FBI issues guidance for enterprises as fake North Korean IT workers wreak havoc
Working to eliminate the problem of fake IT workers, the FBI has some advice on best practices
The FBI has issued fresh guidance aimed at helping organizations combat the threats posed by fake North Korean IT workers after a spate of incidents.
In its latest efforts to stamp out the scam whereby North Korean hackers pose as legitimate remote IT workers, the FBI said they are continuing to target US-based businesses.
"In recent months, in addition to data extortion, FBI has observed North Korean IT workers leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber criminal activities, and conduct revenue-generating activity on behalf of the regime," the law enforcement agency said in a statement.
North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage for ransom - and in some cases have released that proprietary code.
They have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts, putting company code at risk of theft.
The FBI also warned the fake workers could try to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices, and compromise their victims in other ways.
In terms of data monitoring, organizations should practice the principle of least privilege, disabling local administrator accounts and limiting privileges for installing remote desktop applications.
They should monitor and investigate unusual network traffic, including remote connections to devices, or the presence of unauthorized remote desktop protocols or software.
"North Korean IT workers often have multiple logins into one account in a short period of time from various IP addresses, often associated with different countries," the FBI warned.
Companies should monitor network logs and browser session activity to identify data exfiltration through easily accessible means such as shared drives, cloud accounts, and private code repositories.
And they should monitor endpoints for the use of software that allows for multiple audio or video calls to take place at the same time.
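As an added illustration of the login-pattern indicator the FBI describes above (this is not code from the advisory or from ITPro), the following Python script scans a constructed authentication log and flags accounts whose logins within a short window come from several countries. The log format, account names, IP addresses and the static IP-to-country field are assumptions; a real deployment would resolve each IP against a GeoIP database.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format): timestamp, event, account, source IP, country.
# In production the country field would come from a GeoIP lookup, not the log itself.
SAMPLE_LOG = """\
2024-06-03T08:02:11Z login alice 203.0.113.10 US
2024-06-03T08:14:40Z login bob 198.51.100.7 US
2024-06-03T08:21:05Z login alice 192.0.2.55 CN
2024-06-03T08:29:52Z login alice 198.51.100.200 RU
2024-06-03T09:10:00Z login bob 198.51.100.7 US
2024-06-03T14:45:30Z login carol 203.0.113.77 US
2024-06-03T15:05:12Z login carol 203.0.113.78 US
"""

WINDOW = timedelta(hours=1)   # "short period of time" per the advisory; tune to your environment
MIN_COUNTRIES = 2             # flag when logins inside one window span at least this many countries

def parse_log(text):
    """Parse lines into (time, account, ip, country) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "login":
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[2], parts[3], parts[4]))
    return sorted(events)

def find_multi_country_logins(text, window=WINDOW, min_countries=MIN_COUNTRIES):
    """Return {account: sorted countries} for accounts whose logins within any sliding
    window of length `window` originate from at least `min_countries` countries."""
    by_account = defaultdict(list)
    for ts, acct, ip, country in parse_log(text):
        by_account[acct].append((ts, ip, country))
    flagged = {}
    for acct, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start..end] fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            countries = {c for _, _, c in evs[start:end + 1]}
            if len(countries) >= min_countries:
                flagged[acct] = sorted(countries)
    return flagged

if __name__ == "__main__":
    for acct, countries in find_multi_country_logins(SAMPLE_LOG).items():
        print(f"REVIEW {acct}: logins from {', '.join(countries)} within {WINDOW}")
```

A hit is a prompt for human review, not proof of a fake worker; travelling staff and VPN exit nodes produce the same pattern, so pair it with the session-cookie and remote-desktop checks the advisory lists.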
Enterprises urged to improve hiring in bid to tackle the issue
It's best, of course, if fake workers don't get hired in the first place, and the FBI has advice here too.
The Bureau advised organizations to implement identity-verification processes during interviewing, onboarding, and throughout the employment of any remote worker. They should look out for other applicants with the same resume content and/or contact information.
Similarly, employers should remain vigilant for candidates using AI and face-swapping technology during video job interviews to hide their true identities. HR staff, hiring managers, and development teams should be given training to spot the telltale signs of deepfakes, the advisory noted.
Third-party staffing firms are also advised to implement robust hiring practices and to routinely audit those practices.
"Use 'soft' interview questions to ask applicants for specific details about their location or education background. North Korean IT workers often claim to have attended non-US educational institutions," the advisory said.
Fake IT workers are becoming a real problem
The FBI has been battling the problem of fake IT workers for some time. It first warned of the issue in 2022, with further advisories issued in 2023 and in May last year.
In August 2024, cybersecurity training firm KnowBe4 revealed it had fallen prey to this type of scam. The company released a detailed report examining the incident, including how the fake worker attempted to upload malware.
The firm acted swiftly, however, and no sensitive information was exposed as a result of the incident.
Earlier this month, the Justice Department indicted a batch of suspects accused of being involved in a campaign of scams that impacted 64 companies. Payments from ten of those companies generated at least $866,255 in revenue, most of which was then laundered through a Chinese bank account.
"The Department of Justice remains committed to disrupting North Korea's cyber-enabled sanctions-evading schemes, which seek to trick US companies into funding the North Korean regime's priorities, including its weapons programs," said supervisory official Devin DeBacker of the Justice Department's National Security Division.
"Our commitment includes the vigorous pursuit of both the North Korean actors and those providing them with material support. It also includes standing side-by-side with U.S. companies to not only disrupt ongoing victimization, but also to help them independently detect and prevent such schemes in the future."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.