What North Korea tells us about cyber vulnerabilities in the era of decentralized workforces

Do you know your co-workers? Obviously, you know your immediate team, your office mates, and maybe even the odd remote colleague you’ll “bump into” on a weekly Zoom call (that probably could have been an email). However, in an economy defined by widespread telework opportunities, third-party contractors, and major corporations with globally distributed workforces, is it possible for companies – even those with sophisticated HR departments – to actually know their employees?

Thanks to North Korea, we know that the answer to this question is a definitive “no.”

This spring, the United States Department of Justice (DoJ) unsealed charges against U.S. and foreign nationals for facilitating a complex scheme to place North Korean IT workers at U.S. firms in order to violate U.S. sanctions and raise funds for the Kim regime’s illegal and destabilizing activity. The DoJ alleges that over 300 U.S. companies, including “a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car manufacturer, a luxury retail store, and a U.S.-hallmark media and entertainment companies,” were deceived through a complex scheme, resulting in millions of dollars of salary payments to North Koreans, in violation of U.S. law.

The process had two primary steps. First, “[the] co-conspirators committed fraud and stole the identities of American citizens to enable individuals based overseas to pose as domestic, remote IT workers.” Specifically, a Ukrainian national serving as a conduit for the North Korean IT workers “is alleged to have managed as many as approximately 871 “proxy” identities, provided proxy accounts for three freelance U.S. IT hiring platforms, and provided proxy accounts for three different U.S.-based money service transmitters.” The availability of proxy identities should come as no surprise; with the increasing regularity of data breaches, there is no shortage of compromised identity information waiting to be exploited.

Once the North Korean workers were placed with their employers under compromised U.S. identities, it was critical for the conspirators to take steps to disguise illegitimate activity as expected behavior. After all, login attempts from Pyongyang, Northeast China, or other regions associated with illicit North Korean cyber activity would likely raise red flags. To disguise activity, the conspirators took steps to obfuscate the IT workers’ true location by routing traffic through so-called “laptop farms.” According to the DoJ, these farms hosted “multiple computers all connecting to the internet through the same network, wherein individuals at the laptop farm assist remote individuals with logging on to the computers. This practice makes it appear that the remote individual is physically located at the location of the laptop farm, as the IP address for the laptop will be that of the laptop farm.”

With fraudulent identities and effective location obfuscation, these cybercriminals were able to enter the internal systems of some of America’s largest and most important companies without raising any significant red flags. Without a substantial change in how companies monitor employee activity, this type of identity exploitation is bound to repeat itself. Just as many companies have an obligation to conduct KYC (or “know-your-customer”), perhaps it’s time companies think about how to improve KYE; know-your-employees

Thankfully, the U.S. Government’s Departments of Treasury, Justice, and State have issued guidance on this very issue. To counter North Korean IT workers who “deliberately obfuscate their identities, locations, and nationality” through the use of “virtual private networks (VPNs), virtual private servers (VPSs), or… third-country IP addresses to appear as though they are connecting to the internet from inconspicuous locations,” the Departments recommend “[regularly using] port checking capabilities to determine if the platform is being accessed remotely via desktop sharing software or a VPN or VPS.” Additionally, the Departments recommend a number of additional best practices, ranging from additional geolocation procedures to more advanced forms of biometric authentication.