
North Korean ‘IT Workers’ Infiltrating US Organizations and Extorting Employers, FBI Warns

Filip TRUȚĂ

January 27, 2025


North Korea continues to put fake ‘IT workers’ inside US organizations for the purpose of data exfiltration and extortion, warns the FBI.

A public service announcement issued Jan. 23 aims to raise awareness of North Korea’s “increasingly malicious activity.” The FBI noted that the trend has not only continued but escalated to exfiltration of proprietary data (such as source code) and extortion.

“The Federal Bureau of Investigation (FBI) is providing an update to previously shared guidance regarding Democratic People's Republic of Korea (North Korea) Information Technology (IT) workers to raise public awareness of their increasingly malicious activity, which has recently included data extortion,” according to the PSA.

“FBI is warning the public, private sector, and international community about North Korean IT workers' continued victimization of US-based businesses,” reads the memo. “In recent months, in addition to data extortion, FBI has observed North Korean IT workers leveraging unlawful access to company networks to exfiltrate proprietary and sensitive data, facilitate cyber-criminal activities, and conduct revenue-generating activity on behalf of the regime.”

Waiting to be discovered

Once discovered on company networks, the operatives turn to extortion, holding the proprietary data and code they have already stolen hostage unless the victim company pays. In some instances, the “workers” have publicly released victim companies' proprietary code, says the bureau.

“North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts,” according to the notice. “While not uncommon among software developers, this activity represents a large-scale risk of theft of company code.”

The fake employees are also believed to harvest company credentials and session cookies so they can start work sessions from devices the company does not manage, extending their access beyond the sanctioned session and widening the window for further compromise.

Steps to mitigate the ‘IT worker’ threat

The PSA includes a list of mitigation actions, such as:

· Practice the Principle of Least Privilege on your networks, to include disabling local administrator accounts and limiting privileges for installing remote desktop applications.

· Monitor and investigate unusual network traffic, to include remote connections to devices or the installation/presence of prohibited remote desktop protocols or software. North Korean IT workers often have multiple logins into one account in a short period of time from various IP addresses, often associated with different countries.

· Monitor network logs and browser session activity to identify data exfiltration through easily accessible means such as shared drives, cloud accounts, and private code repositories.

· Monitor endpoints for the use of software that allows for multiple concurrent audio/video calls.
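The login pattern the PSA singles out (several logins to one account within a short window, from several IP addresses in different countries) can be turned into a simple detection over authentication logs. The script below is an added example, not code from the FBI or from Bitdefender; the log format, the sample lines and the IP-to-country table are constructed for illustration, and a real deployment would read the identity provider's sign-in log and resolve countries with a GeoIP database.

```python
"""Flag accounts with bursts of successful logins from several IPs and countries.

Added example: log format, sample lines and the IP->country table are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lookup standing in for a GeoIP database (assumption, not real data).
IP_COUNTRY = {
    "203.0.113.10": "US",
    "198.51.100.7": "US",
    "192.0.2.44": "CN",
    "192.0.2.99": "RU",
}

# Constructed sample log, one event per line: "<ISO timestamp> <user> <src_ip> <result>"
SAMPLE_LOG = """\
2025-01-20T09:00:00Z jdoe 203.0.113.10 success
2025-01-20T09:12:00Z jdoe 192.0.2.44 success
2025-01-20T09:40:00Z jdoe 192.0.2.99 success
2025-01-20T09:05:00Z asmith 198.51.100.7 success
2025-01-20T17:30:00Z asmith 198.51.100.7 success
2025-01-20T10:02:00Z jdoe 203.0.113.10 failure
"""


def parse_log(text):
    """Group successful logins by user as sorted (time, ip, country) tuples."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        if result != "success":
            continue  # only successful sessions indicate shared access
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[user].append((when, ip, IP_COUNTRY.get(ip, "??")))
    for user in events:
        events[user].sort()
    return events


def find_suspicious(events, window=timedelta(hours=1), min_ips=2, min_countries=2):
    """Return one finding per user whose logins inside any `window` span
    at least `min_ips` distinct IPs and `min_countries` distinct countries."""
    findings = []
    for user, evs in events.items():
        for i, (start, _, _) in enumerate(evs):
            # events are sorted, so the window starting at evs[i] is a prefix of evs[i:]
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            ips = {e[1] for e in in_window}
            countries = {e[2] for e in in_window}
            if len(ips) >= min_ips and len(countries) >= min_countries:
                findings.append({
                    "user": user,
                    "start": start,
                    "end": in_window[-1][0],
                    "ips": sorted(ips),
                    "countries": sorted(countries),
                })
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{f['user']}: {len(f['ips'])} IPs in {f['countries']} "
              f"between {f['start']:%H:%M} and {f['end']:%H:%M}")
```

Tune the window and thresholds to the organization: corporate VPN exit nodes and staff who travel will trip a naive version, so the output is a triage queue to be combined with the other indicators in the list (remote-desktop software, session cookies reused from unmanaged devices) rather than a verdict on its own.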

HR departments are also urged to bolster their hiring process by implementing identity-verification processes during interviewing, onboarding, and throughout the employment of any remote worker.

The rogue applicants have been observed using face-swapping technology in video job interviews to conceal their true identities, the PSA mentions. The advisory includes several more tips for HR departments:

· Educate HR staff, hiring managers, and development teams regarding the North Korean IT worker threat, specifically focusing on changes in address or payment platforms during the onboarding process.

· Review each applicant's communication accounts as North Korean IT workers have reused phone numbers (particularly voice-over-IP numbers) and email addresses, on multiple resumes purportedly belonging to different applicants.

· Verify third-party staffing firms conduct robust hiring practices and routinely audit those practices.

· Use "soft" interview questions to ask applicants for specific details about their location or education background. North Korean IT workers often claim to have attended non-US educational institutions.

· Check applicant resumes for typos and unusual nomenclature.

· Complete as much of the hiring and onboarding process as possible in person.
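Checking applicant contact details for reuse across resumes, as the PSA suggests, is straightforward to automate once phone numbers and email addresses are normalized; formatting differences, plus-address tags and Gmail's dot-insensitive local parts otherwise hide the overlap. The script below is an added example, not code from the FBI or from Bitdefender; the applicant records are made up for illustration, and a real check would run over the applicant-tracking system's export.

```python
"""Find phone numbers and email addresses shared by supposedly different applicants.

Added example: applicant records are constructed; normalization rules are simple
heuristics (US-centric phone handling, plus-tag stripping, Gmail dot removal).
"""
import re
from collections import defaultdict

# Constructed applicant records (names and contact details are made up).
APPLICANTS = [
    {"name": "Alex Rivera", "email": "alex.rivera@example.com", "phone": "+1 (415) 555-0101"},
    {"name": "Jordan Lee", "email": "Alex.Rivera+dev@example.com", "phone": "415-555-0101"},
    {"name": "Sam Patel", "email": "sam.patel@example.org", "phone": "+1 212 555 0199"},
    {"name": "Chris Wong", "email": "c.wong@example.net", "phone": "14155550101"},
]


def normalize_phone(raw):
    """Keep digits only and drop a leading US/Canada country code."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def normalize_email(raw):
    """Lowercase, strip a plus-address tag, and ignore dots for Gmail local parts."""
    local, _, domain = raw.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def find_shared_contacts(applicants):
    """Map each (kind, normalized value) used by more than one applicant
    to the sorted list of applicant names that used it."""
    index = defaultdict(set)
    for a in applicants:
        index[("phone", normalize_phone(a["phone"]))].add(a["name"])
        index[("email", normalize_email(a["email"]))].add(a["name"])
    return {key: sorted(names) for key, names in index.items() if len(names) > 1}


if __name__ == "__main__":
    for (kind, value), names in find_shared_contacts(APPLICANTS).items():
        print(f"{kind} {value} reused by: {', '.join(names)}")
```

The same normalization should be applied to records already in the HR system, not just the current batch of resumes, since the reuse the PSA describes spans applications submitted over time.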

If you suspect you have been targeted by this threat, FBI recommends reporting it to the bureau’s Internet Crime Complaint Center (IC3) at www.IC3.gov as quickly as possible.

“Evaluate network activity from the suspected employee and their assigned device(s), and use internal intrusion-detection software to capture activity on the suspected device(s),” the memo adds.

Protect your office

As we note in our comprehensive guide to cyber-proofing a business, cybersecurity is no longer a concern solely for large corporations. Today’s offices increasingly find themselves in the crosshairs of cybercriminals, not least rogue employees.

Our guide lays out key aspects such as: protecting your data, spotting deceptive emails and impersonation attacks, securing partners and vendors, and turning your team into a defense line against malice.

Read: Small Office, Big Threats: 7 Ways to Cyber-Proof Your Business in 2025

Bitdefender recommends that companies big and small deploy a dedicated security solution to limit the chances of a breach.

Bitdefender Ultimate Small Business Security is an extended version of our consumer-friendly security suite. It includes malware detection, ransomware prevention, email protection, account breach protection, scam protection, and a trusty VPN. Thanks to a natural, intuitive dashboard designed for use even by non-techies, it can be administered by anyone in your organization.

To see it in action, visit https://www.bitdefender.com/en-us/consumer/small-business-security.

Author


Filip TRUȚĂ

Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
