Why the North Korean Remote IT Worker Threat Persists and Continues to Damage U.S. National Security

By Glenn Chafetz

U.S. government and private cybersecurity teams are now well aware that information technology (IT) workers from the Democratic People’s Republic of Korea (DPRK) have infiltrated the computer systems of thousands of U.S. companies, posing a significant cybersecurity threat, weakening U.S. national security, and helping North Korea circumvent sanctions. Yet neither the government nor the private sector has made substantial progress in addressing the problem. Two related factors explain the persistence and growth of the phenomenon. First, DPRK operatives and their U.S. facilitators are adapting their tactics to evade detection, for example by using falsified and synthetic identities or stolen, genuine identity documents. Second, private firms consistently underestimate the scale of the threat, precisely because detection is difficult and incidents are underreported, which feeds a vicious cycle of underfinanced countermeasures.

The U.S. Department of Justice estimates that thousands of North Korean IT professionals operate globally. The cybersecurity firm Mandiant reported that dozens of Fortune 100 companies unknowingly employ North Koreans. However, industry sources say that the scope of the DPRK IT worker threat is vastly underreported and quietly consuming the capacity of overburdened and underfunded security teams across the economy, diverting attention from cyber intrusion activities conducted by other actors like China, Russia, Iran, and the DPRK itself. Despite growing awareness among security professionals, most companies continue to minimize security threats, primarily because risks remain diffuse, indirect, and difficult to measure.

One reason risks are difficult to measure is that DPRK operatives and their U.S. facilitators have made detection more difficult by using increasingly sophisticated tactics to counter the modest security and vetting processes that American companies have put in place. Nearly every step of the hiring, vetting, and employment process has been infiltrated by proxies, including Americans, who act on behalf of DPRK nationals; industry representatives have observed college students and retirees readily accept payment to help the DPRK gain access to private U.S. IT systems.

Although techniques for evading detection continue to evolve, they have always been a key part of the North Korean strategy. When the DPRK IT workers first started infiltrating U.S. companies, they occasionally stole intellectual property or inserted malware in the systems they administered, but their main objective was to remain unnoticed and generate steady revenues by simply doing their jobs and earning their salaries. This approach succeeded. The U.S. government (USG) sounded the alarm, but American companies still behaved as if they saw no clear risk emanating from either the DPRK or USG regulatory action, as I explain below. 

Providing material support to North Korea violates many laws, regulations and sanctions, but the USG views American firms that unknowingly hire outsourced North Koreans as victims rather than negligent or complicit actors. The USG could begin treating these cases as it does violations of export controls or sanctions. However, this is unlikely in the near term because the United States lacks the resources and means for effective enforcement across a massive number of potential violators. Moreover, neither the previous nor current administration has shown any appetite for imposing the criminal or administrative penalties required to incentivize companies to act. As a result, U.S. firms inadvertently channeling money to the DPRK face no or minimal regulatory consequences for doing nothing.

Moreover, many U.S. firms focus on the perceived benefit of low-cost, competent IT support, failing to acknowledge or even recognize their role in sustaining the problem. As one finance professional lamented to the author, managers will not spend money on an issue unless its impact on the bottom line is clear. They see North Korea’s enhanced ability to strike the United States with nuclear weapons as a national security problem, not a corporate risk.

Recently, however, the immediate incentives for Western firms to pay more attention to the North Korean IT worker threat have increased. The DPRK has added ransomware and extortion to its tactical repertoire, meaning businesses face all the direct, immediate, and measurable costs entailed by cyber intrusions, data and IP theft, and interruption of operations. Since the DPRK IT workers have systems access, they have a much greater opportunity to choose when and how to disrupt their host’s operations than if they were external hackers.

Even when business leaders do appreciate the risks they face, they still fail to understand their critical role in response and mitigation. Private firms are not willing to spend beyond the bare minimum to protect themselves, and many continue to believe that this is only the government’s job. The FBI, which takes point on this issue, cannot investigate what companies themselves fail to detect and report. The Bureau lacks preemptive investigative authorities (that is, it does not do pre-crime). Moreover, with only 10,100 special agents to cover the entire United States, the FBI lacks the resources to meet its existing, authorized responsibilities. Therefore, the private sector must play the main role in its own defense. At a minimum, this requires vetting all contractors and subcontractors in order to identify DPRK IT workers before they are hired. This involves human resources, legal, and security, and not just IT.

Detection requires that companies understand the following tactics:

  1. Job Hunting Websites: DPRK IT workers often find their surrogates via U.S. job hunting websites. This is a key step in the process and shows the scale of the problem; DPRK organizers have invested significant time and resources in advertising, recruiting, and vetting prospective surrogates. Initial contact with proxy candidates takes place on job sites, then migrates to encrypted commercial messaging apps like WhatsApp, Signal or Telegram. The DPRK national then tasks the surrogate with creating a new biography, education and experience history for posting on job sites for IT positions.

  2. Fake Identification Documents: Surrogates often create fake identification documents. Some of these IDs may not pass the scrutiny of an actual physical inspection by the hiring firm, but will be of sufficient quality to pass video verification or email submissions. At least one industry source said that the DPRK tries to recruit U.S. DMV employees to produce authentic IDs for use in DPRK operations.

  3. Drug Test Manipulation: DPRK workers recruit employees of U.S. drug testing companies to alter drug testing records and ensure the IT worker passes a drug screening. If at the end of this process, the ruse succeeds and the proxy acquires a position, the DPRK national often pays a bonus to the surrogate.

  4. Corporate Laptop Interception: North Koreans use commercial post office (PO) boxes as “drop shipment” sites for corporate laptops, where companies send devices that are then picked up by proxies and delivered to DPRK IT workers abroad or to other U.S.-based proxies. U.S. companies rarely, if ever, scrutinize the addresses of their new hires, allowing the repeated use of these addresses across industries with impunity. Some of these PO boxes were found to be registered to convicted U.S. felons, indicating some level of coordination between the DPRK and U.S. criminal groups.

  5. Shared Phone Numbers: North Koreans use the same tactic for phones. They share a single Skype or Google Voice number across multiple devices so that the North Korean worker and the U.S. surrogate can both see and coordinate calls with the unwitting employer. Proxies also record all interviews and meetings with the IT workers for the same purpose.

Once companies commit to act, they should take five main steps to protect themselves:

  1. Recognize the Full Scope of the Threat: U.S. companies must understand that the consequences of the DPRK’s widespread, unchecked presence in American IT systems are catastrophic and include the loss of access to systems, interruption of business operations, theft or destruction of data and IP, and all the attendant revenue losses—not to mention a nuclear attack on the United States.

  2. Prioritize the Threat Within Cybersecurity Teams: Make the DPRK IT worker threat a priority for company cybersecurity teams. Many in-house cyber and threat intelligence teams do not consider the DPRK IT worker problem to be an advanced persistent threat, and therefore do not consider it worthy of attention. This is a mistake.

  3. Implement Rigorous Vetting Procedures: Vet all contractors and subcontractors. This is good practice for all personnel with access to company information, but is crucial for IT because of its critical role in business operations. Impose contractual penalties on contractors who fail to vet their subcontractors.

  4. Stay Informed on Threat Actor Tactics: Keep up to date with threat actor tactics, as described above, and take appropriate action. Train company personnel on how to recognize North Korean IT threats and tactics. Investigate all addresses of subcontractors to ensure that they are not PO boxes and not shared across other IT workers. Investigate phone numbers in the same way. Disable and disallow recording of interviews and communications. Insist on seeing identification documents and running them through verification software. Crosscheck biographical information across multiple sites.

  5. Increase Information Sharing: Recognize that the DPRK IT worker problem is much larger than reported, which means companies are underestimating the probability that they are affected. It is critical that companies report findings and suspicions, and share information with law enforcement and other companies. Underreporting leads not only to underestimation of risk but also to direct failures to remove bad actors and prevent further harm. Lack of reporting has led to situations in which DPRK IT workers, who have been discovered by one company, have then gone on to work with other outsourcing companies.
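The address and phone checks in step 4 can be automated over onboarding records. The following script is an added illustration written for this page, not code from the author or from any vendor tool: it flags shipping addresses that look like PO boxes or private mailboxes, and then groups contractors whose normalized shipping address or phone number collides, marking groups that span more than one staffing vendor (the cross-industry reuse the tactics list describes). The records, names, vendors, addresses and numbers are all constructed for the example; the address normalization is deliberately minimal and a production version would validate against a postal-address service and a list of commercial mail receiving agencies.

```python
"""Cross-reference contractor onboarding records for mail-drop and shared-contact indicators.

Added example for this page; every record below is constructed and fictional.
"""
import re
from collections import defaultdict

# Constructed onboarding records: two pairs share a mail drop and a phone number.
RECORDS = [
    {"id": "c-101", "vendor": "Acme Staffing", "name": "A. Example",
     "ship_to": "PO Box 4521, Springfield, IL 62701", "phone": "+1 217 555 0101"},
    {"id": "c-102", "vendor": "Acme Staffing", "name": "B. Example",
     "ship_to": "77 Elm St Apt 2, Columbus, OH 43215", "phone": "+1 614 555 0102"},
    {"id": "c-103", "vendor": "Beta Outsourcing", "name": "C. Example",
     "ship_to": "P.O. Box 4521, Springfield, IL 62701", "phone": "(217) 555-0101"},
    {"id": "c-104", "vendor": "Gamma IT", "name": "D. Example",
     "ship_to": "1200 Main St #318, Dallas, TX 75201", "phone": "+1 972 555 0104"},
    {"id": "c-105", "vendor": "Gamma IT", "name": "E. Example",
     "ship_to": "1200 Main Street Suite 318, Dallas, TX 75201", "phone": "972-555-0104"},
]

# PO boxes and "PMB" (private mailbox at a commercial mail receiving agency).
PO_BOX_RE = re.compile(r"\b(p\.?\s*o\.?\s*box|post\s+office\s+box|pmb)\b", re.I)


def normalize_address(addr: str) -> str:
    """Canonicalise an address so trivial spelling variations still collide."""
    a = addr.lower().replace("#", " unit ")
    a = re.sub(r"[.,]", " ", a)
    a = re.sub(r"\bp\s*o\s+box\b", "pobox", a)
    a = re.sub(r"\b(street|st)\b", "st", a)
    a = re.sub(r"\b(suite|ste|apt|unit)\b", "unit", a)
    return " ".join(a.split())


def normalize_phone(phone: str) -> str:
    """Keep digits only and drop a leading US country code."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def find_indicators(records):
    """Return a list of findings: PO-box addresses and shared addresses/phones."""
    findings = []
    by_addr = defaultdict(list)
    by_phone = defaultdict(list)
    for r in records:
        if PO_BOX_RE.search(r["ship_to"]):
            findings.append({"kind": "po_box_shipping_address",
                             "ids": (r["id"],), "value": r["ship_to"]})
        by_addr[normalize_address(r["ship_to"])].append(r)
        by_phone[normalize_phone(r["phone"])].append(r)
    for kind, index in (("shared_shipping_address", by_addr),
                        ("shared_phone_number", by_phone)):
        for value, group in index.items():
            if len(group) > 1:
                findings.append({
                    "kind": kind,
                    "ids": tuple(r["id"] for r in group),
                    "value": value,
                    # Reuse across different staffing vendors is the stronger signal.
                    "cross_vendor": len({r["vendor"] for r in group}) > 1,
                })
    return findings


if __name__ == "__main__":
    for f in find_indicators(RECORDS):
        print(f)
```

Running the script lists the two PO-box records, the shared Springfield mail drop and shared 217 number used under two different vendors, and the Dallas address and 972 number reused within one vendor. A finding is a lead for HR, legal and security to follow up, not proof of a DPRK link on its own.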

These recommendations are not costly. They are certainly less expensive than bringing all IT services in-house, which is the only guaranteed way of reducing the outsourcing risk to zero. Most of the suggested mitigations are behavioral, such as sharing information with law enforcement and other companies. Some of these actions, such as establishing a program to vet IT contractors and subcontractors, do carry additional costs, but failing to implement such a program will prove significantly, and possibly catastrophically, more expensive than doing so. Yet private sector responses to the threat currently remain insufficient. This is likely because, while business leaders may accept the assertions about the costs and benefits of countering the DPRK IT threat in the aggregate, they convince themselves that such assertions do not apply to their individual companies. The costs of security countermeasures are concrete, immediate and certain. The consequences of failing to bear the costs are abstract, delayed, and probabilistic. It is unlikely that this will change before the problem worsens, unless the USG can compel or incentivize sufficient private sector action.

Glenn Chafetz is Director of 2430 Group, an independent, nonprofit research organization that focuses on the nexus of national security, business, and technology. He previously served in the CIA and State Department, and has held teaching and research positions at the National Intelligence University, American University, the University of Memphis, and the University of Georgia. Glenn holds a Ph.D. in Foreign Affairs from the University of Virginia.