
You'll see on the screen here that this is targeting all remote job applications and basically every job board you can find. If you have an open remote role right now, it is very likely that you've had at least one North Korean apply to that role and try to get hired at your organization. They are targeting these roles globally now; before they were more specific to the US, but now they're moving into Europe and other nations that aren't as educated on this topic and its impact on organizations. They're also shifting to ransomware and extortion attempts when caught, so they're really trying to maximize that revenue. This is how it's going to affect your organization: they're also stealing intellectual property and any research and development your organization has done that could be useful to the North Korean regime in continuing its exploitation of the world. And then finally, even very recently, five individuals in the US aided DPRK IT workers in targeting 136 companies, generating more than $2.2 million in revenue. So it's not just the workers themselves; they're actively recruiting folks in the US to help them engage in this activity.

So one of the first steps in this process, as you look to defend yourself against these DPRK IT workers, is to partner with recruiting. It's really about building alliances. Security is a team sport, and we're going to bring them along the way, because every touch point the threat actor interfaces with is a touch point with recruiting. We're going to talk to recruiting and tell them that, in addition to mitigating risk and all the fun stuff we like to do as security engineers, we're actually going to make their lives easier. We're going to save them time so they don't need to review as many applications, and we're also going to save them the unpleasant experience of even having to interview one of these fraudulent candidates. So it's a win-win on both fronts. No one wants to be the one who hired the threat actor. We're going to establish joint accountability and own the risk, without the controls we put in causing friction, because we still want a good candidate experience. We also want to make sure our recruiters are aware of the different red flags they might see from candidates during the interview process: a candidate refusing to go on camera; significantly delayed responses, meaning they're using some sort of translation software to help them answer the interview questions; a call-center-type environment where there are other interviews going on in the background. And then finally, and this is a big one, an absolute aversion to any on-site request. Even if you don't plan on flying them out for an on-site, just floating the question will often provoke a very strong response from the candidate saying they are absolutely not able to comply. And it's important that recruiting signs off on everything we're doing here, because ultimately they're the ones responsible for interviewing candidates, and we want a smooth candidate experience for legitimate folks.

So if we take a threat-modeling type approach here and look at the hiring life cycle, we first start out in the application phase. This is the initial application, when a candidate submits a resume to your applicant tracking system. The techniques we find here: they're creating deceptive profiles. And what I mean by deceptive is, sometimes they're fake: they don't own the profile itself, but they're referencing someone's legitimate LinkedIn. Sometimes they're stolen; this is less likely, because they're trying to create an entire synthetic profile, but it still happens. Sometimes they're purchased; I mentioned before that there are willing participants who are looking to sell their identities.
And then lastly, and most commonly, they're completely synthetic and fabricated by the threat actor themselves. This goes for social profiles and for the resumes themselves. They're often using the same email address over and over again, but they're purpose-building these profiles for this attack. They're using VoIP phone numbers to avoid the risk of buying a bunch of different landlines or mobile phones. And then finally, they're using some sort of residential proxying, VPNing and tunneling so that they at least appear to be living in the United States, or appear to match the profile they're creating. It's very common for these profiles to be out of Texas, for example. So you'll see them trying to tunnel t.

Next, we move on to the interview stage. At your company, you've now selected a handful of candidates to move through peer interviews and technical interviews. The techniques they'll use here are different types of deepfake filters: they'll often try to look more like the individual whose identity they're trying to steal, or they're essentially just masking their identity so they aren't fingerprinted in future operations. The same goes for voice changers. You'll see I also have candidate swapping here. One of the techniques they really like to employ, for technical interviews specifically, is to have someone else who's more specialized in that specific role take the technical interview for them. I'll be talking about different ways we can mitigate that risk. And then finally, tool-assisted knowledge deception. That's a bit of a mouthful, but what it really means is that when you do something like a CoderPad or HackerRank session, when you're in that shared IDE for a coding interview, they'll use techniques like an LLM; they often have specialized software that sits on top of their screen and gives them the best answer in real time, so they can almost read from a script. There are a few different SaaS products offering that as a service.

And then once you're ready to make an offer, what they're going to do is send over fake government documents. As part of that whole profile they created, they're modifying their government ID, either in Photoshop or with AI; they're stealing Social Security numbers to use in this process; and they're just continuing to fabricate and build on the narrative that they are someone else. And then lastly, which is out of scope for this talk because we're talking about everything we can do before they get hired, there are some techniques they use after they get hired: they install VPNs so, again, they can mask where they're hiding; they use remote monitoring and management software so they can RDP into that machine, often in laptop farms hosted by US individuals who are being paid by these threat actors to host the farms; they have mouse jigglers to stay active during work hours; and they're potentially using sanctioned bank accounts, as I mentioned before, to get funds back to the North Korean regime.

So what does this mean for us? Before onboarding, the DPRK IT worker problem is a kill chain problem.
If at any point before they get hired we're able to detect and root them out, we win as defenders. That's our advantage here. So we're going to talk about a lot of different ways we can make sure that doesn't happen.

To start off, we're going to talk about preventative controls, and this is an active response: we're actively going to be interfacing with the threat actor in some way. Now, you see there are a lot of Minions on the screen. This was one of the more interesting things that came up throughout this research (not original to me): there is an interesting subculture within the DPRK community, I guess you could say, in that they see themselves as Minions. They also see their fearless leader Kim Jong Un as Gru, so they identify and empathize with the plight of the Minions and really like to embrace them as part of their culture.

So you see here I'm talking about visual continuity, and the question we need to answer is: is it the same person in each interview, and are they also the same person on their government documentation? You'll have an individual who maybe starts out the recruiting process: they talk to the hiring manager, they talk to the recruiter. Next, they go through peer interviews, maybe a culture-fit conversation about what your day-to-day looks like. And then they'll swap in a different individual to do the technical interviews for them. And then finally, let's say you decide to move forward with an offer; they will have yet another individual who's actually on the government ID. So this is the official paperwork they're submitting. It's going through the background check; it's going through I-9 verification to see if they are eligible to work in said country.

We're going to solve this by using identity verification solutions. If any of you have traveled abroad or opened a bank account recently, you'll have gone through this process. It entails scanning a picture of your government identification and taking a selfie, and then the identity verification solution (there are many of them out there) runs a number of different checks on the information you provide to ensure that it is legitimate. It's going to check, for instance, whether there's any pixelation or distortion on your ID, or whether you're using a virtual camera when taking your selfie. All of these combine into an overall fraud score that we can then use to decide whether or not we want to move this candidate forward.
For us, we're also going to use this information to make a better decision on whether this candidate is legitimate or fraudulent. So we go back to our original question: is this the same person we've seen in each interview? With this identity verification system, once we have our initial batch of applicants we want to move forward with, call it five to ten people going through the interview process, we ask them to take a selfie and capture their government ID. This establishes a visual baseline for that individual. We can then have an SOP for interviewers to actually check that the person they're talking to in Zoom or Google Meet is the person who took that selfie. That immediately cuts out the candidate-swapping component, and we've established a visual identity for the candidate going through the process. And then lastly, after you go through all of your interviews and want to extend an offer to the individual, we verify this new information against the baseline and against those government documents, to make sure that throughout that entire process everything matches, the names match and there hasn't been any deception involved.

So what does this look like? If the government ID doesn't match the name on the resume, we ban them. If a different person showed up in an interview than took the selfie, we ban them. Government ID found to be digitally altered, you get the idea. Virtual camera and visual filter used, we ban them. It's important here to also have a human in the loop once you're already at the interview stage. Also, sometimes name changes are valid. A lot of these identity verification vendors will take that into account, but it's up to you, how you want to run your organization and the risk threshold that
you're comfortable with, to make these kinds of decisions on what is okay and what is not okay.

So now we're going to move on to composite detections. You can think of this as the top of the funnel: when you open up a remote role, you're going to have a flood of applications come in, and it's important to be able to determine whether those applications are legitimate. It's going to save time for your reviewers or recruiters and also mitigate risk. The first thing you're going to do is collect telemetry from everything they touch: your applicant tracking system, any Zoom logs that are coming in, etc. Then we're going to enrich that information with different types of threat intelligence collections. Next, we're going to detect whether they meet certain thresholds for the TTPs we were talking about before, and identify whether this candidate has a high-risk profile. And then lastly, we want to respond: tagging or labeling that candidate in your applicant tracking system, and notifying the hiring manager and/or recruiter to ensure they're aware this is occurring for someone who might be getting interviewed.

More detail on the collect phase. As I mentioned before, you're going to have your applicant tracking system logs, where they submit the application. From here you can pull in IP addresses, the resume, the social media information they provide (such as LinkedIn), email addresses, phone numbers, etc. From video conferencing, you're potentially going to get an email as well as an IP address. Then the collaborative coding environments: what's interesting here is that some of them are actually rolling out their own deception heuristics, and we'll talk a little bit about that later, so you can plug in and pull the information they're giving you. And then electronic signature logs, such as DocuSign; they do some of their own browser fingerprinting that you can take advantage of. It's really up to you how much you want to collect. The more information you have, the better decisions you can make when creating this composite detection, but it also introduces a lot more complexity into the system. So it really depends on what level of effort you want to expend getting this up and running.

For enrichment, you're now going to have IP intelligence feeds coming in. Hopefully you're already using these; for instance, your EDR vendor might have something available for you. You're going to get geolocation information, VPN information, whether or not that traffic is tunneled, etc. For social media profiling, a lot of the time these profiles will have barren accounts, because it takes a non-trivial amount of effort for them to stand up a profile. You'll see that there isn't much account activity and they don't have a lot of connections. For GitHub, you'll see forged commit dates, so it looks like the account has been aged for a while and has a record of software development when it really doesn't. Many CTI vendors are also offering feeds specific to DPRK IT workers, where they give you the full personas. And it's kind of funny: these DPRK workers are people too, and they happen to infect themselves with infostealer malware, so we get a lot of dumps of those IDs directly from the infostealer logs. Also, if you're part of the defense industrial base, you'll have access to different types of government feeds, such as ones provided by the NSA. And then lastly, there's some research showing a strong correlation for true-negative candidates, meaning a legitimate person, if you can determine whether their email address is tied to external services, such as having been part of different breaches. We'll talk about that in the coming slides too. I'll move through these a bit quickly, as I see we're running low on time.

Here's a list of the composite detections I mentioned. The technical implementation will vary depending on what your stack is for building detections. But for the IP address, you can see Astrill VPN is a very popular VPN service. They're coming through residential proxies; compromised routers are an example. High-risk countries: if at any point during the interview process their VPN drops and you see they're actually located in Russia, you'd want to flag that and increase your score accordingly. For email addresses, if this is the first time your fraud vendor has seen this email address, that's a good indication it's fresh and hasn't been used for other services like setting up social media accounts, or just what a normal person would do. And then you could have suspicious patterns like firstname.name.dev@gmail.com, DPRK threat feeds, etc.

Moving on to phone numbers. I mentioned before that VoIP phone numbers are extremely common and have high fraud and spam scores associated with them. Phone numbers are a bit different than emails: as you all know, they can be rotated, so they're not as persistent as emails. Onvoy, Level 3 and Telnyx are a few providers particularly used and favored by DPRK IT workers. I already talked about the social media fingerprinting for GitHub and LinkedIn. And then you can do resume analysis. We found that there are a few different tools they like to use for generating their resumes; Enhancv is one of those. So you can start building your own fingerprinting on what they like to use.

Next, moving on to anomaly detection. This is where it starts to get a little more interesting. For instance, if you have data on all candidates that have applied to your ATS, you can see whether there are sufficiently different names with the same email address. That's weird; there shouldn't be multiple people using the same email address, even in very off-case scenarios. I found it's highly unlikely. And the same thing for phone numbers: if you have one phone number shared between three different candidates, that's interesting. I actually found this was a good use case for LLMs, to be able to semantically work out what similar names are. For instance, it can handle Bob, Robert and Bobby very easily, and at other times there are cultural norms it'll be able to pick up to determine whether these names are sufficiently similar. Again, you can tune this to your own risk tolerance.

And moving on to humans, this is where you go back to your recruiters. Your recruiter should be able to label in the platform whether they talked to someone and found them to be fraudulent. What you can then do is pick up those labels from the platform via its API and back-propagate that data for the email address associated with that candidate, the phone number, all the details, and see whether there are any other candidates that share the same information.

So this is what a composite detector looks like. You'll have, let's say, plus one for a known suspicious email address, plus five if the same email is used on more than one profile with sufficiently different names. And then you'll see I have a minus five here: if that email was found in, say, the Drizly, AT&T and Adobe breaches, we want to keep that as a true-negative indication that this email address is tied to a legitimate person. As I said before, they don't often use compromised email addresses, because they'd have to create a whole profile, and creating a whole profile around one compromised account is very difficult; they would need to also compromise the LinkedIn and the GitHub. So it's a very good true-negative indicator.
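As an added illustration (my code, not from the talk or any vendor), here is a minimal composite detector in Python that applies the scoring just described, plus the shared-identifier anomaly check and the back-propagation of recruiter labels, to a constructed applicant pool. The talk's +1 suspicious-pattern, +5 shared-email and -5 breach-history weights are kept; every other weight, the auto-reject threshold, the nickname table (standing in for the LLM name-similarity step), the vendor scores and the candidates themselves are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

AUTOREJECT_THRESHOLD = 15  # constructed; tune to your own risk tolerance
# The "firstname.lastname.dev@..." local-part pattern the talk calls out (it cites gmail.com).
SUSPICIOUS_EMAIL_RE = re.compile(r"^[a-z]+\.[a-z]+\.dev@")
# Tiny nickname table standing in for the LLM name-similarity step described in the talk.
NICKNAMES = {"bob": "robert", "bobby": "robert", "rob": "robert", "bill": "william"}


@dataclass
class Candidate:
    name: str
    email: str
    phone: str
    email_fraud_score: int       # 0-100, from a hypothetical email-risk vendor
    email_first_seen: bool       # vendor has never seen this address before
    breach_count: int            # breaches the address appears in
    phone_is_voip: bool
    phone_fraud_score: int       # 0-100, from a hypothetical phone-risk vendor
    ip_datacenter_or_tunneled: bool
    linkedin_connections: int
    linkedin_has_photo: bool


def canonical_name(name: str) -> str:
    """Normalize case, punctuation and common nicknames so Bobby Lee == Robert Lee."""
    parts = name.lower().replace(".", " ").split()
    return " ".join(NICKNAMES.get(p, p) for p in parts)


def shared_identifiers(pool):
    """Map each email and phone to the set of canonical names using it."""
    by_email, by_phone = defaultdict(set), defaultdict(set)
    for c in pool:
        by_email[c.email.lower()].add(canonical_name(c.name))
        by_phone[c.phone].add(canonical_name(c.name))
    return by_email, by_phone


def score_candidate(c, pool, flagged_emails=frozenset(), flagged_phones=frozenset()):
    """Return (total, reasons); flagged_* are identifiers back-propagated from recruiter labels."""
    by_email, by_phone = shared_identifiers(pool)
    reasons = []
    if c.breach_count > 0:
        reasons.append((-5, "email has breach history (true-negative signal)"))
    if SUSPICIOUS_EMAIL_RE.match(c.email.lower()):
        reasons.append((1, "email matches known suspicious pattern"))
    if c.email_first_seen:
        reasons.append((1, "email never seen by fraud vendor"))
    if c.email_fraud_score >= 80:
        reasons.append((2, "email fraud score >= 80"))
    if len(by_email[c.email.lower()]) > 1:   # same email, sufficiently different names
        reasons.append((5, "email shared by candidates with different names"))
    if c.phone_is_voip and c.phone_fraud_score >= 80:
        reasons.append((3, "high-risk VoIP number"))
    if len(by_phone[c.phone]) > 1:
        reasons.append((3, "phone shared by candidates with different names"))
    if c.ip_datacenter_or_tunneled:
        reasons.append((4, "data-center origin or tunneled traffic"))
    if not c.linkedin_has_photo and c.linkedin_connections < 50:
        reasons.append((1, "barren LinkedIn profile"))
    if c.email.lower() in flagged_emails or c.phone in flagged_phones:
        reasons.append((5, "identifier tied to a recruiter-labeled fraudulent candidate"))
    return sum(p for p, _ in reasons), reasons


def decide(total: int) -> str:
    return "autoreject" if total >= AUTOREJECT_THRESHOLD else ("review" if total > 0 else "clear")


# Constructed applicant pool; none of these are real people or data from the talk.
POOL = [
    Candidate("Casey Tran", "casey.tran.dev@example.com", "+1-555-0100",
              80, True, 0, True, 85, True, 3, False),
    Candidate("Robert Lee", "rob.lee@example.com", "+1-555-0100",
              40, False, 0, True, 85, False, 120, True),
    Candidate("Bobby Lee", "rob.lee@example.com", "+1-555-0177",
              40, False, 0, False, 10, False, 120, True),
    Candidate("Alice Nguyen", "alice.n@example.com", "+1-555-0133",
              10, False, 3, False, 5, False, 400, True),
]

if __name__ == "__main__":
    for cand in POOL:
        total, reasons = score_candidate(cand, POOL)
        print(f"{cand.name}: {total:+d} -> {decide(total)}", [why for _, why in reasons])
```

Note that "Robert Lee" and "Bobby Lee" sharing an email is not flagged, because the nickname step canonicalizes both to the same name, while the phone shared between Casey Tran and Robert Lee is.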
Now we're going to meet Bryant. This was an actual DPRK candidate that applied. You'll see here, this is his resume; it's very wordy, very obviously LLM-generated. Not all applications are going to look like this, but this one just happens to be a particularly bad one. And this is his LinkedIn profile, which you'll see has little to no activity on it.

So let's work through what a composite detection would look like for Bryant. We take a look at his email, which is Bryant Dang1018@outlook.com. First, we check whether it's in any breaches to establish that it has a history, which it is not. The email pattern checks out as a known DPRK email pattern. The fraud score that came back from our fraud vendor rated it 80 out of 100. It was the first time our fraud vendor saw this email address, which shows that it doesn't have a lot of history. And we checked it against our collection and there were no anomalies associated with it. So for this we'll give it a plus five. For the phone number, which I've redacted here just in case it has rotated, we did a similar fraud check and it came back 85 out of 100 from the provider. It was indeed a VoIP number associated with one of the common providers the DPRK workers like to use, Onvoy. And this one in particular came back with four other suspicious candidates tied to that phone number. And then the IP address: the additional IP enrichment that came in showed a data center origin with tunneled traffic, and the original client information came from Indonesia, the Philippines and Malaysia. We'll give that plus 4. I already showed you the LinkedIn: no profile picture, low activity, low connections. We'll just give this a plus one. So for us, we're now at plus 16, well above the auto-reject limit. So, as you can see here, now how do we respond?
We're going to hit our applicant tracking system API to see if the candidate has been hired. What's important here is to actually work with your incident response team or your insider threat team to determine whether they have a playbook for this. If it's found that a DPRK IT worker has already been hired, you need to understand how to root them out and what that process looks like. Next, we can label that candidate in the applicant tracking system for future reference. And then hopefully there's a way in your ATS to add, in plain language, why you decided to label this candidate. This will give any recruiters looking at the profile insight into why they maybe shouldn't talk to the person, depending on where in the funnel you labeled them. And then finally, you can also notify the assigned recruiter and/or hiring manager, just to keep them in the loop. If you're doing this for top-of-funnel detections, I don't recommend it, just because it's going to get very noisy. It is very easy to automatically submit job applications nowadays; there are platforms doing this for you that are fully agentic solutions, so the influx of candidates is pretty insane. And finally, have an SOP for the risk owner to make the human-in-the-loop final decision if the candidate is later in the process. Put this on the hiring manager or recruiter if they have already talked to them; then you've done your part as a security engineer by at least informing them of the risk. And store that telemetry for future detections, with the back-propagation I mentioned.

So, in closing, the full suite of mitigation controls looks something like this. For your top of funnel, you're going to have that composite detection suite I mentioned. You're going to be able to label the candidate and notify the recruiter and hiring manager, and potentially auto-reject them. This is going to save recruiters time as well as mitigate risk. Then, when you move over to the interview stage, we implement the identity verification: we get the selfie, we check their government ID to establish that baseline for future interviewers to look at, to make sure that who they're talking to is the same person that's on the government ID. You can then include more telemetry in your composite detections here, where you have deceptive technical interview detections. One interesting example I didn't mention is that the coding platforms are now building their own detections around this, looking at things like keystrokes. It turns out the heuristics around someone who is reading off a script and typing from that script are very different from someone who's trying to write code off the top of their head. They're able to identify that and provide it to you as a fraud detection you can include in this. This is going to cover more than just DPRK workers; it's going to cover people who are trying to cheat your interviews in an LLM world. And then, as we move over to the offer stage, we can do our final checks. Does the background check name and Social Security number match the government ID, and also match that initial baseline you took, to prevent all that candidate swapping? And finally, any e-signature telemetry you want to include.

Coming to a close here, as we're at time. I know this was a lot, and if you don't want to implement a lot of these detections yourself and just want to go and buy something, I encourage you to do your own due diligence on the vendors on the left. There are a few specialized vendors, Hire Tofu and Endorsed, that are building SaaS products to solve just for this use case. A lot of the applicant tracking systems are also releasing features within their products themselves; Greenhouse, Ashby and Lever are some of the more popular ones, where you can simply have this as an add-on. And then on the identity verification side, I found it's really a commodity space where a lot of them provide the same solution, so I encourage you to just see which one plugs into your applicant tracking system most smoothly. So we're over time here. Here's a link to the deck, and please scan the track 3 QR code for any feedback, and enjoy the rest of your con. Thank you.