onboarding after triggering the company’s identification system through discrepancies in biometrics and geolocation.
“A blend of multi-factor authentication, continuous biometric and location verification is the future of secure workforce access,” Simic said.
Every enterprise with remote employees needs to be aware of this threat and adapt hiring processes to detect hostile foreign operatives masquerading as legitimate applicants before they’re hired, Grimes said:
- Red flags include inconsistent time-zone activity and reuse of the same virtual machine across multiple accounts, said Nic Adams, co-founder and CEO of 0rcus.
- For companies in software development, code submissions should only be done from managed workstations with hardware attestation to detect virtual machine misuse, Adams added.
- Monitoring traffic patterns for lateral movement, unusual host jumps, automating alerts for new accounts that request high-privilege access and double-checking open- or closed-source resources that lack rigorous vetting are also a must, he said.
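The three red flags Adams lists above (time-zone activity inconsistent with the declared location, one device or VM fingerprint reused across several accounts, and new accounts asking for high-privilege access) can be turned into simple SOC checks over sign-in records. The following is an added example, not code from the article or from any of the companies quoted; the event schema and all sample records are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample sign-in events (hypothetical schema, not any vendor's log format):
# user, endpoint fingerprint, time zone the endpoint reported, time zone of the
# employee's declared address, hire date, sign-in date, privileged-role request flag.
EVENTS = [
    {"user": "a.chen", "device": "fp-1001", "tz": "America/Chicago",
     "declared_tz": "America/Chicago", "hired": "2025-06-02",
     "day": "2025-06-03", "privileged": False},
    {"user": "b.ortiz", "device": "fp-2002", "tz": "Asia/Shanghai",
     "declared_tz": "America/New_York", "hired": "2025-06-16",
     "day": "2025-06-17", "privileged": True},
    {"user": "c.park", "device": "fp-2002", "tz": "Asia/Shanghai",
     "declared_tz": "America/Los_Angeles", "hired": "2025-06-23",
     "day": "2025-06-24", "privileged": False},
    {"user": "a.chen", "device": "fp-1001", "tz": "America/Chicago",
     "declared_tz": "America/Chicago", "hired": "2025-06-02",
     "day": "2025-07-10", "privileged": True},
]

def timezone_mismatches(events):
    """Users whose endpoint time zone disagrees with their declared location."""
    return sorted({e["user"] for e in events if e["tz"] != e["declared_tz"]})

def shared_devices(events):
    """Device fingerprints seen on more than one account (same VM reused)."""
    users_by_device = defaultdict(set)
    for e in events:
        users_by_device[e["device"]].add(e["user"])
    return {d: sorted(u) for d, u in users_by_device.items() if len(u) > 1}

def early_privilege_requests(events, window_days=14):
    """Users requesting privileged access within window_days of being hired."""
    flagged = set()
    for e in events:
        age = (date.fromisoformat(e["day"]) - date.fromisoformat(e["hired"])).days
        if e["privileged"] and age <= window_days:
            flagged.add(e["user"])
    return sorted(flagged)

def red_flags(events):
    """Combine the three checks into one per-user flag list for SOC review."""
    flags = defaultdict(list)
    for u in timezone_mismatches(events):
        flags[u].append("timezone-mismatch")
    for dev, users in shared_devices(events).items():
        for u in users:
            flags[u].append(f"shared-device:{dev}")
    for u in early_privilege_requests(events):
        flags[u].append("early-privilege-request")
    return dict(flags)
```

On the constructed data, `red_flags(EVENTS)` reports b.ortiz on all three checks and c.park on two, while a.chen, whose privileged request comes well after the 14-day window, is not flagged.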
“Enterprises must treat remote hires like external threat feeds: integrate their profiles into threat intelligence platforms, run continuous validation of their digital presence, and rotate credentials aggressively to limit any undetected foothold,” Adams noted.