FBI warns of North Korean hackers using VPNs to infiltrate businesses

• October 20, 2023

VPN services, stolen identification documents and fake social media accounts: these are some of the methods North Korean hackers have been using to deceive US companies into hiring them as IT remote workers, the FBI warns.

Despite not being certain when such a campaign began, investigators believe thousands of IT freelancers from North Korea have been managing to get a job in US firms over the last 5 years, at least, by concealing their identities. Workers are believed to use this money to finance Kim Jong Un’s weapons, steal company secrets and plant malware.

Following the latest evidence, both US and South Korean authorities have updated their guidelines to help employers avoid hiring North Korean agents as freelance workers.    

FBI guidance on DPRK IT workers

“North Korea has flooded the global marketplace with ill-intentioned information technology workers,” said Jay Greenberg, FBI agent in charge of the St. Louis Division—The Register reported.

As the latest effort to clamp down on North Korean hackers’ activities, Greenberg’s division managed to seize around $1.5 million and 17 web domain names used in the deceptive campaign as part of the investigation. However, workers linked to the Democratic People’s Republic of Korea (SPRK) infiltrating companies is believed to still be ongoing.

“This scheme is so prevalent that companies must be vigilant to verify whom they’re hiring,” he said.

According to authorities, malicious North Korean IT workers have been using several techniques to deceive employers while concealing their real identity. Stolen or counterfeited identity documents were used for passing online identity checks with ease. Hackers are thought to have even paid US individuals to attend online interviews and video-conferences in their place.

On a more techy level, they use virtual private networks to spoof their IP address location and boost their anonymity. Alongside this, they might also create fake social media accounts and/or fake company websites to make them appear more legitimate.

“At a minimum, the FBI recommends that employers take additional proactive steps with remote IT workers to make it harder for bad actors to hide their identities,” went on saying Greenberg.

As part of the new recommendations, authorities suggest to watch out for any suspicious behaviors. These include repeated requests for prepayment accompanied by threats to release proprietary source code, continuing refusal to appear on camera or to take drug tests, use of ever-changing freight addresses instead of their home addresses, and more.

The FBI also recommends employers to do a background check online to assess if the same identity is associated with multiple different profiles, while keeping records of all interactions with potential employees.

At an online security level, employers should always require their freelancers to turn off their private VPN when accessing company networks. Firm owners are also urged to put in place a strict zero-trust cybersecurity approach, which refrains from granting access to sensitive proprietary information to remote workers whenever possible.

It’s also worth reminding that, despite the tech sector being the biggest target due to higher average salaries, it’s just one of the fields among which North Korean hackers operate—John Hultquist, the head of threat intelligence at the cybersecurity firm Mandiant, told the Associated Press.

Greenberg said: “Without due diligence, companies risk losing money or being compromised by insider threats they unknowingly invited inside their systems.”

Source

VPN services, stolen identification documents and fake social media accounts: these are some of the methods North Korean hackers have been using to deceive US companies into hiring them as IT remote workers, the FBI warns. Despite not being certain when such a campaign began, investigators believe thousands of IT…