Multiple Fortune 100 companies have unknowingly hired North Korean IT workers who used fake identities to get remote IT jobs, according to a new report from Google’s Mandiant unit published on September 23rd, 2024. This scheme has been active since 2018 and is orchestrated by a group tracked as UNC5267. The North Korean government sends these individuals, primarily to China and Russia, to earn salaries and gain access to US tech firms for potential cyberattacks.
Mandiant’s report reveals that these remote workers often attain “elevated access to modify code and administer network systems,” raising concerns about potential backdoors being inserted into systems or software. Charles Carmakal, CTO of Mandiant, stated that he has spoken to “dozens of Fortune 100 organizations that have accidentally hired North Korean IT workers.”
The North Korean workers typically obtain employment as remote contractors using stolen or fake identities. They use US-based laptop farms to conceal their true locations in China or Russia, allowing them to log in remotely and carry out their work. One American citizen was found to have used 60 stolen identities to help North Koreans gain employment in over 300 US companies, earning at least $6.8 million between October 2020 and October 2023.
Workers exhibited suspicious behavior
The workers exhibited suspicious behavior such as refusing video calls and producing subpar work. Their resumes, often backed by fabricated profiles on platforms like Netlify, contained poor English and listed US addresses alongside credentials from non-North American universities.
Mandiant advises companies to implement more rigorous background checks, mandate on-camera interviews, demand notarized proof of identity, and ensure the worker’s location aligns with their stated address. They also recommend monitoring and potentially prohibiting remote administration tools, VPNs, and “mouse jiggling” software.
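Two of the controls above (checking that a worker's location matches their stated address, and spotting shared laptop-farm infrastructure) can be turned into simple telemetry checks. The following is an added illustration written for this page, not code from Mandiant's report; the login events, the IP-to-state lookup and the account names are constructed sample data, and a real deployment would feed it SSO or VPN logs and a proper geolocation source.

```python
from collections import defaultdict

# Constructed sample SSO login events (not real data): each record is one
# authentication, with the state the employee listed on their paperwork.
LOGIN_EVENTS = [
    {"user": "alice", "stated_state": "TX", "src_ip": "203.0.113.10"},
    {"user": "bob",   "stated_state": "NY", "src_ip": "203.0.113.10"},
    {"user": "carol", "stated_state": "FL", "src_ip": "203.0.113.10"},
    {"user": "dave",  "stated_state": "WA", "src_ip": "198.51.100.7"},
    {"user": "erin",  "stated_state": "NY", "src_ip": "198.51.100.22"},
]

# Constructed IP-to-state lookup standing in for a real geolocation service.
IP_GEO = {
    "203.0.113.10": "CA",
    "198.51.100.7": "WA",
    "198.51.100.22": "NJ",
}


def laptop_farm_candidates(events, min_users=3):
    """Return source IPs from which at least `min_users` distinct accounts,
    claiming home addresses in two or more different states, have logged in.
    Many unrelated 'remote' employees sharing one residential egress IP is
    the signature of a laptop farm hosting several workers' machines."""
    by_ip = defaultdict(lambda: {"users": set(), "states": set()})
    for e in events:
        by_ip[e["src_ip"]]["users"].add(e["user"])
        by_ip[e["src_ip"]]["states"].add(e["stated_state"])
    return sorted(
        ip for ip, d in by_ip.items()
        if len(d["users"]) >= min_users and len(d["states"]) >= 2
    )


def location_mismatches(events, geo):
    """Return accounts whose login IP geolocates to a state other than the
    one on their stated address; each hit is a prompt for identity
    re-verification, not proof of fraud (travel and VPNs also trigger it)."""
    flagged = {
        e["user"] for e in events
        if geo.get(e["src_ip"]) not in (None, e["stated_state"])
    }
    return sorted(flagged)


if __name__ == "__main__":
    print("shared-egress IPs:", laptop_farm_candidates(LOGIN_EVENTS))
    print("location mismatches:", location_mismatches(LOGIN_EVENTS, IP_GEO))
```

Both functions return lists for review rather than verdicts; the shared-egress check is the stronger signal because a single mismatch has benign explanations, while several unrelated hires authenticating from one residential address rarely does.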
The potential for large-scale attacks is a serious concern. Mandiant principal analyst Michael Barnhart warned, “These IT workers could easily receive instructions tomorrow to deploy ransomware and simultaneously disable major organizations all over the U.S. and Europe very quickly if they wanted to.” The workers, some earning up to $300,000 annually, generate substantial revenue for the North Korean regime and its weapons programs. US law enforcement agencies have been actively working to dismantle these operations since March 2024, including seizing $1.5 million and shutting down 17 website domains used by the North Korean government.