In July last year, security firm KnowBe4’s systems detected unusual activity on a recently-hired software engineer’s account. As the firm’s security team deepened their investigation, they began to suspect the threat was coming from a malicious insider, linked to a nation state.
When the attacker went dark and began to manipulate session history files and execute unauthorized software, KnowBe4’s security team acted quickly, containing the device.
The attacker failed to gain access to any valuable systems and no data was lost, but the incident is a wake-up call to all firms. Despite a rigorous hiring process and numerous other controls, KnowBe4 had unwittingly hired a fake worker from North Korea – part of a growing threat to businesses globally.
In the US, such cases are already racking up, with the US attorney's office for the District of Columbia recently stating that more than 300 companies had been affected by scams of this kind, at a cost of $17m.
North Korea’s fake IT worker scheme has also shifted its focus to European companies, confirming the global nature of the threat, according to the Google Threat Intelligence Group.
So, what are the signs a fake IT worker is trying to infiltrate your business, and how can you prevent becoming a victim of this growing threat?
Fake worker schemes
In many cases, one of the first clues is an employee requesting that their workstation be sent to an address that is "basically an IT mule laptop farm", as explained in a blog by Stu Sjouwerman, founder of KnowBe4.
The fake worker uses a virtual private network (VPN) to hide their location, working night shifts so they appear to be active during the US working day.
Before stealing sensitive data or transferring malware onto company systems, the scammer acts like a model worker, completing tasks and sending their salary directly to North Korea.
David Sancho, senior threat researcher at Trend Micro, tells ITPro that some scams see fraudsters pose as a company hiring for new employees, while in others they pretend to be applying for an open position at a firm. “In this case, they fake a candidate’s profile and apply for jobs,” he explains. “They often use deepfake technology to appear like the real person.”
Usually, the candidates do exist and have a public profile on LinkedIn. “The fraudster appears to be one of those perfect-match candidates. They mask their faces in live interviews and use AI chatbots to do well on the technical questions,” Sancho explains.
Once they have been hired, they keep a low profile while receiving their salary, doing the bare minimum to avoid being let go. However, when they see their job is in danger due to low performance, they often try to monetize their access to the company, says Sancho. This can involve deploying ransomware or stealing internal data to sell.
Unsurprisingly, fake IT workers are particularly interested in government-affiliated organizations and contracts that support military, cyber, and nuclear efforts. “The information they gather from these positions and access is shared with their government to support military and nuclear efforts, and the salaries they earn support funding,” says Crystal Morin, cybersecurity strategist at Sysdig.
Fake worker schemes in action
There are numerous examples of fake worker schemes in action. A North Korean IT worker was recently able to infiltrate a US election campaign website, per Fortune, while the risk intelligence firm Nisos has tracked a network of fake workers with suspected links to North Korea using GitHub to create personas.
Cybersecurity company ReliaQuest recently investigated over 25 North Korean insider threats across its customer base. “What’s particularly concerning is that these insiders rarely act alone,” says Brandon Tirado, director of threat research at ReliaQuest.
In one case, a single company was infiltrated by up to ten North Korean insiders within six months. “This is no coincidence – it’s a coordinated campaign designed to maximize access and impact,” says Tirado.
After investigating a client laptop recovered in a successful FBI raid, another security company, Sygnia, uncovered how North Korean hackers leveraged a series of scripts, a client-issued laptop, and remote access through Zoom to infiltrate an organization.
“By preconfiguring the Zoom client and using input automation tools, he transformed the video conferencing platform into a functional remote access trojan (RAT), granting him live control of the machine through a trusted, whitelisted application,” says Ryan Goldberg, incident response manager, Sygnia.
Notably, this occurred despite the presence of endpoint detection and response (EDR) and a well-resourced security operations center (SOC), which highlights “how subtle, script-based abuse of trusted protocols can bypass even mature defenses”, he adds.
Mitigating the risk
As firms increasingly hire employees remotely and offload vetting to staffing platforms, the risk of being targeted by fake IT worker attacks is “significant and growing,” says Goldberg. “The threat isn’t theoretical: These attackers are paid and granted internal access like normal employees,” he warns.
With this in mind, it’s a good idea to know the signs fake IT workers are trying to infiltrate your business and take steps to mitigate the risk.
One firm that is well-placed to offer advice around this is KnowBe4. At the time of the attack, the company was lucky: its new employees are put in a highly restricted area when they start and have no access to production systems.
In addition to steps such as this, Javvad Malik, lead security awareness advocate at KnowBe4, says organizations should “increase rigor” in their hiring process.
“It’s not enough to just check a CV and have a quick chat,” he warns.
Instead, firms should implement stringent identity verification processes, including document checks and in-person or video interviews, Malik advises.
Sancho recommends that companies make sure every new employee shows up “physically in an office” to sign the contract, or to meet people before being formally hired, without any exceptions. “This is not an unusual policy in the EU and UK, but it’s the best way to make sure no fake workers are ever hired.”
During interviews, watch and listen for inconsistencies in case they are using deepfake audio and video, says Morin. “Conduct thorough background checks, perform biometric verification, and collaborate across HR, security and insider threat teams.”
When onboarding new employees, Hannah Baumgaertner, head of research at Silobreaker, suggests verifying that any device shipped to the new hire is being used from the location specified by the employee.
At the same time, leaders must be wary of red flags such as sudden address changes or requests for unconventional payment methods, Malik says.
In addition, post-employment monitoring is crucial, Malik says. “Ensure the person doing the work is the same one you hired.”
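The checks above (a shipped device being used from somewhere other than the declared address, sessions hidden behind a VPN, and activity clustered in what should be the employee's night) lend themselves to a simple post-onboarding review of device telemetry. The following is an added example written for this article, not code from KnowBe4, Silobreaker or any other firm quoted here. The employees, the check-in records, the comma-separated log format and the thresholds (five check-ins minimum, half of them off-hours) are all constructed for illustration; a real deployment would read the same fields from EDR or identity-provider logs.

```python
"""Post-onboarding device check (added example; all data below is constructed).

Compares a shipped laptop's observed check-ins with the location and working
hours the new hire declared, and reports three anomalies: the device appearing
away from the declared address, sessions arriving through VPN/hosting/proxy
networks, and most activity falling in the employee's declared night.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Employee:
    name: str
    declared_country: str      # from the HR record / shipping address
    declared_region: str
    utc_offset_hours: int      # time zone of the declared address
    work_start: int = 8        # local hours treated as a normal working day
    work_end: int = 19


@dataclass
class CheckIn:
    ts_utc: datetime
    country: str
    region: str
    network_type: str          # e.g. "isp", "vpn", "hosting", "proxy"


# Constructed log format: ISO-8601 timestamp with UTC offset, country, region, network type.
def parse_checkin(line: str) -> CheckIn:
    ts, country, region, network_type = (f.strip() for f in line.split(","))
    return CheckIn(datetime.fromisoformat(ts), country, region, network_type)


def local_hour(ts_utc: datetime, utc_offset_hours: int) -> int:
    """Hour of day at the employee's declared location."""
    return (ts_utc + timedelta(hours=utc_offset_hours)).hour


ANONYMIZING = {"vpn", "hosting", "proxy"}


def assess(employee: Employee, checkins: List[CheckIn],
           min_checkins: int = 5, off_hours_ratio: float = 0.5) -> Dict[str, str]:
    """Return finding name -> detail for one device; an empty dict means nothing to flag."""
    findings: Dict[str, str] = {}
    if not checkins:
        findings["no_telemetry"] = "device has never checked in"
        return findings

    # 1. Is the device where the employee said it would be?
    declared = (employee.declared_country, employee.declared_region)
    elsewhere = [c for c in checkins if (c.country, c.region) != declared]
    if elsewhere:
        places = Counter(f"{c.country}/{c.region}" for c in elsewhere)
        findings["device_location_mismatch"] = (
            f"{len(elsewhere)} of {len(checkins)} check-ins away from "
            f"{'/'.join(declared)}: {dict(places)}")

    # 2. Are sessions arriving through anonymizing infrastructure?
    anon = [c for c in checkins if c.network_type in ANONYMIZING]
    if anon:
        kinds = Counter(c.network_type for c in anon)
        findings["anonymizing_network"] = f"{len(anon)} check-ins via {dict(kinds)}"

    # 3. Does most activity fall outside the declared working day?
    off = [c for c in checkins
           if not employee.work_start <= local_hour(c.ts_utc, employee.utc_offset_hours) < employee.work_end]
    if len(checkins) >= min_checkins and len(off) / len(checkins) >= off_hours_ratio:
        findings["off_hours_activity"] = (
            f"{len(off)} of {len(checkins)} check-ins outside "
            f"{employee.work_start:02d}:00-{employee.work_end:02d}:00 local time")
    return findings


# Constructed sample data: one ordinary hire and one that matches the article's pattern.
CLEAN = Employee("A. Example", "US", "California", -7)
CLEAN_LOG = [
    "2025-07-14T16:00:00+00:00, US, California, isp",   # 09:00 local
    "2025-07-14T17:30:00+00:00, US, California, isp",   # 10:30 local
    "2025-07-14T19:00:00+00:00, US, California, isp",   # 12:00 local
    "2025-07-14T21:00:00+00:00, US, California, isp",   # 14:00 local
    "2025-07-14T23:00:00+00:00, US, California, isp",   # 16:00 local
]
SUSPECT = Employee("B. Example", "US", "Arizona", -7)
SUSPECT_LOG = [
    "2025-07-15T03:00:00+00:00, US, Texas, isp",        # 20:00 local, wrong state
    "2025-07-15T05:00:00+00:00, US, Texas, vpn",        # 22:00 local, VPN
    "2025-07-15T07:00:00+00:00, US, Texas, vpn",        # 00:00 local, VPN
    "2025-07-15T09:00:00+00:00, US, Arizona, hosting",  # 02:00 local, hosting range
    "2025-07-15T17:00:00+00:00, US, Arizona, isp",      # 10:00 local, looks normal
]

if __name__ == "__main__":
    for emp, log in ((CLEAN, CLEAN_LOG), (SUSPECT, SUSPECT_LOG)):
        result = assess(emp, [parse_checkin(line) for line in log])
        print(emp.name, result or "no findings")
```

Each finding on its own is weak evidence (a genuine employee may travel or use a corporate VPN), which is why the check reports all three separately rather than scoring them: the combination of a device that is not where it was shipped, sessions through anonymizing networks and a working day that is inverted relative to the declared time zone is what should trigger the HR, security and insider-threat review the article recommends.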