A new Mandiant investigation has revealed that workers from the Democratic People's Republic of Korea (DPRK) have posed as other nationalities to be hired by Western companies and infiltrate their systems.
A facilitator was found to have helped IT workers use the stolen identities of more than 60 US citizens at more than 300 companies, generating more than $6.8 million in revenue for DPRK IT workers between 2020 and 2023.
The US Department of Justice has reportedly arrested and charged several US citizens with running "laptop farms": locations that house the equipment US companies ship to their new "employees". Once a laptop arrives, a facilitator installs remote access software on it, allowing the North Korean workers to log in from abroad through a device that physically sits on US soil.
Stolen credentials
The tactic was first publicly flagged in 2022, when the US government warned that DPRK IT workers were taking advantage of remote employment opportunities to gain privileged access and enable malicious cyber activity.
Operating through 'front companies', thousands of such workers were able to draw salaries, sometimes from several employers at once, to generate income for the DPRK. The access they gained to American technology companies could also be used to stage intrusions or cyberattacks.
“The biggest concern I have is what happens if these threat actors go undetected for long enough and are eventually given an order by the North Korean regime to launch a large-scale attack,” said Michael Barnhart, principal analyst at Mandiant.
While this may seem far-fetched, it is not the first time DPRK threat actors have used the labor market to deceive unsuspecting Westerners: earlier this year it was reported that DPRK operators posted fake job advertisements to trick candidates into downloading malware.
To mitigate the risk, Mandiant recommends conducting spot checks that require remote employees to appear on camera, training staff to recognize suspicious activity, and requiring US bank accounts for all payroll and other financial transactions, since opening a US account involves a strict identity-verification process.
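The laptop-farm scheme described above leaves two technical traces that the organisational checks Mandiant recommends do not cover: several "new hires" whose corporate laptops all reach the VPN from the same residential IP address, and a consumer remote-control tool installed on a company-managed device. The script below is an added example, written for this page rather than taken from Mandiant or the article, that turns both traces into a triage list. The VPN login records, the software inventory and the watchlist of remote-control tools are all constructed sample data and hypothetical assumptions; a real deployment would read them from the VPN concentrator and the endpoint-management system and substitute its own approved-software list.

```python
from collections import defaultdict

# Constructed sample data (not from the article or Mandiant):
# corporate-laptop VPN logins as (employee, device_serial, source_ip, timestamp).
LOGINS = [
    ("j.doe",   "SN-1001", "198.51.100.7", "2023-03-01T13:02:00"),
    ("a.smith", "SN-1002", "198.51.100.7", "2023-03-01T13:05:00"),
    ("m.lee",   "SN-1003", "198.51.100.7", "2023-03-01T14:10:00"),
    ("r.patel", "SN-1004", "203.0.113.44", "2023-03-01T09:00:00"),
    ("k.jones", "SN-1005", "192.0.2.9",    "2023-03-01T10:30:00"),
]

# Constructed endpoint software inventory keyed by device serial.
INVENTORY = {
    "SN-1001": ["chrome", "slack", "anydesk"],
    "SN-1002": ["chrome", "slack", "teamviewer"],
    "SN-1003": ["chrome", "slack"],
    "SN-1004": ["chrome", "slack"],
    "SN-1005": ["chrome", "zoom", "rustdesk"],
}

# Hypothetical watchlist: remote-control tools this fictional company has not
# approved for managed laptops. Substitute the organisation's own list.
UNAPPROVED_REMOTE_TOOLS = {"anydesk", "teamviewer", "rustdesk", "chrome-remote-desktop"}


def shared_egress_ips(logins, min_identities=3):
    """Map each source IP used by >= min_identities distinct employees to those employees.

    Several unrelated new hires sharing one residential IP is the network-side
    signature of a laptop farm (though it also occurs with CGNAT or co-located staff).
    """
    by_ip = defaultdict(set)
    for employee, _serial, ip, _ts in logins:
        by_ip[ip].add(employee)
    return {ip: sorted(emps) for ip, emps in by_ip.items() if len(emps) >= min_identities}


def devices_with_remote_tools(inventory, watchlist=UNAPPROVED_REMOTE_TOOLS):
    """Map each device serial running a watch-listed remote-control tool to the tools found."""
    hits = {}
    for serial, software in inventory.items():
        found = sorted({name.lower() for name in software} & watchlist)
        if found:
            hits[serial] = found
    return hits


def triage(logins, inventory, min_identities=3):
    """Combine both signals per employee; return [(employee, sorted reasons)] for those flagged."""
    farm_ips = shared_egress_ips(logins, min_identities)
    tool_hits = devices_with_remote_tools(inventory)
    findings = defaultdict(set)
    for employee, serial, ip, _ts in logins:
        if ip in farm_ips:
            findings[employee].add(
                f"egress IP {ip} shared by {len(farm_ips[ip])} identities")
        if serial in tool_hits:
            findings[employee].add(
                f"device {serial} runs {', '.join(tool_hits[serial])}")
    return [(emp, sorted(reasons)) for emp, reasons in sorted(findings.items())]


if __name__ == "__main__":
    for employee, reasons in triage(LOGINS, INVENTORY):
        print(employee)
        for reason in reasons:
            print("   ", reason)
```

Neither signal is proof on its own: a shared egress IP also appears when legitimate staff work from one office or sit behind a carrier NAT, and remote-control software has legitimate uses. An identity that trips both, as the first two sample employees do, is the one to pull into the on-camera spot check the article describes.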