Dozens of Fortune 100 Companies Have Unwittingly Hired North Korean IT Workers

"Dozens of Fortune 100 organizations" have unknowingly hired North Korean IT workers using fake identities, generating revenue for the North Korean government while potentially compromising tech firms, according to Google's Mandiant unit. "In a report published Monday [...], researchers describe a common scheme orchestrated by the group it tracks as UNC5267, which has been active since 2018," reports The Record. "In most cases, the IT workers 'consist of individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia.'" From the report: The remote workers "often gain elevated access to modify code and administer network systems," Mandiant found, warning of the downstream effects of allowing malicious actors into a company's inner sanctum. [...] Using stolen identities or fictitious ones, the actors are generally hired as remote contractors. Mandiant has seen the workers hired in a variety of complex roles across several sectors. Some workers are employed at multiple companies, bringing in several salaries each month. The tactic is facilitated by someone based in the U.S. who runs a laptop farm where workers' laptops are sent. Remote technology is installed on the laptops, allowing the North Koreans to log in and conduct their work from China or Russia.

Workers typically asked for their work laptops to be sent to different addresses than those listed on their resumes, raising the suspicions of companies. Mandiant said it found evidence that the laptops at these farms are connected to a "keyboard video mouse" device or multiple remote management tools including LogMeIn, GoToMeeting, Chrome Remote Desktop, AnyDesk, TeamViewer and others. "Feedback from team members and managers who spoke with Mandiant during investigations consistently highlighted behavior patterns, such as reluctance to engage in video communication and below-average work quality exhibited by the DPRK IT worker remotely operating the laptops," Mandiant reported.

In several incident response engagements, Mandiant found the workers used the same resumes that had links to fabricated software engineer profiles hosted on Netlify, a platform often used for quickly creating and deploying websites. Many of the resumes and profiles included poor English and other clues indicating the actor was not based in the U.S. One characteristic repeatedly seen was the use of U.S-based addresses accompanied by education credentials from universities outside of North America, frequently in countries such as Singapore, Japan or Hong Kong. Companies, according to Mandiant, typically don't verify credentials from universities overseas. Further reading: How Not To Hire a North Korean IT Spy

Basic steps ignored

[quonset]

Companies don't want to hire U.S. workers because they cost too much.

Companies seek out contractors.

Companies don't use humans to verify resume or CV, instead relying on software to filter candidates.

Companies can't be bothered to do a simple face-to-face interview of the contractors they hire.

Companies find out they've been hiring North Koreans.

Perhaps instead of trying to be efficient, companies could try to be thorough.

contractors are easier to fire, don't have max hou

[Joe_Dragon]

contractors are easier to fire, don't have max hours rules, have no OT pay

Re:

[phantomfive]

I really wonder what fortune 500 company is not doing face-to-face interviews, even over zoom. Seems like this should be really easy to filter out.

Re:

[penguinoid]

They didn't discriminate against North Koreans, so I guess those policies worked.

Re:

[Anonymous Coward]

Bullshit.

Re:

[dargaud]

Not sure if that would help, they've been known to use other people for the interviews, including white americans. They pay them for the service.

Re:

[vbdasc]

Perhaps instead of trying to be efficient, companies could try to be thorough.

Try explaining that to a bean counter. Or to a shareholder.

Re:

[VeryFluffyBunny]

Hurray for outsourcing & corner cutting! It's already worked so well for Boeing, right?

Re:

[VeryFluffyBunny]

Bottom line: Does it affect their share price? Does it affect this quarter's profitability? Will any executives go to jail? No.

They still saved money though, right?

Nothing will change until either they get their arses very publicly pwned in something like a massive ransomware attack or the govt. steps in & forces them to implement sensible hiring policies.

The only reason the world hasn't gone to shit

[RightwingNutjob]

is that we didn't invent stupid. We're just more aware of our own more than the other other guy's.

For every one of these, there's the Russian Army supply depot that bought cheap shit Chinese truck tires that turn to dust, the Chinese nuclear submarine that sinks under construction, and the North Koreans can't even feed themselves.

Re:

[vbdasc]

the North Koreans can't even feed themselves.

They actually can, it's just that for them food is lower priority than weapons.

Only the food for comrade Kim is higher priority than weapons.

Re:

[registrations_suck]

You're a moron.

Bullshit they know what they're doing

[rsilvergun]

You're talking about getting a competent IT person for a fraction of the price. I'm sure they're more than happy to hire them. Sure it's a gamble it might be somebody who's trying to steal some company secrets but a lot of these companies don't really have any secrets worth stealing and it's easy enough to silo workers nowadays anyway.

The simplest background checks in the world would have set off dozens of red flags here and I'm sure that they were done and that they did and that the company ignored them anyway so they could have that sweet sweet sweet cheap labor.

Companies will do anything to anyone for another hit off the crack pipe that is cheap labor

This is only the ones that have been caught

[Required Snark]

And they admitted to finding.

It's only safe to assume it's a lot worse. The ones they haven't found are a much bigger problem.

I think I almost hired one

[linuxguy]

So, I had a short-term software dev job that needed to be done and a limited budget. I advertised it on upwork. It paid $60/hour. I initially limited it to US only. Nobody applied. I wasn't surprised. The requirements were tough. People with the matching skills make $200/hr in the US. I then removed the geography limit and I had about a 100 people apply. I interviewed 8 people. A surprisingly number of them were Asian-looking people pretending to be from somewhere else. A popular thing was to pre

Re:

[NoMoreACs]

So, I had a short-term software dev job that needed to be done and a limited budget. I advertised it on upwork. It paid $60/hour. I initially limited it to US only. Nobody applied. I wasn't surprised. The requirements were tough. People with the matching skills make $200/hr in the US. I then removed the geography limit and I had about a 100 people apply. I interviewed 8 people. A surprisingly number of them were Asian-looking people pretending to be from somewhere else. A popular thing was to pretend to be from Ukraine. They all hid their backgrounds when on camera. And some of them looked like they were looking up answers to questions I was asking them. Now that I think about it, these guys could have been North Korean. I initially thought they were Chinese. I cannot tell the difference.

In the end I hired a very capable guy from India. Yes, I know there are plenty of bad talent in India. But, if you take your time, and are careful, you can find some really good people from anywhere.

Speaking as a software developer, nobody that isn't doing brain or heart surgery is worth $200/hr. That's just driving businesses into the arms of offshore competition; and witness the result.

Hello what the fuck

[iHateAppleAndGoogle]

Test of apostrophe helloâ(TM)nt

Yeah, "unknowingly."

[Eunomion]

Companies hire problematic, potentially dangerous workers to save money - which is so rare and unintentional.

supply chain attack in outsourcing is normal now

[Big Hairy Gorilla]

The supply chain attack is now ... just business as usual.

Example 1. You want to take a flight to XYZ, and for some reason the entire country, and world, are down because of one teeny tiny error in vetting an update. Example 2. You want to buy a car. OOops. Come back next week, the "system" has been hacked. Example 3. I need a new kidney. Too bad for you the entire group of hospitals in your state/country has been hacked by ransomware. You'll have to wait until... you're dead hopefully, because we don't kno