Table of Contents
Intro
Do you know your co-workers? Obviously, you know your immediate team, your office mates, and maybe even the odd remote colleague you’ll “bump into” on a weekly Zoom call (that probably could have been an email). However, in an economy defined by widespread telework opportunities, third-party contractors, and major corporations with globally distributed workforces, is it possible for companies – even those with sophisticated HR departments – to actually know their employees?
Thanks to North Korea, we know that the answer to this question is a definitive “no.”
This spring, the United States Department of Justice (DoJ) unsealed charges against U.S. and foreign nationals for facilitating a complex scheme to place North Korean IT workers at U.S. firms in order to violate U.S. sanctions and raise funds for the Kim regime’s illegal and destabilizing activity. The DoJ alleges that over 300 U.S. companies, including “a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car manufacturer, a luxury retail store, and a U.S.-hallmark media and entertainment companies,” were deceived through a complex scheme, resulting in millions of dollars of salary payments to North Koreans, in violation of U.S. law.
How North Korea deceived hundreds of U.S. companies
The process had two primary steps. First, “[the] co-conspirators committed fraud and stole the identities of American citizens to enable individuals based overseas to pose as domestic, remote IT workers.” Specifically, a Ukrainian national serving as a conduit for the North Korean IT workers “is alleged to have managed as many as approximately 871 “proxy” identities, provided proxy accounts for three freelance U.S. IT hiring platforms, and provided proxy accounts for three different U.S.-based money service transmitters.” The availability of proxy identities should come as no surprise; with the increasing regularity of data breaches, there is no shortage of compromised identity information waiting to be exploited.
A Ukrainian national serving as a conduit for the North Korean IT workers “is alleged to have managed as many as approximately 871 “proxy” identities.
Once the North Korean workers were placed with their employers under compromised U.S. identities, it was critical for the conspirators to take steps to disguise illegitimate activity as expected behavior. After all, login attempts from Pyongyang, Northeast China, or other regions associated with illicit North Korean cyber activity would likely raise red flags. To disguise activity, the conspirators took steps to obfuscate the IT workers’ true location by routing traffic through so-called “laptop farms.” According to the DoJ, these farms hosted “multiple computers all connecting to the internet through the same network, wherein individuals at the laptop farm assist remote individuals with logging on to the computers. This practice makes it appear that the remote individual is physically located at the location of the laptop farm, as the IP address for the laptop will be that of the laptop farm.”
With fraudulent identities and effective location obfuscation, these cybercriminals were able to enter the internal systems of some of America’s largest and most important companies without raising any significant red flags. Without a substantial change in how companies monitor employee activity, this type of identity exploitation is bound to repeat itself. Just as many companies have an obligation to conduct KYC (or “know-your-customer”), perhaps it’s time companies think about how to improve KYE; know-your-employees
Safeguarding your business from telework fraud
Thankfully, the U.S. Government’s Departments of Treasury, Justice, and State have issued guidance on this very issue. To counter North Korean IT workers who “deliberately obfuscate their identities, locations, and nationality” through the use of “virtual private networks (VPNs), virtual private servers (VPSs), or… third-country IP addresses to appear as though they are connecting to the internet from inconspicuous locations,” the Departments recommend “[regularly using] port checking capabilities to determine if the platform is being accessed remotely via desktop sharing software or a VPN or VPS.” Additionally, the Departments recommend a number of additional best practices, ranging from additional geolocation procedures to more advanced forms of biometric authentication.
The U.S. Government’s Departments of Treasury, Justice, and State recommend “[regularly using] port checking capabilities to determine if the platform is being accessed remotely via desktop sharing software or a VPN or VPS.”
It is clear that companies, big and small, need to do a better job of internalizing this advice. It should never be the case that a company, let alone the massive Fortune 500 corporations described in this indictment, are unable to confirm exactly who is receiving a salary and accessing sensitive systems.
Conclusion
Needless to say, this issue is far bigger than just North Korea. While North Korea’s attempts to use telework for nefarious means may be the most salacious and headline-grabbing, the incentives that drive the Kim Regime to commit fraud exist for any overseas individual seeking to participate in the U.S. labor market for nefarious means; perhaps a foreign national wants to earn a U.S. salary or intellectual property thieves want to view internal communications.
Regardless of the motive, it is clear that companies remain vulnerable to telework exploitation. As trends towards decentralized workforces accelerate in the post-pandemic economy, it’s time for companies of all sizes to get serious about their KYE obligations.
Want to protect your company from fraudulent telework schemes? Speak with one of our experts to get started.
Meet the authors
Mike Dawson, Law Enforcement Liaison
Michael Dawson runs cyber and financial crime investigations for GeoComply, a geolocation data analytics and cybersecurity platform. Mike previously spent 23 years with the US Secret Service investigating money laundering, cyber-enabled fraud, and transnational and domestic organized criminal organizations.
Jake Hulina, Government Relations Associate
Jake Hulina is a Government Relations Associate at GeoComply, working on financial services and technology policy.