Mandiant offers tips on how to catch North Korean IT workers • The Register

With more and more North Korean agents looking for (mainly) American IT positions, organizations now have a handy tool to help spot potential agents.

To understand the common mistakes, threat intel and incident response specialists at Mandiant interviewed “dozens” of organizations that have fallen victim to the growing trend of North Korean moles securing IT jobs in the U.S. The North Korean employees, who typically work in China and Russia at the behest of their governments, send their lucrative salaries to support Kim Jong Un’s military and also seek long-term access to employers’ networks and systems for future financial exploitation.

These interviews produced a long list of tips that employers can consider when hiring for their next role. However, many of the tips can be boiled down to proper due diligence.

For example, an analysis of the resume of a known North Korean agent — one of many Mandiant examined — found that simply scouring the web for common data points led to the discovery of job seeker profiles under a different name.

Scouring the web for the email addresses applicants provide is a good way to find these types of linked accounts. If they lead to profiles with different names than the ones on the application, it could mean the applicant is applying for multiple jobs at different companies.

It is common knowledge that some remote IT workers, North Korean or not, try their luck at working for multiple companies, in order to make some extra money before their behavior is eventually exposed.

Yet Pyongyang agents are known to exploit the American labor market, and signs of multiple identities should be seen as a major red flag for employers.

Other recommended actions for employers include requiring enhanced background checks. It sounds simple enough, but requiring things like biometric ID verification and notarized ID will go a long way in identifying fraudulent applicants, or even deterring them in the first place.

Hiring managers conducting interviews should also require cameras to be turned on during video calls so that the video feed can be compared to the photo the applicant provided. Again, it sounds basic, but the many warnings about the threat of fraudulent North Korean workers show how widely these seemingly basic measures are being skipped.

Human resources departments should also be trained to recognize common traits among North Korean fraudulent applicants, and to recognize whether AI has been used to alter the images provided.

Mandiant noted that many of the resumes reviewed were filled out with manipulated profile photos likely stolen from public LinkedIn profiles.

Knowing the common indicators of a fraudulent resume can also help identify which candidates deserve closer inspection. For example, Mandiant said, North Korean agents often lay their cards on the table by listing a U.S. address as their home but reporting they are attending a foreign university in countries like Japan, Hong Kong and Singapore. Educational institutions in these regions often don’t accept foreign students, so it should raise concerns about the legitimacy of the application.

“This discrepancy may prevent potential North American employers from verifying or contacting these foreign institutions regarding the applicant,” Mandiant blogged. “Mandiant also noted that the universities listed on the background check may not match the educational background of the candidate as listed on their resume, including time of enrollment and degree programs completed.”

Fraudulent resumes are often based on existing, publicly available templates or filled-in examples. There will therefore often be overlaps between fraudulent applicants and these open source resumes.

Technical tools to eliminate cheaters

The opportunities for detection don’t end at the hiring stage. Whether it’s through gut feeling or something more measurable like poor job performance, organizations have tools at their disposal to identify potential rogue employees.

We know from the various warnings the US has issued in the past and from historical criminal cases that employees who want to perform a job in the US while working from China or Russia need access to a computer in the US.

This access is usually made possible by a PC farm, and the American citizens who operate them can get into trouble with the law, as one Tennessee man recently discovered.

If there is any suspicion that an employee is working through one of these farms, additional evidence to support those suspicions can be gathered by monitoring the network traffic from that device.

Is the laptop connected to an IP-based Keyboard Video Mouse (KVM) device? If so, you have to ask yourself why an actual US citizen would need access to one of those devices to do their job.

Does the employee install one or more remote management apps on their device shortly after it ships? Again, this is definitely not normal behavior.

Speaking of shipping, does the requested shipping address match the applicant’s registered home address? If not, the company-issued laptop may have been shipped and taken to a laptop farm.

“We have seen North Korean IT workers use the location associated with the stolen identity they used for work, including the stolen driver’s license. Often, that location does not match the location where the laptop is ultimately shipped and stored,” Mandiant said.

Rogue employees often route their connections to these remote management and KVM solutions via VPNs. Astrill VPN is a popular choice, but there are many other options.
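The device-side indicators just listed (a shipping address that differs from the address HR has on file, remote management software installed shortly after the laptop ships, traffic to an IP-based KVM, and that remote-access traffic egressing over a commercial VPN) combine naturally into a per-device triage score. The following is an added example, not code from Mandiant or The Register; the `DeviceRecord` layout, the three-day install window and the category tags (`remote-management`, `ip-kvm`, `commercial-vpn`) are assumptions, with the tags taken to come from an upstream asset-inventory or traffic-enrichment step, and every serial number, hostname and address is constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example. The record layout and category tags below are assumptions;
# all serials, hostnames and addresses are constructed placeholders.


@dataclass
class DeviceRecord:
    serial: str
    employee: str
    hr_home_address: str   # address on the ID the employee provided to HR
    shipping_address: str  # where the company laptop was actually sent
    shipped_at: datetime
    installs: list         # (installed_at, package, tag) from software inventory
    connections: list      # (seen_at, destination, category) from network telemetry


def _norm_addr(addr: str) -> str:
    """Normalise punctuation and case so 'St.' and 'St' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", addr.lower()).split())


def device_indicators(dev: DeviceRecord,
                      install_window: timedelta = timedelta(days=3)) -> list:
    """Return the red flags raised by one device record, in a fixed order."""
    flags = []
    if _norm_addr(dev.shipping_address) != _norm_addr(dev.hr_home_address):
        flags.append("laptop shipped to an address other than the employee's HR address")
    early_rmm = sorted({pkg for ts, pkg, tag in dev.installs
                        if tag == "remote-management"
                        and ts - dev.shipped_at <= install_window})
    if early_rmm:
        flags.append(f"remote management software installed within "
                     f"{install_window.days} days of shipping: {', '.join(early_rmm)}")
    kvm_hosts = sorted({dst for _, dst, cat in dev.connections if cat == "ip-kvm"})
    if kvm_hosts:
        flags.append(f"traffic to IP-KVM device(s): {', '.join(kvm_hosts)}")
    vpn_hosts = sorted({dst for _, dst, cat in dev.connections
                        if cat == "commercial-vpn"})
    # VPN use alone is weak; it matters when it carries the remote-access tooling.
    if vpn_hosts and (kvm_hosts or early_rmm):
        flags.append(f"remote-access tooling combined with commercial VPN egress: "
                     f"{', '.join(vpn_hosts)}")
    return flags


def triage(devices: list) -> list:
    """Rank devices by indicator count, most suspicious first; clean devices are dropped."""
    scored = [(len(device_indicators(d)), d.serial) for d in devices]
    return sorted(((n, s) for n, s in scored if n), reverse=True)


SHIPPED = datetime(2024, 6, 3, 9, 0)  # constructed ship date

# Constructed: laptop sent to a different state, two remote-control agents
# installed on day one, then KVM and VPN traffic.
SUSPICIOUS = DeviceRecord(
    serial="SN-EXAMPLE-0001", employee="employee-a",
    hr_home_address="100 Main St, Springfield, IL 62701",
    shipping_address="42 Other Ave, Nashville, TN 37201",
    shipped_at=SHIPPED,
    installs=[
        (SHIPPED + timedelta(hours=5), "remote-control-agent-a", "remote-management"),
        (SHIPPED + timedelta(days=1), "remote-control-agent-b", "remote-management"),
        (SHIPPED + timedelta(days=1), "office-suite", "productivity"),
    ],
    connections=[
        (SHIPPED + timedelta(days=2), "kvm-01.example.net", "ip-kvm"),
        (SHIPPED + timedelta(days=2), "vpn-gw.example.net", "commercial-vpn"),
    ],
)

# Constructed: same address modulo punctuation, an IT support tool installed
# well after onboarding, and only the corporate VPN in use.
CLEAN = DeviceRecord(
    serial="SN-EXAMPLE-0002", employee="employee-b",
    hr_home_address="7 Elm St., Denver, CO 80202",
    shipping_address="7 Elm St, Denver, CO 80202",
    shipped_at=SHIPPED,
    installs=[(SHIPPED + timedelta(days=10), "remote-control-agent-a", "remote-management")],
    connections=[(SHIPPED + timedelta(days=11), "corp-vpn.example.net", "corporate-vpn")],
)


if __name__ == "__main__":
    for dev in (SUSPICIOUS, CLEAN):
        print(dev.serial, device_indicators(dev))
    print(triage([CLEAN, SUSPICIOUS]))
```

The VPN check is deliberately conditional: commercial VPN use on its own is common and would flood the queue, so it only counts once the same device also shows KVM traffic or early remote-management installs. In a real deployment the install window and the category tags would be tuned to the organisation's own inventory and egress telemetry.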

Employers may not have to go down the traffic monitoring route at all if they tweak their onboarding process a bit. Imposing a requirement to verify a laptop’s serial number during onboarding is one way employers can catch a laptop farm user fairly quickly—those with physical access could find it in no time.

Implementing hardware-based MFA protocols that force employees to communicate with their company-issued device is also another mitigation measure recommended by Mandiant. ®