Remote hiring warning for South Africa
Businesses hiring workers remotely should be wary of North Koreans posing as other nationalities in order to get hired.
Aside from the potential security threat of having a state-sponsored actor active in their local network, there are international sanctions concerns.
This is according to KnowBe4’s Anna Collard, who said the “remote IT worker scam” applies to South African businesses just as much as to those based in the United States.
Collard is a security trainer and evangelist whose career began at Internet Solutions in 2001 as a security product developer.
In 2003, she moved to Internet Solutions’ parent company, Dimension Data, where she worked in security business development and later as a security consultant between Munich and Cape Town.
She worked for Dimension Data for 12 years and also did a stint at FireID and later at Old Mutual as a security architecture lead.
In 2012, she launched her own security awareness business called Popcorn Training, which KnowBe4 acquired in 2020.
At a recent security event organised by Orange Cyberdefense, Collard related the story of how KnowBe4 was almost infiltrated through a remote IT worker scam and how good technical defences helped them detect and ward off the attack.
Collard explained that North Korea employs this type of attack for various purposes.
While their goal could be to infiltrate a company and engage in corporate espionage, it could also be to exploit their privileged access at a later date or to earn money illegally and funnel it back to the state.
International sanctions on North Korea restrict its ability to generate revenue and severely limit its economy.
As a result, it engages in criminal activities, with cybercrime being among the most profitable, to raise money for the state.
This is used to fund its nuclear weapons programme, among other things, which is estimated to cost millions of dollars annually.
North Korea invests in training individuals in STEM fields from a young age to equip them with hacking skills.
Collard said that any child who exhibits any technical aptitude by age 11 is quickly selected for specialised training programmes.
Instead of continuing in the standard education system, these students are funnelled into an elite schooling system specifically designed to develop their skills for hacking on behalf of the state.
These trained hackers operate in outfits such as the Lazarus Group, known for high-profile cybercrimes like the attempted theft of a billion dollars from the Bank of India.
Others, like the individual who applied for a job at KnowBe4, try to get hired by technology companies.
Referring to the man as “Kyle”, Collard explained that the fraudster presented himself as a US citizen of Asian descent and used the stolen identity of a real individual.
This included using the real person’s social security number, allowing him to pass background checks.
Kyle had applied for a remote position as an AI engineer and successfully passed through four interviews with both human resources and technical teams.
Collard said that with the benefit of hindsight, they found that the only aspect of Kyle’s presented identity that was definitively fake was the photo.
She explained that North Korean agents involved in this type of scam often select images of individuals who appear trustworthy from stock photo libraries. They then base their fabricated persona on this chosen image.
In Kyle’s case, he used AI to enhance the image and make the model look more East Asian, which also made it more difficult to detect that it was a stock photo.
After getting hired, Kyle asked his new employer to ship his work laptop to an address in the United States. That address turned out to be part of a laptop mule farm, where a local accomplice hosts company devices so that they appear to be used from inside the country.
Kyle or his handlers attempted to connect remotely to the company laptop from China by installing VPN software and malware on it.
KnowBe4’s pre-installed security software detected this, as well as attempts to delete log files, which raised suspicion from the company’s security team.
When the security team reached out to the employee, they received a strange excuse, and he refused to appear on camera. This prompted the security team to suspend the employee’s account.
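The two signals that tripped KnowBe4's defences in the account above, remote-access or VPN tooling appearing on a freshly issued laptop and attempts to delete logs, are easy to encode as a detection rule. The following is an added example and not code from KnowBe4 or from the article; the event format, the tool names treated as unapproved remote-access software, the log paths and the 14-day "newly enrolled device" window are all assumptions chosen for illustration, and the sample telemetry is constructed.

```python
"""
Added example (not the article's or KnowBe4's code): flag remote-access
tooling and log deletion on endpoints, weighting hits on newly enrolled
laptops higher and recommending isolation when both signals co-occur.
All tool names, paths and windows below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed set of process image names a company does not approve on
# managed laptops. In practice this comes from the organisation's own policy.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "openvpn.exe", "wireguard.exe"}
# Assumed locations of security-relevant logs (Windows event logs, Linux syslog).
LOG_PATH_PREFIXES = ("c:\\windows\\system32\\winevt\\logs\\", "/var/log/")
# Assumed window during which a device counts as "newly issued".
ONBOARDING_WINDOW = timedelta(days=14)
# Both signals on one host within this span -> recommend isolation.
CORRELATION_WINDOW = timedelta(hours=1)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str          # "process_start" or "file_delete"
    target: str        # process image path or deleted file path
    enrolled: datetime # when the device was enrolled in endpoint management


def _basename(path: str) -> str:
    """Return the final path component for either Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(ev: Event) -> Optional[str]:
    """Map one telemetry event to a detection reason, or None if benign."""
    target = ev.target.lower()
    if ev.kind == "process_start" and _basename(target) in REMOTE_ACCESS_TOOLS:
        return "remote-access-tool"
    if ev.kind == "file_delete" and target.startswith(LOG_PATH_PREFIXES):
        return "log-deletion"
    return None


def detect(events: List[Event]) -> Dict[str, list]:
    """Produce alerts and a list of hosts that should be isolated.

    A hit on a device inside ONBOARDING_WINDOW is rated "high" because a
    brand-new employee has no legitimate history to explain it; older
    devices get "medium". A host showing both reasons within
    CORRELATION_WINDOW is recommended for isolation.
    """
    alerts: List[dict] = []
    hits_by_host: Dict[str, List[tuple]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        reason = classify(ev)
        if reason is None:
            continue
        new_device = (ev.ts - ev.enrolled) <= ONBOARDING_WINDOW
        alerts.append({
            "ts": ev.ts, "host": ev.host, "user": ev.user, "target": ev.target,
            "reason": reason, "severity": "high" if new_device else "medium",
        })
        hits_by_host.setdefault(ev.host, []).append((ev.ts, reason))

    isolate: List[str] = []
    for host, hits in hits_by_host.items():
        reasons = {r for _, r in hits}
        times = [t for t, _ in hits]
        if {"remote-access-tool", "log-deletion"} <= reasons and \
                (max(times) - min(times)) <= CORRELATION_WINDOW:
            isolate.append(host)
    return {"alerts": alerts, "isolate": sorted(isolate)}


# Constructed sample telemetry: a laptop enrolled on 1 Aug, showing a VPN
# client start and an event-log deletion two days later, plus benign noise.
_ENROLLED = datetime(2024, 8, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(datetime(2024, 8, 3, 14, 2), "lt-new-01", "kyle", "process_start",
          "C:\\Users\\kyle\\Downloads\\openvpn.exe", _ENROLLED),
    Event(datetime(2024, 8, 3, 14, 12), "lt-new-01", "kyle", "file_delete",
          "C:\\Windows\\System32\\winevt\\Logs\\Security.evtx", _ENROLLED),
    Event(datetime(2024, 8, 3, 14, 20), "lt-new-01", "kyle", "process_start",
          "C:\\Program Files\\Google\\Chrome\\chrome.exe", _ENROLLED),
]

if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for a in result["alerts"]:
        print(f'{a["ts"]:%Y-%m-%d %H:%M} {a["host"]} {a["severity"]:6} {a["reason"]} {a["target"]}')
    print("isolate:", result["isolate"])
```

The rule deliberately keys on device age: a VPN client on a five-year-old engineer's laptop may have an innocent explanation, while the same event in the first fortnight of a remote hire's tenure, followed by log tampering, is the pattern described above and warrants suspending the account pending a camera verification, as KnowBe4's team did.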
KnowBe4 then contacted the FBI and elected to go public with the story to warn companies about this new threat.
Collard’s colleague at KnowBe4, Roger Grimes, wrote a paper about the incident with a detailed analysis about the red flags companies should look out for when hiring remotely.
Grimes highlighted that most of the money earned by the North Korean fake employees is sent back to the North Korean government.
The local manager or handler keeps a small portion of the proceeds for themselves and for operating costs before remitting the rest to North Korea. The employee receives very little of the earned revenue.
“It is believed that their close family members are always kept back in North Korea to be used as personal leverage to force the employee to toil long hours for very little wages,” Grimes reported.
“Several sources have concluded that North Korean fake employees are considered to be human-trafficked.”