Addressing the growing DPRK IT worker threat – Mandiant report

In the face of escalating cyber threats, organisations worldwide are increasingly grappling with the strategic maneuvers of North Korean IT workers. Since 2022, Mandiant has been closely monitoring these operatives, who pose as non-North Korean nationals to secure employment within global industries, covertly funnelling revenue to the North Korean regime. These efforts directly support the development of weapons of mass destruction (WMD) and ballistic missile programs, while also evading international sanctions.

The Scope of the Threat

North Korean IT workers employ various tactics to evade detection and exploit privileged access within organisations. These workers often use stolen identities, facilitated by non-North Korean individuals, to secure jobs in the U.S. tech sector and other industries. These facilitators assist by laundering money, hosting corporate laptops, and enabling access to international financial systems, all to benefit the North Korean state. The primary objectives of these operations, tracked by Mandiant as UNC5267, are to generate revenue and maintain long-term access to corporate networks, with potential uses for espionage or disruptive activities.

Operating primarily from China, Russia, Africa, and Southeast Asia, UNC5267 agents have applied for remote jobs and, in some cases, worked multiple positions simultaneously, siphoning salaries from multiple organisations. One notable facilitator compromised over 60 U.S. identities, impacting more than 300 companies and generating $6.8 million in revenue between 2020 and 2023.

Incident Response and Observations

Mandiant’s incident response engagements have revealed that many DPRK IT workers initially function within their job responsibilities, gaining elevated access to sensitive systems. For instance, in one case, a fraudulent software engineer profile hosted on Netlify included fabricated credentials and testimonials, linked to a second fraudulent resume on Google Docs under a different identity. These workers frequently use U.S.-based addresses with foreign education credentials, making it harder for employers to verify their backgrounds.

Many of these operatives access victim networks remotely, often using remote administration tools such as GoToMeeting, TeamViewer, and AnyDesk. They also use virtual private networks (VPNs) such as Astrill VPN to obscure their true locations, which are often in North Korea or China. A recurring technique involves “laptop farms”, where multiple corporate devices are stored in one place and accessed remotely by a single facilitator, further complicating detection.

Detection and Mitigation Strategies

To combat this growing threat, Mandiant recommends several proactive measures:

  1. Vetting and Verification: Implement thorough background checks that include biometric data, rigorous interview processes with mandatory video calls, and verification of both employment and personal details. Organisations should also be aware of the common use of AI-modified profile images and monitor for discrepancies in applicants’ resumes.
  2. Technical Monitoring: It is essential to monitor for the use of remote administration tools, VPN services, and IP-based KVM devices. Regular checks of employee locations, laptop serial numbers, and unusual remote access patterns can help identify suspicious behavior early.
  3. Ongoing Education and Spot Checks: Continuous training for HR teams and employees on cyber threats and DPRK IT worker tactics can help reduce the risk of infiltration. Mandatory spot checks, such as requiring remote employees to appear on camera periodically, are recommended.
  4. Collaboration and Information Sharing: Sharing threat intelligence across industries and engaging with cybersecurity vendors are key to staying informed on the latest DPRK activities and mitigating risks.
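The technical-monitoring measure above can be expressed as a few simple detection rules over endpoint and VPN-gateway telemetry. The following script is an added illustration, not code from Mandiant or the report: it runs three rules over constructed sample events, flagging remote administration tools named in the article, corporate VPN logins arriving from a consumer VPN provider (the `org` enrichment field is an assumed WHOIS/ASN lookup), and a single external IP serving several distinct employees, which is the laptop-farm pattern described earlier. The tool list and the three-user threshold are assumptions to tune for your environment.

```python
"""Detection sketch for the DPRK IT-worker indicators described in the article.

All events below are constructed samples, not real telemetry.
Rules:
  R1  remote-administration tool launched on a managed laptop
  R2  corporate VPN login whose enriched source org is a consumer VPN provider
  R3  one external source IP used by several distinct employees (laptop-farm pattern)
"""
from collections import defaultdict

# Illustrative executable names (assumption: extend with your own inventory).
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "teamviewer.exe"}
# Substrings matched against the hypothetical 'org' enrichment field.
CONSUMER_VPN_ORGS = {"astrill"}

# Constructed sample events: process starts and corporate VPN logins.
EVENTS = [
    {"type": "process", "user": "jdoe", "host": "LT-1042",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"},
    {"type": "vpn_login", "user": "jdoe", "host": "LT-1042",
     "src_ip": "203.0.113.7", "org": "Astrill VPN"},
    {"type": "vpn_login", "user": "asmith", "host": "LT-1107",
     "src_ip": "198.51.100.23", "org": "Example Cable ISP"},
    {"type": "vpn_login", "user": "bwong", "host": "LT-1133",
     "src_ip": "198.51.100.23", "org": "Example Cable ISP"},
    {"type": "vpn_login", "user": "clee", "host": "LT-1150",
     "src_ip": "198.51.100.23", "org": "Example Cable ISP"},
    {"type": "process", "user": "asmith", "host": "LT-1107",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]

def flag_remote_admin(events):
    """R1: process image basename matches a known remote-admin tool."""
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        exe = e["image"].rsplit("\\", 1)[-1].lower()  # basename, case-folded
        if exe in REMOTE_ADMIN_TOOLS:
            alerts.append(("R1", e["host"], e["user"], exe))
    return alerts

def flag_vpn_provider(events):
    """R2: VPN login whose source org looks like a consumer VPN service."""
    return [("R2", e["host"], e["user"], e["org"]) for e in events
            if e["type"] == "vpn_login"
            and any(v in e["org"].lower() for v in CONSUMER_VPN_ORGS)]

def flag_shared_source_ip(events, min_users=3):
    """R3: the same external IP authenticating as min_users or more employees."""
    users_by_ip = defaultdict(set)
    for e in events:
        if e["type"] == "vpn_login":
            users_by_ip[e["src_ip"]].add(e["user"])
    return [("R3", ip, sorted(users)) for ip, users in users_by_ip.items()
            if len(users) >= min_users]

def run_all(events):
    return flag_remote_admin(events) + flag_vpn_provider(events) + flag_shared_source_ip(events)
```

Each rule on its own produces false positives (legitimate support tooling, shared office egress), so the value lies in correlating hits on the same host or user over time.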

The Road Ahead

The DPRK’s reliance on cyber operations for revenue and state objectives makes these IT workers a persistent threat. Their growing technical sophistication and the evolving tactics they employ pose significant challenges to global organisations. While the primary motive remains financial, the potential for future espionage or sabotage cannot be ruled out. Companies must maintain robust cybersecurity measures, including incident response planning, threat hunting, and collaboration with cybersecurity partners to stay ahead of this evolving threat.

Mandiant continues to support organisations through intelligence-led services, helping them uncover ongoing or past cyber activities and prevent future breaches. With continued vigilance, collaboration, and strategic defences, businesses can mitigate the risks posed by DPRK IT workers and safeguard their networks.

Conclusion

As North Korean cyber operations become more advanced, staying informed and implementing multifaceted detection and mitigation strategies are crucial. Organisations should take a proactive approach to cybersecurity, leveraging partnerships, robust technical defences, and employee awareness to effectively address the ever-present threat of DPRK IT worker infiltration.