Since at least 2020, North Korean (DPRK) state actors have covertly embedded remote IT workers within global organizations. These operatives typically pose as freelance developers, systems administrators, and DevOps engineers. To support the deception, they build fake identities from AI-generated headshots, voice-changing software, and forged or stolen identity documents. To avoid detection, they route their activity through VPNs, VPSs, and laptop farms (company-issued devices hosted by a facilitator in the country of the claimed identity and controlled remotely), and they rely on remote management software to operate those devices. Once hired, they function as trusted insiders with legitimate access to sensitive internal systems and intellectual property. Their objectives extend well beyond collecting wages. They have been known to funnel millions of dollars in stolen cryptocurrency back to North Korea, in direct violation of international sanctions. They also exfiltrate proprietary data, source code, and restricted technologies that can be repurposed for military or espionage use, and some have participated in ransomware deployment and extortion schemes. By blending into global IT workforces, these operatives pose a serious threat to commercial enterprises and critical infrastructure around the world.
Detections
- Execution of User Activity Simulation Tools
- Risky Ping Identity Login
- Monitor for installation or execution of remote access tools not approved in your environment
- Detect Python scripts executing from non-standard locations or with network activity
- Detect logins from valid accounts originating from unusual locations, devices, or at abnormal times
- Alert on unauthorized financial transactions or changes to payment configurations
- Monitor for C2 communication over HTTP/HTTPS to uncommon or newly registered domains
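The following is an added example, not part of this page or its detection content, showing how four of the detections listed above (unapproved remote access tools, user activity simulation tools, Python running from non-standard locations or with network activity, and valid-account logins from unusual locations, devices, or times) can be expressed as simple rules and run over telemetry. The event schema, tool names, allowlist, keyword set, per-user baseline, and the sample events themselves are all constructed assumptions for the example.

```python
"""Toy detection pass over constructed endpoint and identity telemetry.
Added example; the event schema, tool lists, allowlist and baseline are assumptions."""
import ntpath
from datetime import datetime

# Constructed sample events (not real telemetry). Field names are assumed.
EVENTS = [
    {"type": "process", "user": "jdoe", "network": True,
     "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"},
    {"type": "process", "user": "jdoe", "network": True,
     "image": r"C:\Program Files\ScreenConnect Client\ScreenConnect.WindowsClient.exe",
     "cmdline": "ScreenConnect.WindowsClient.exe"},
    {"type": "process", "user": "jdoe", "network": False,
     "image": r"C:\Users\jdoe\Downloads\mouse_jiggler.exe", "cmdline": "mouse_jiggler.exe"},
    {"type": "process", "user": "jdoe", "network": True,
     "image": r"C:\Python311\python.exe", "cmdline": r"python.exe C:\Users\jdoe\AppData\Local\Temp\sync.py"},
    {"type": "process", "user": "asmith", "network": False,
     "image": r"C:\Python311\python.exe", "cmdline": r"python.exe C:\src\project\build.py"},
    {"type": "login", "user": "jdoe", "country": "US", "device": "LAPTOP-01", "time": "2024-03-04T14:05:00+00:00"},
    {"type": "login", "user": "jdoe", "country": "ZZ", "device": "LAPTOP-01", "time": "2024-03-04T15:10:00+00:00"},
    {"type": "login", "user": "jdoe", "country": "US", "device": "UNKNOWN-77", "time": "2024-03-05T03:20:00+00:00"},
]

# Illustrative lists; a real deployment sources these from inventory and tunes them.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "screenconnect.windowsclient.exe"}
APPROVED_REMOTE_ACCESS = {"screenconnect.windowsclient.exe"}   # assumed org allowlist
ACTIVITY_SIM_KEYWORDS = ("jiggler", "movemouse", "caffeine")    # assumed keyword set
NONSTANDARD_DIRS = ("\\temp\\", "\\downloads\\", "\\appdata\\")
# Assumed per-user baseline: expected countries, known devices, UTC work hours [start, end).
BASELINE = {"jdoe": {"countries": {"US"}, "devices": {"LAPTOP-01"}, "work_hours": (8, 19)}}


def _image(e):
    # ntpath parses Windows paths correctly regardless of the host OS.
    return ntpath.basename(e["image"]).lower()


def unapproved_remote_access(events):
    """Known remote access tools whose image is not on the allowlist."""
    return [f"{e['user']}: {_image(e)}" for e in events if e["type"] == "process"
            and _image(e) in REMOTE_ACCESS_TOOLS and _image(e) not in APPROVED_REMOTE_ACCESS]


def activity_simulation(events):
    """Image name or command line matching user-activity-simulation keywords."""
    return [f"{e['user']}: {_image(e)}" for e in events if e["type"] == "process"
            and any(k in (_image(e) + " " + e["cmdline"]).lower() for k in ACTIVITY_SIM_KEYWORDS)]


def suspicious_python(events):
    """Python running a script from a non-standard directory, or with network activity."""
    hits = []
    for e in events:
        if e["type"] != "process" or not _image(e).startswith("python"):
            continue
        reasons = []
        if any(d in e["cmdline"].lower() for d in NONSTANDARD_DIRS):
            reasons.append("non-standard path")
        if e.get("network"):
            reasons.append("network activity")
        if reasons:
            hits.append(f"{e['user']}: {', '.join(reasons)}")
    return hits


def anomalous_logins(events):
    """Valid-account logins deviating from the user's country, device or time baseline."""
    hits = []
    for e in events:
        if e["type"] != "login" or e["user"] not in BASELINE:
            continue
        b = BASELINE[e["user"]]
        hour = datetime.fromisoformat(e["time"]).hour   # timestamps assumed to be UTC
        reasons = []
        if e["country"] not in b["countries"]:
            reasons.append(f"country {e['country']}")
        if e["device"] not in b["devices"]:
            reasons.append(f"device {e['device']}")
        if not (b["work_hours"][0] <= hour < b["work_hours"][1]):
            reasons.append(f"hour {hour:02d} UTC")
        if reasons:
            hits.append(f"{e['user']}: {', '.join(reasons)}")
    return hits


def run_all(events=EVENTS):
    """Run every rule and return alerts keyed by rule name."""
    return {"unapproved_remote_access": unapproved_remote_access(events),
            "activity_simulation": activity_simulation(events),
            "suspicious_python": suspicious_python(events),
            "anomalous_logins": anomalous_logins(events)}


if __name__ == "__main__":
    for rule, alerts in run_all().items():
        print(rule, alerts)
```

Each rule returns one line per matching event so the results can be joined on the user: in the sample, the same account runs an unapproved remote access tool, a mouse jiggler, and a Python script from a temp directory, and also logs in from an unexpected country and from an unknown device at 03:20 UTC. Individually several of these are noisy (Python with network activity is common on developer machines), which is why the baseline and allowlist should be tuned per environment and why correlating the rules on a single identity matters more than any one hit.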