What North Korea’s infiltration into American IT says about hiring

American companies have unwittingly hired hundreds — maybe thousands — of North Korean workers for remote IT positions, according to the US Department of Justice, the FBI, the US State Department, and cybersecurity companies.

The sophisticated scheme, perpetrated by the North Korean government for years, partly funds that country’s weapons program in violation of US sanctions. 

Agents working for the North Korean government use stolen identities of US citizens, create convincing resumes with generative AI (genAI) tools, and make AI-generated photos for their online profiles.

Using VPNs and proxy servers to mask their actual locations — and maintaining laptop farms run by US-based intermediaries to create the illusion of domestic IP addresses — the perpetrators use either Western-based employees for online video interviews or, less successfully, real-time deepfake videoconferencing tools. And they even offer up mailing addresses for receiving paychecks. 

These North Korean government agents have landed positions at more than 300 US companies, including Fortune 500 corporations, major tech firms, cybersecurity consultant companies, and aerospace manufacturers. 

US officials estimate that the scheme generates hundreds of millions of dollars annually for North Korea, directly funding its nuclear and ballistic missile programs, as well as espionage. 

In addition to collecting the salaries, the North Korean government tasks these fake employees with stealing intellectual property (IP) and sensitive information and deploying malware in corporate networks that provides backdoors for future cyberattacks. 

Mandiant (Google Cloud’s cybersecurity division) discovered a list of email addresses created as part of a big North Korean operation targeting US companies in June 2022. Some 80 or so of these addresses were used to apply for jobs at critical infrastructure organizations in the US. At the time, Mandiant said the operation was a way to raise money for espionage and IP theft; Mandiant analyst Michael Barnhart said North Korean IT workers were “everywhere.” 

The number of North Korean agents seeking IT work in the US has increased in the past two years. 

In May, an Arizona woman named Christina Chapman was arrested and accused of conspiring with North Korean “IT workers” Jiho Han, Chunji Jin, Haoran Xu, and others (all allegedly working for the North Korean Munitions Industry Department) to illegally land remote jobs with US companies. This one band of criminals allegedly used an online background check system to steal the identities of more than 60 people to generate nearly $7 million for the North Korean government at more than 300 US companies, including a car maker, a TV network, and a defense contractor. 

Among her assigned tasks, Chapman maintained a PC farm of computers used to simulate a US location for all the “workers.” She also helped launder money paid as salaries (companies sent the paychecks to her home address).

The group even tried to get contractor positions at US Immigration and Customs Enforcement and the Federal Protective Services. (They failed because of those agencies’ fingerprinting requirements.) They did manage to land a job at the General Services Administration, but the “employee” was fired after the first meeting.

A Clearwater, FL IT security company called KnowBe4 hired a man named “Kyle” in July. But it turns out that the picture he posted on his LinkedIn account was a stock photo altered with AI. The company sent a work laptop to the address “Kyle” supplied, which was, in fact, a US-based collaborator. The “employee” tried to deploy malware on the company’s networks on his first day but was caught and fired. 

“He was being open about strengths and weaknesses, and things he still needed to learn, career path ideas,” Stu Sjouwerman, founder and CEO of KnowBe4, told The Wall Street Journal. “This guy was a professional interviewee who had probably done this a hundred times.”

What the hiring of North Korean agents says about US hiring

Statistically, it’s unlikely you or your company will hire North Korean agents. But knowing this can happen should raise questions about your corporate hiring practices and systems. Are they so inadequate that you could hire and employ someone who’s not who they say they are, does not have the experience they claim, does not live where they say they live, or who is illegal to hire?

The truth is that the world has changed, and hiring practices aren’t keeping up. Here’s what has changed, specifically, and what you should do to keep up: 

Remote work. Since the pandemic, remote work has been normalized. Along with this change, companies have also embraced remote interviews, hiring, and onboarding. A straightforward solution is to allow remote work, but build at least one in-person meeting into the hiring or onboarding process. Fly the would-be hire to your location and put them up in a hotel to sign the employment contract (this provides the added assurance of having their legal signature on file), or have them meet with a local representative where they are. Also: Protect access to work laptops or applications with biometrics and have them register those biometrics in person. That way, you’ll see that the applicant is who they say they are and that the ongoing work is really performed by the person you hired. You might also deploy a mobile device management solution to identify the location of provided laptops, tablets, or phones. 

Generative AI chatbots. One metric for gauging the communication skills of a prospective employee is to look at their resume and cover letter. But anyone can create such documents with flawless English using ChatGPT or some other chatbot. Clarity of communication in any written document tells you exactly nothing about the employee’s ability to communicate. Make a writing test part of the evaluation process, where the applicant can’t use AI help. 

Generative AI image tools. Thanks to widely available tools, anyone can create a profile picture that looks real. Never assume a photo shows what a person looks like. Physical characteristics shouldn’t play a part in the hiring anyway; headshots’ only role in hiring is to bias the hiring manager. 

Some things haven’t changed. It’s always been a good idea to check references to ensure prospective employees have worked where they say they’ve worked and have gotten the education and certifications they say they’ve gotten. 

Yes, malicious North Korean agents are out there trying to get a job at your company so they can funnel money to a despotic regime and hack your organization. 

But the broader crisis is that, thanks to recent developments in technology, you might only truly know who you’re hiring if you modify your hiring approach. 

Make sure you really know who you’re hiring and employing, and take the necessary steps now to be absolutely sure.