From Fake Colleagues To Crypto Drains: How North Korea Exploits Remote Hiring - Ondra Rojčík

BSides Prague, 37:25, 253 views, published 2025-04

Transcript [en]

Right. For the last two years, Ju Chong Pyong was a top performer among the North Korean IT workers, generating tens of thousands of dollars for the regime through his work for US companies. He would use stolen identities and fake profiles to apply for jobs. Occasionally, he would outsource the interviews to US citizens. His biggest success was infiltrating a US nonprofit organization, where he earned over $158,000 in one and a half years. When his last employer terminated his contract, he decided to extort them. He threatened to leak proprietary data unless he was paid. And that's exactly what happened. Ju is part of a broader North Korean effort to generate money for the regime, and he's also part of the story that I want to share with you today.

But I won't be speaking exclusively about North Korean activities, but more broadly about employment scams. My name is Ondra. I work as a cyber threat intelligence analyst at Red Hat, where I'm part of the internal CTI team. Before that, I worked for NÚKIB, the Czech National Cyber Security Agency, where I co-founded and led the strategic CTI function for five years. Before that, I worked for NATO and for a few other Czech government organizations. So today we will start by discussing how North Koreans are using job interviews to deliver malware. We will also look at North Korean IT workers getting employment with Western companies, we will touch on interview cheating and identity spoofing, and lastly we will talk about recommendations and how to protect ourselves against these threats.

Let's start with North Koreans and their affection for the Western job market. Although their thinking is formed by the rigid command economy of North Korea, where everything is planned in advance by the central government, they definitely understand the basic dynamics of the job markets outside of their country. They understand that we want to get the best jobs possible and that it's very difficult to resist the temptation of attractive career opportunities. But they also abuse the other side of the equation. They don't offer just fake interviews and fake jobs, but also a fake workforce. Actually, the workforce is real, but their identities are faked. The problem is that there are EU and US regulations that prohibit the employment of North Koreans. So if their government wants them to work for Western companies, it needs to provide them with fake identities. I have to admit that I was kind of dragged, lured into the research of the topic through the North Korean aspect of it. But as you will see, it's a much broader topic around recruitment scams that goes beyond North Korea.

So we'll start by exploring the scams targeting our desire to seek better jobs. North Koreans are not the only ones aiming at job seekers, but they are definitely very visible and very active in the last couple of years. The earliest example of a North Korean operation was Operation Dream Job, which was first reported by the security vendor ClearSky in 2020. The attackers usually create a fake profile on LinkedIn, posing as recruiters of reputable companies. In the Dream Job operation, it was Boeing and Lockheed Martin. In other campaigns, they would pose as recruiters for Meta or Facebook. They would usually communicate via LinkedIn messaging or WhatsApp. Another campaign used advertisements on job search platforms where they posed as a prospective employer. This time the advertisements were anonymous and purposefully vague, so that there was no indication of the prospective employer. Very often these campaigns target software developers, who are contacted and asked to participate in a job interview. During these interviews, they are instructed to download and run software from sources like GitHub to participate in a coding challenge. Once the developer runs the software, very often they get infected. That is not the only way, however, that they distribute the malware. They also use Trojanized PDF viewers with a supposedly full job description, like in this case, or Trojanized VPN clients, or the malware could be delivered through the communication on WhatsApp.

In other cases, the attackers who got access to corporate endpoints collected intelligence regarding the company, its activity and its financial efforts. So there is a double motivation, because apart from that they also focus on the individual software developers, where most of this malware is to do with the infostealers that we heard about in the previous talk. So they would collect information such as cryptocurrency wallets, credentials and authentication cookies. This double motivation of espionage and money theft is kind of unique to the North Koreans, who are after both information and money.

By the way, I need to do a kind of shout-out to ESET. They are doing a great job in tracking North Korean activities. Recently they identified indicators that proved that the North Korean campaigns abusing fake interviews and the campaigns of North Korean IT workers overlap. It looks like North Koreans are real leaders in this area, because they are inspiring other cyber criminals to do similar-looking campaigns. In a recent one, the job seekers were asked to download a fake video call software called GrassCall, which is in fact an infostealer. The campaign was attributed to a Russian-speaking group.

What can we do about these threats? Here is a very short list of hopefully effective recommendations. Verify the legitimacy of the people that you communicate with. This is easier said than done, but even very basic verification can help a lot. You should be cautious about GitHub accounts with few repositories and very limited activity. And if you are working on a coding challenge, run it in an isolated environment. If you believe you've been a victim of malicious activity on a corporate device, you may feel uncomfortable doing that, but it's definitely better to report it to your information security team.

Now, North Koreans also abuse the other side of the equation: the desire of organizations to get the best possible talent, including North Korean talent. But before we get into that, let's take a small step back and look at the topic from a slightly historical perspective. The North Korean rigid economy sucks. It's inefficient, outdated, and it fails to meet the basic needs of its people. Now add to that the crippling effect of the international sanctions that were imposed on North Korea in 2006, and you get a really dire situation. North Koreans, in order to survive and in order to get some money into the economy, need to be very creative, and they definitely were in the last 20 years. They have shown great adaptability in finding alternative ways to make money. One of my very first assignments at the Czech Ministry of Interior, which I joined many years ago, was to analyze and kind of sort out the issue of North Korean sewing machine operators who were working for dozens of companies around the Czech Republic. North Koreans are not worried about sending their people to work abroad. It's not just sewing machine operators, it's also shipyard workers, construction site workers, and many other kinds of manual work. The idea of allowing IT workers to be employed by foreign companies is just a digital-age extension of the very same playbook, and that's what we will be talking about in the next chapter.

Similarly to the fake interviews by North Koreans, this issue became much more prominent in 2024. A great original source of information was provided by two US indictments, one from December last year and one from January this year. They include many interesting details. Some of them I would like to share with you through a couple of little stories. These stories are based on the information in the indictments, but I also use a couple of assumptions to keep the narrative of these stories coherent. So I have already introduced you to Ju Chong, who made $158,000 in one and a half years and extorted his last employer when his contract was terminated. Not all of the North Koreans were as successful as Ju. While others made tens or even hundreds of thousands of dollars, Chang Cho Mong's career was short-lived. He followed the very same playbook. He would use a stolen US identity and fake profiles to apply for a job. But very soon he made a critical mistake: he accessed his work laptop from inside China, setting off red flags. Just four days after hiring him, his employer terminated the contract. His entire employment as an IT worker for foreign companies lasted just a few weeks, netting him something around $2,000. Unlike the star performers who thrived for years in the operation, it seems that Chang's mistake cost him his place in the network.

Chongsung Ha oversaw the network of North Korean IT workers. He was tasked with generating $10,000 per worker per month. He was also quite a creative manager. He was organizing socialist competitions among his workers to encourage higher income or earnings. When a US company uncovered one such scheme and terminated an account, Chong ordered extortion. He ordered them to demand payment for proprietary data and to release it when the payment was refused. The whole network managed to earn around 88 million US dollars.

Between 2019 and 2024, the North Koreans registered a couple of domains and created websites that appeared to belong to legitimate US businesses. These businesses did not actually exist, but the North Koreans would claim in their CVs and applications that they had previously worked for these companies. Many of them are now seized by the FBI. In some cases, they simply stole not just the design but also the content of a whole web page of an existing business. But as you can see, for some reason, they didn't really share their stance on Ukraine.

Going through the data from the indictments provided a couple of very interesting insights. One of them is that the median monthly salary for the North Koreans was around $5,000, which is not bad. At the same time, they certainly had some operational costs. One of them was a payment of $1,000 per week to US citizens for impersonation. My understanding from what I found in the indictment is that one US person would impersonate multiple North Koreans. Although North Koreans are fairly successful at filling open positions, they are not doing that great afterwards: they kind of struggle to keep their jobs for a significant amount of time. On average, they would stay with one organization for approximately six months, and in some cases it was just a couple of weeks. Based on all these data, we can make an estimate of the approximate scale of the whole operation. We can take into account the total amount that they made, which is $88 million, and if my calculations that you can see here make sense, we could estimate that the operation involves something between 700 and 900 people. But the range could of course be broader; there are a couple of uncertain things. I've read assessments talking about thousands of North Koreans working for US, European and Asian companies. This could be realistic as well, because the indictment very likely doesn't cover the whole endeavor. Personally, I would consider this a successful operation. It's not as profitable as other North Korean cyber criminal activities, but still a success.

From this perspective, a surprising part of the operation were the extortions. As I see it, it was quite a redundant part of the operation, because it attracted a lot of attention. The impacted companies had to get in touch with law enforcement and start the conversation with them. I would assume they would start sharing the stories with industry peers, and in some cases they would even go and share the information publicly, putting the entire operation at risk for just a few thousand dollars. But who am I? I really don't know. I'm not running an $88 million scam operation, so I'm not sure this was really worth it.

Why should we actually care whether our co-workers come from North Korea? There are some financial and legal implications to that. As I already mentioned, employing North Koreans is a violation of UN sanctions and of EU and US regulations. So there could potentially be some legal consequences. In many past cases, it was also quite costly for the companies, mainly because of leaked proprietary data. The cost could be in the hundreds of thousands of dollars. There are also possible costly business disruptions, and the cost of rehiring and onboarding new employees needs to be taken into account as well. You don't want to waste the time of your talent acquisition people, HR, hiring managers, your colleagues, your own time. Hiring and onboarding, as many of you know, can be time intensive.

As you all know, COVID moved many job-related activities into the virtual space, and the hiring process is not an exception. It also opened opportunities not just for malicious actors but for all sorts of scams and cheating, including interview cheating. The following examples on the next three slides have nothing to do with North Korea. They are just the extension of the topic of the virtualization of the hiring process and also of the AI revolution in the last two years. Recently we had a candidate at Red Hat who performed exceptionally well in the virtual technical interview. But there was something fishy about his responses, because they were textbook precise, and the candidate did quite a long pause before providing each answer. Since there were some concerns, he was invited for a next round of interview in person. During the on-site interview, the candidate suddenly struggled with technical questions, even on topics he had done very well on before. This of course raises the suspicion that he might have used an AI speech-to-text tool to cheat during the virtual interview. Such experience is by no means unique to Red Hat. Some people are even trying to make a legitimate business on AI-facilitated cheating, such as the main character of this article.

Another curious case that we recently had was when we hired a contractor after a series of virtual interviews. But on the very first day, when he got to the office, his colleagues and his manager were a little bit surprised when they met a different person than the one they had been interviewing. That was reported back to the contracting agency, which after a bit of pressure confirmed that indeed it is not the same person.

We will slowly transition into the final "now what" part, in other words what to do about these threats. But before I do it fully, I'll show you a case that is loosely connected to some of these issues that we discussed until this point. Dawid Moczadło recently shared his story on LinkedIn. He shared a recording of a candidate likely using face modification software. It was the second similar case in a short period of time. So Dawid was prepared and recorded the interview to make sure that the candidate was not using face modification software. Dawid asked him to wave his hand in front of his face, which the candidate refused to do. He refused to follow the instructions; he was waving next to his face and then terminated the call. The waving could help to detect the use of face modification software, although it's not as straightforward as you might think. You wouldn't see the hand behind the face, but there would be some weird interactions between the hand and the face. In the comments below the post, a lot of folks made links to the North Korean activities, but there is nothing that would directly and clearly link it to North Koreans. At the same time, it's a plausible hypothesis that could explain the motivation for identity spoofing.

Regarding the "now what", or recommendations of what to do about all these threats, there is definitely no universal good advice that would cover all of them. But if we start with the North Korean IT workers, the recommendations usually have to do with the following. At least the final stage, or one stage, of the interviews should ideally be on site. This recommendation covers a lot of ground. If this is not possible, or for the online part of the interview, require all candidates to turn on their camera and record the interview. If during a video call you suspect the use of face modification software, similar to what Dawid did in the case that I showed you before, you can ask the candidate to wave their hand in front of their face. If there are some weird interactions, it's likely that there is face modification software. What I mean by weird interactions, to identify the face modification software: look for inconsistent eye blinking, poor lip synchronization; they pointed out also irregular shadowing, or in some cases artificial noise, because some folks might even use voice or sound modification. Require government-issued IDs to be verified by a third party. This sounds super bureaucratic and super annoying, but it's a very powerful thing to do. Check LinkedIn, GitHub and work history for inconsistencies. This sounds super obvious, but you would be surprised how little attention there is in the hiring practice to these issues. Absence of a digital footprint could also be considered a red flag.

Here is a nice and simple example of what to look for when performing the due diligence part, or background checks. One email is connected to more people, or names or personas if you like. They also used manipulated stock photos in the applicants' professional profiles. This can be easily reverse searched. Although the KnowBe4 case, which is in the bottom right corner, was very high profile, I'm quite sure that North Koreans will not be using stock pictures anymore, but there are a few other tools these days that can help you much better.

Prevention is one thing, but you might unknowingly already be employing North Koreans even now in your organization. This is a very deep topic. I don't dare to go into too many details here, but some of the areas of detection and threat hunting have to do with the use of multiple IPs within a short span of time and the use of unauthorized remote access tools. But both of these are very much organization-specific, and each organization has very different patterns around these issues. You can also try to detect laptop farms in the US and potentially Europe that are used by North Koreans for spoofing their physical presence in the region. And there are of course also publicly shared atomic indicators. If you keep your data for some reasonable time, they are still a great tool for a retrospective hunt. If you want more details on the detection and threat hunting part, please check the links or the reports by Mandiant and DTEX.

Concerning the interview cheating, the list could be quite long again, but one measure beats all the others: on-site interviews. But that is not always practical. So do the on-site interviews especially if you suspect something. And if an on-site interview is not possible at all, try to identify overly polished responses. Try to probe with follow-up questions. Again, require all candidates to turn on their camera and observe the candidate's eye movement, overall body language, or unusual delay before providing the answer, things that I mentioned before. Just be aware that these are the types of things that are addressed by, for example, the dude who decided to make a business on AI-facilitated interview cheating that I showed you a couple of slides ago. If suspicions arise, ask variations of the same technical questions across multiple rounds of interviews, or ask candidates to explain their reasoning rather than simply expecting the correct answer. The list, as I said, could go on. I would say that the important thing here is to create awareness and a security culture around these issues, so that your colleagues understand that if they see something risky, it's a good idea to consult resources or reach out to their colleagues responsible for the security of the information of the organization. And that concludes my presentation. Thank you very much for your attention.

[Applause] If there are any questions, I'm happy to take them now or once I'm off the stage. Anyone? Okay, sir. Do we get the mic, or...

Sorry, there's so much noise there. Okay, sorry. There is a mic somewhere here. Okay, thank you. I just wanted to ask you if you have any experience with hiring people where somebody local to the candidate can do the on-site interview. Sorry? So if you are not able to do an on-site interview, do you have any experience with doing the interview where the candidate is with somebody that you trust? Aha. So like outsourcing the interview to somebody. Correct. Who can do it on site, but in a different location? At Red Hat we don't do it this way. Yeah.

It's usually either a virtual interview or on site. Yeah. Good. No other alternative. Yeah. All right, perfect. Thank you very much. Enjoy your lunch.
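The talk names three concrete things a defender can look for: one account authenticating from several IP addresses within a short span of time, use of remote access tools that corporate IT has not sanctioned, and one e-mail address tied to several applicant personas during background checks. The script below is an added example written for this page, not code from the talk or from Red Hat, and it runs the three checks over constructed sample records. The log layouts, host names, user names, the list of remote access tool binaries and the approved-tool allowlist are all assumptions; as the speaker says, the thresholds and what counts as "authorized" are organization-specific and have to be tuned to your own environment.

```python
"""Three small hunting checks from the talk, run over constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN/SSO authentication events: (timestamp, user, source IP).
AUTH_EVENTS = [
    ("2025-03-03T08:02:11Z", "jsmith", "203.0.113.7"),
    ("2025-03-03T08:40:55Z", "jsmith", "198.51.100.23"),
    ("2025-03-03T09:05:09Z", "jsmith", "192.0.2.44"),
    ("2025-03-03T08:10:00Z", "akim", "203.0.113.9"),
    ("2025-03-03T17:30:00Z", "akim", "203.0.113.9"),
]

# Constructed endpoint process-start events: (timestamp, host, user, image path).
PROCESS_EVENTS = [
    ("2025-03-03T08:05:00Z", "LAPTOP-017", "jsmith", r"C:\Program Files\AnyDesk\AnyDesk.exe"),
    ("2025-03-03T08:06:00Z", "LAPTOP-022", "akim", r"C:\Program Files\TeamViewer\TeamViewer.exe"),
    ("2025-03-03T08:07:00Z", "LAPTOP-017", "jsmith", r"C:\Windows\System32\notepad.exe"),
]

# Constructed applicant records from a hiring pipeline: (display name, contact e-mail).
APPLICANTS = [
    ("Alex Carter", "alex.c.dev@example.com"),
    ("Sam Rivera", "sam.rivera@example.com"),
    ("Jordan Lee", "Alex.C.Dev@example.com"),  # same mailbox, different persona
]

# Binaries of well-known remote access products (hypothetical hunting list) and the
# subset this imaginary organization has approved; both are assumptions for the example.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
APPROVED_REMOTE_TOOLS = {"teamviewer.exe"}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def flag_multi_ip_logins(events, window=timedelta(hours=2), min_ips=3):
    """Return {user: sorted distinct IPs} for every user who authenticated from
    at least `min_ips` distinct source addresses inside some `window`-long span."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((parse_ts(ts), ip))
    flagged = {}
    for user, rows in by_user.items():
        rows.sort()  # chronological, so each row can start a sliding window
        for i, (start, _) in enumerate(rows):
            ips = {ip for t, ip in rows[i:] if t - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


def flag_unapproved_remote_tools(events, known=REMOTE_ACCESS_TOOLS,
                                 approved=APPROVED_REMOTE_TOOLS):
    """Return (host, user, binary) for process starts of known remote access
    tools that are not on the approved list."""
    hits = []
    for _, host, user, image in events:
        name = image.rsplit("\\", 1)[-1].lower()  # strip the directory part
        if name in known and name not in approved:
            hits.append((host, user, name))
    return hits


def flag_shared_emails(applicants):
    """Return {email: sorted names} for e-mail addresses used by more than one
    applicant name; addresses are normalized so case differences do not hide reuse."""
    names = defaultdict(set)
    for name, email in applicants:
        names[email.strip().lower()].add(name)
    return {email: sorted(ns) for email, ns in names.items() if len(ns) > 1}


if __name__ == "__main__":
    print("multiple IPs in a short window:", flag_multi_ip_logins(AUTH_EVENTS))
    print("unapproved remote access tools:", flag_unapproved_remote_tools(PROCESS_EVENTS))
    print("one e-mail, several personas:", flag_shared_emails(APPLICANTS))
```

On the constructed data the first check flags only jsmith (three distinct addresses inside two hours; akim reuses one address all day), the second flags the AnyDesk start on LAPTOP-017 while the approved TeamViewer start passes, and the third links the two personas sharing one mailbox. Each function returns its findings rather than printing them, so the same logic can be pointed at exported SIEM or ATS data.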