How not to hire a North Korean IT spy
Previously, DPRK IT workers terminated from their places of employment might seek to obtain references or attempt to get rehired, but law enforcement action and greater awareness have prompted some groups to adopt more aggressive measures, according to Google.
Detection is ‘challenging’
Using chatbots, “potential hires” are perfectly tailoring their resumes and further leveraging AI-created deepfakes to pose as real people.
Crystal Morin, former intelligence analyst for the US Air Force turned cybersecurity strategist at Sysdig, told CSOonline that North Korea is primarily targeting US government entities, defence contractors, and tech firms hiring IT workers.
“Companies in Europe and other Western nations are also at risk,” according to Morin. “North Korean IT workers are trying to get jobs either for financial reasons — to fund the state’s weapons program — or for cyberespionage.”
Morin added: “In some cases, they may try to get jobs at tech companies in order to steal their intellectual property before using it to create their own knock-off technologies.”
“These are real people with real skills in software development and not always easy to detect,” she warned.
Naushad UzZaman, co-founder and CTO of Blackbird.AI, told CSOonline that although the technology to deepfake video in real time is “not there yet,” advances in the technology are only likely to make life easier for counterfeit job applicants.
“You can imagine something like a Snapchat filter that would allow someone to present themselves as someone else,” according to UzZaman. “Even if that happens, you’d likely get glitches in the video that would offer tell-tale signs of interference.”
Countermeasures
IT managers and CISOs need to work with their colleagues in human resources to more closely vet applicants. Additional technical controls might also help.
Here are some recommended process improvements:
- Conduct live video-chats with prospective remote-work applicants and ask them about their work projects
- Look for career inconsistencies in resumes or CVs
- Check references by calling the referee to confirm any emailed reference
- Confirm supplied residence address
- Review and strengthen access controls and authentication processes
- Monitor supplied equipment for piggybacking remote access
Post-hire checks need to continue. Employers should be wary of sophisticated use of VPNs or VMs for accessing company systems, according to KnowBe4. Use of VoIP numbers and a lack of digital footprint for provided contact information are other red flags, the vendor added.
David Feligno, lead technical recruiter at managed services provider Huntress, told CSOonline: “We have a multiple-step process for trying to verify if a background looks too good to be true — meaning is this person stealing someone else’s profile and claiming as their own, or simply lying about their current location. We first check if the candidate has provided a LinkedIn profile that we can review against their current resume. If we find that the profile location does not match the resume — says on resume NYC, but on LinkedIn profile says Poland — we know this is a fake resume.
“If it is the same, did this person just create a LinkedIn profile recently and have no connections or followers?”
Huntress also checks that an applicant’s supplied phone number is valid, as well as running a Google search on them.
“All of the above will save you a great deal of time, and if you see anything that does not match, you know you are dealing with a fake profile, and it happens a lot,” Feligno concluded.
Brian Jack, KnowBe4’s CISO, agrees that fake remote employees and contractors are something every organization needs to worry about, adding: “CISOs should review the organization’s hiring processes and ensure that their overall risk management practices are inclusive of hiring.”
Hiring teams should be trained to check resumes and references more thoroughly to be sure the person they are interviewing is real and is who they say they are, Jack advises. The best approach is to meet candidates in person, along with their government-issued ID, or to use trusted agents such as background checking firms, especially as the use of AI enters the mix of hiring schemes such as these.
“One thing I like to do as a hiring manager is ask some questions that would be hard to prepare for and hard for an AI to answer on the fly, but easy for a person to talk about if they were who they claim to be,” Jack says.
[This article was originally published on August 28, 2024, and has been updated to include recent findings and events.]