In a recent SecureWorld Remote Sessions webcast, cybersecurity expert Roger Grimes of KnowBe4 shed light on a pervasive and insidious cyber threat: North Korea's "IT Army." These nation-state threat actors, as Grimes described, infiltrate companies worldwide by posing as IT contractors and employees, allowing the North Korean government to generate revenue and potentially compromise sensitive systems.
Grimes, KnowBe4's Data-Driven Defense Evangelist, opened the session with a warning. "This is about a huge, evolving threat," he said. "Hundreds of companies around the world, including major American firms, have accidentally hired North Korean employees pretending to be something else. And it's a really big problem." Grimes outlined KnowBe4's own recent experience, in which they identified and terminated an employee who was part of this covert operation.
According to recent reports by Recorded Future and Mandiant (now part of Google Cloud), this incident is part of a larger pattern. Mandiant's research attributes the scheme to a North Korean group it tracks as UNC5267, which has been running it since at least 2018. The workers themselves often reside outside North Korea, primarily in countries like China, Russia, and Malaysia, under the supervision of "minders" who control their activities and route the earnings back to North Korea. The scale is significant: individual operatives reportedly hold several positions at once, and the combined income is a meaningful revenue stream for the regime's weapons programs.
"Every Fortune 100 organization should be thinking about this problem," warned Charles Carmakal, CTO of Mandiant, in a statement. "These IT workers could easily receive instructions to deploy ransomware and disable major organizations across the U.S. and Europe very quickly."
As Grimes outlined, these operatives use stolen or fictitious identities to obtain roles as remote contractors, primarily targeting technology and cybersecurity firms. The remote nature of today's work environment has made these schemes easier to pull off, particularly as many companies lack rigorous identity verification for remote staff. Mandiant's report corroborates these tactics, noting that the operatives frequently ask for their company laptop to be shipped to an address other than the one on their application. The device ends up in a "laptop farm," a location inside the U.S. where a local collaborator installs remote access tools such as AnyDesk or TeamViewer, so that the worker's traffic appears to originate from a U.S. residence while the person at the keyboard is overseas.
KnowBe4 discovered their operative's intent when the newly-hired "employee" attempted to load password-stealing malware onto a company-issued device. The suspicious activity triggered alerts within KnowBe4's security operations center, leading to swift device isolation and investigation. Reflecting on the ordeal, Grimes said, "It was a wake-up call. We had robust background checks in place, but they passed every one using a stolen U.S. identity."
During the session, Grimes emphasized several red flags that companies should watch for to prevent similar incidents:
Reluctance to appear on video during interviews or meetings, with the caveat that some operatives are now willing to be on camera because AI-generated faces and real-time deepfake video have lowered the risk of doing so.
Mismatched locations and addresses, often requesting that laptops be shipped to a different address than the one listed on their resume.
Multiple jobs held simultaneously, a tactic that generates significant revenue for the North Korean government.
Poor language skills or inconsistent online profiles, such as fake or template-based GitHub accounts that show no credible contribution history.
According to Grimes, even minor inconsistencies can be a clue. "We later learned that their resume picture was an AI-generated face overlaid on a stock image," he explained. "This level of deception shows how sophisticated they're getting."
With incidents of North Korean IT infiltration spanning companies from KnowBe4 to some of the largest U.S. firms, Mandiant and other experts recommend rigorous hiring and onboarding practices to counter the threat. These include verifying U.S.-based credentials and identity documents, conducting in-person or on-camera identity checks, and flagging suspicious behaviors such as frequent VPN usage or reluctance to engage in video communication.
Mandiant also suggests that companies go further by blocking unapproved remote access tools on managed devices (and alerting when one appears) and by requiring new employees to confirm physical device details during onboarding. For instance, asking a new hire to read the laptop's serial number aloud on camera confirms that the person actually has the device that was shipped to them. That check only proves possession at that moment, not that the device stays with them, so it belongs alongside ongoing telemetry (device location, unexpected remote access software, VPN egress) rather than serving as a one-time gate.
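One concrete way to turn the "block unapproved remote access tools" control into a detection is to scan endpoint process-creation telemetry for the tools' executable names, exempt the few hosts where a tool is sanctioned, and raise severity on devices that belong to staff still in their onboarding window. The following is an added example, not code from the original page, KnowBe4, Mandiant or SecureWorld. The event format (host, user, image, parent), the tool list, the allowlist and the new-hire host list are all illustrative assumptions, and the sample events are constructed, not real telemetry.

```python
"""
Detection for unapproved remote access tools on managed endpoints.

Added example; not code from the page, KnowBe4, Mandiant or SecureWorld.
Assumes a constructed JSON-lines feed of process-creation events with
fields modelled loosely on Sysmon Event ID 1 / Windows 4688.
"""
import json
import re
from typing import Dict, List, Optional

# Executable names of remote access tools commonly abused in these schemes.
# Assumed, illustrative list: basename matching is a deliberately simple
# first signal. Pair it with signer/hash checks and egress to vendor relays.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "rustdesk.exe": "RustDesk",
    "rustdesk": "RustDesk",              # Linux binary name
    "remoting_host.exe": "Chrome Remote Desktop",
}

# (host, tool) pairs where the tool is sanctioned, e.g. a helpdesk jump box.
# Assumed for the example.
ALLOWLIST = {("HELPDESK-01", "TeamViewer")}

# Hosts issued to staff still inside their onboarding window. Assumed; a
# real pipeline would join this against the HR and asset systems.
NEW_HIRE_HOSTS = {"LAPTOP-7F3A"}


def image_basename(image: str) -> str:
    """Return the lowercase file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", image)[-1].lower()


def classify(event: Dict) -> Optional[Dict]:
    """Return a finding for one process-creation event, or None if benign."""
    tool = REMOTE_ACCESS_TOOLS.get(image_basename(event.get("image", "")))
    if tool is None:
        return None
    host = event.get("host", "")
    if (host, tool) in ALLOWLIST:
        return None
    return {
        "host": host,
        "user": event.get("user", ""),
        "tool": tool,
        "image": event.get("image", ""),
        # Remote access software on a brand-new hire's laptop is the
        # laptop-farm pattern the page describes, so it outranks the rest.
        "severity": "high" if host in NEW_HIRE_HOSTS else "medium",
    }


def scan(jsonl: str) -> List[Dict]:
    """Run classify() over a JSON-lines feed, skipping blank/unparsable lines."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry). Raw string so the JSON
# escapes survive as written; JSON turns each "\\" into one backslash.
SAMPLE_EVENTS = r"""
{"host": "LAPTOP-7F3A", "user": "CORP\\jdoe", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "parent": "C:\\Windows\\explorer.exe"}
{"host": "LAPTOP-7F3A", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\svchost.exe", "parent": "C:\\Windows\\System32\\services.exe"}
{"host": "HELPDESK-01", "user": "CORP\\svc_helpdesk", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "parent": "C:\\Windows\\System32\\services.exe"}
{"host": "DEV-22", "user": "asmith", "image": "/opt/rustdesk/rustdesk", "parent": "/usr/bin/bash"}
{"host": "DEV-22", "user": "CORP\\asmith", "image": "C:\\Users\\asmith\\AppData\\Local\\Chrome Remote Desktop\\remoting_host.exe", "parent": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']} launched {f['tool']} ({f['image']})")
```

On the sample feed the AnyDesk launch on the new-hire laptop comes out as high severity, the helpdesk TeamViewer instance is suppressed by the allowlist, and the RustDesk and Chrome Remote Desktop launches on the developer host are medium. In practice the same logic is better expressed as an EDR or SIEM rule; the point here is the shape of the check (basename match, explicit exceptions, elevated severity for onboarding devices), not the Python.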
Grimes also highlighted the importance of internal education, advising: "Anyone involved in hiring or IT should understand the tactics used by North Korean operatives. Share the signs, adjust your processes, and make it harder for bad actors to slip through the cracks."
As Grimes and others in the field predict, foreign government-sponsored cyber infiltration will likely become even more sophisticated. Recorded Future's report reveals that, in recent months, the U.S. Department of Justice has prosecuted individuals running "laptop farms" and facilitating these operations for North Korea. However, given the level of deception and remote nature of these schemes, the threat remains high.
Grimes' message is clear for companies that hire remote IT talent: "Don't assume it can't happen to you. Every organization, regardless of size, needs to be vigilant. You might be one background check or video call away from hiring an operative for a foreign government."
SecureWorld's Remote Sessions webcast underscores the gravity of this issue and the steps companies must take to stay secure in a world where even job applicants can be Trojan horses for foreign adversaries.