North Korean IT workers steal source code to extort employers

The FBI warned today that North Korean IT workers are abusing their access to steal source code and extort U.S. companies that have been tricked into hiring them.

The bureau alerted public and private sector organizations in the United States and worldwide that North Korean IT workers are facilitating cybercriminal activity and demanding ransom payments in exchange for not leaking sensitive data exfiltrated from their employers’ networks.

“North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts. While not uncommon among software developers, this activity represents a large-scale risk of theft of company code,” the FBI said.

“North Korean IT workers could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities.”

To mitigate these risks, the FBI advised companies to apply the principle of least privilege by disabling local administrator accounts and limiting permissions for remote desktop applications. Organizations should also monitor for unusual network traffic, especially remote connections, since North Korean IT personnel often log into the same account from multiple IP addresses over a short period of time.
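The "same account, many IP addresses, short window" pattern the FBI describes is easy to turn into a detection rule. The script below is an added example, not code from the FBI advisory or from the article: it walks a constructed authentication log (ISO timestamp, username, source IP, result) in time order, keeps a sliding one-hour window of successful logins per user, and flags any user whose window ever contains more distinct source IPs than an assumed threshold. The log lines, field layout, window size and threshold are all assumptions for illustration.

```python
"""Flag accounts that authenticate from many distinct IPs in a short window.

Added example (not from the FBI advisory). Log format, window and threshold
are assumptions; adapt parse_line() to your own VPN/SSO/RDP log schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): "<timestamp> <user> <src_ip> <result>"
SAMPLE_LOG = """\
2025-01-23T09:00:12Z alice 203.0.113.10 success
2025-01-23T09:04:41Z bob 198.51.100.7 success
2025-01-23T09:12:05Z alice 198.51.100.22 success
2025-01-23T09:35:50Z alice 192.0.2.77 success
2025-01-23T09:51:19Z alice 203.0.113.10 success
2025-01-23T10:02:33Z bob 198.51.100.7 success
2025-01-23T14:20:00Z carol 192.0.2.5 failure
2025-01-23T14:21:10Z carol 192.0.2.5 success
"""


def parse_line(line):
    """Split one log line into (datetime, user, ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def find_multi_ip_logins(log_text, window=timedelta(hours=1), max_ips=2):
    """Return {user: set_of_ips} for every user who had more than `max_ips`
    distinct source IPs among successful logins inside any sliding `window`.

    Failed attempts are ignored so that password spraying from many IPs does
    not trip this rule; that is a separate detection.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    recent = defaultdict(deque)   # user -> deque of (timestamp, ip) in window
    flagged = {}
    for ts, user, ip, result in events:
        if result != "success":
            continue
        q = recent[user]
        q.append((ts, ip))
        # Drop events that fell out of the window relative to this login.
        while q and ts - q[0][0] > window:
            q.popleft()
        ips = {i for _, i in q}
        if len(ips) > max_ips:
            flagged[user] = flagged.get(user, set()) | ips
    return flagged


if __name__ == "__main__":
    for user, ips in find_multi_ip_logins(SAMPLE_LOG).items():
        print(f"{user}: {len(ips)} source IPs within one hour -> {sorted(ips)}")
```

Tune `window` and `max_ips` against a baseline of your own users; a mobile workforce behind carrier NAT will legitimately churn addresses, so the rule is most reliable when combined with the laptop-farm indicators the article mentions (a single residential IP serving many "employees", or remote-desktop traffic from the supposed home machine).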

The FBI also recommended reviewing network logs and browser sessions for signs of data exfiltration through shared drives, personal cloud accounts, and private code repositories.
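The specific behaviour quoted above is an employee pushing company repositories to a personal GitHub profile or a personal cloud account. As an added example (not from the advisory or the article), the script below scans a constructed web-proxy log for two such signals: a git push over HTTPS, which the smart HTTP protocol sends as a POST to `<owner>/<repo>/git-receive-pack`, where the repository owner is not one of the company's approved organizations; and a large POST/PUT to a cloud-storage upload endpoint. The log layout, the approved-org list, the host lists and the size threshold are assumptions for illustration.

```python
"""Flag git pushes to non-company repositories and bulk uploads to personal
cloud storage in a web-proxy log.

Added example (not from the FBI advisory). Field layout, approved orgs, host
lists and the size threshold are assumptions; adjust them to your environment.
"""
import re
from collections import defaultdict

# Constructed sample proxy log: "<ts> <user> <method> <host> <path> <bytes_out>"
PROXY_LOG = """\
2025-01-23T10:01:02Z alice POST github.com /acme-corp/payments/git-receive-pack 48211
2025-01-23T10:03:17Z alice POST github.com /alice-dev/payments-mirror/git-receive-pack 73910445
2025-01-23T10:05:00Z bob GET github.com /acme-corp/payments/info/refs 512
2025-01-23T11:20:45Z alice PUT content.dropboxapi.com /2/files/upload 210004992
2025-01-23T11:22:10Z carol POST slack.com /api/chat.postMessage 1500
"""

APPROVED_ORGS = {"acme-corp"}                      # hypothetical company org(s)
CODE_HOSTS = {"github.com", "gitlab.com", "bitbucket.org"}
CLOUD_STORAGE_HOSTS = {"content.dropboxapi.com", "www.googleapis.com", "api.box.com"}
UPLOAD_THRESHOLD = 50 * 1024 * 1024                # 50 MiB, an assumed cut-off

# git push over smart HTTP: POST <owner>/<repo>/git-receive-pack
GIT_PUSH_RE = re.compile(r"^/([^/]+)/([^/]+?)(?:\.git)?/git-receive-pack$")


def classify(line):
    """Return (finding_kind, user, target) for a suspicious line, else None."""
    ts, user, method, host, path, bytes_out = line.split()
    bytes_out = int(bytes_out)

    if host in CODE_HOSTS and method == "POST":
        m = GIT_PUSH_RE.match(path)
        if m and m.group(1) not in APPROVED_ORGS:
            return ("push_to_unapproved_repo", user, f"{host}{path}")

    if (host in CLOUD_STORAGE_HOSTS and method in ("POST", "PUT")
            and bytes_out >= UPLOAD_THRESHOLD):
        return ("bulk_cloud_upload", user, f"{host}{path}")

    return None


def scan(log_text):
    """Group findings by user: {user: [(kind, target), ...]}."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = classify(line)
        if hit:
            kind, user, target = hit
            findings[user].append((kind, target))
    return dict(findings)


if __name__ == "__main__":
    for user, items in scan(PROXY_LOG).items():
        for kind, target in items:
            print(f"{user}: {kind} -> {target}")
```

Two caveats a practitioner will hit immediately: the URL path is only visible if the proxy terminates TLS (otherwise you have the SNI host and byte counts, which still catches the bulk-upload case), and a push over SSH never crosses the HTTP proxy at all, so outbound port 22 to code hosts should be blocked or logged separately. Pair the rule with the repository host's own audit log, where a clone of the company org followed by a push to a personal namespace is recorded regardless of transport.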

To strengthen their remote hiring process, companies should verify identities during interviews and onboarding and cross-check HR systems for applicants with similar resume content or contact details.

Given that North Korean IT workers are known to use AI and face-swapping tech to conceal their identities during interviews, HR staff and hiring managers must also be aware of the associated risks. Additionally, monitoring changes in payment platforms and contact information during onboarding is crucial, as these individuals will often reuse email addresses and phone numbers across resumes.

Other measures that should help detect North Korean IT workers trying to bypass hiring checks include:

  • Verifying that third-party staffing firms conduct robust hiring practices and routinely audit those practices,
  • Using “soft” interview questions to ask applicants for specific details about their location or educational background (North Korean IT workers often claim to have attended non-US educational institutions),
  • Checking applicant resumes for typos and unusual nomenclature,
  • Completing as much of the hiring and onboarding process as possible in person.

Today’s public service announcement follows repeated warnings issued by the FBI over the years regarding North Korea’s large army of IT workers, who hide their true identities to get hired at hundreds of companies in the United States and worldwide.

Also referring to themselves as “IT warriors,” they impersonate U.S.-based IT staff by connecting to enterprise networks via U.S.-based laptop farms. After being discovered and fired, some of these North Korean IT workers have used insider knowledge to extort their former employers, threatening to leak sensitive information they stole from company systems.

The U.S. State Department now offers rewards of millions of dollars for information that could help disrupt the activities of several North Korean front companies, which have generated revenue for the regime through illegal remote IT work schemes.

In recent years, South Korean and Japanese government agencies have also issued alerts about North Koreans tricking private companies into hiring them as remote IT workers.

In a joint statement issued last week, the United States, South Korea, and Japan revealed that North Korean state-sponsored hacking groups have stolen over $659 million worth of cryptocurrency in multiple crypto-heists during 2024.

Today, the Justice Department also indicted two North Korean nationals and three facilitators for their involvement in a multi-year fraudulent remote IT work scheme that allowed them, and other suspects who have yet to be charged, to get hired by at least sixty-four U.S. companies between April 2018 and August 2024.
