THREAT ADVISORY

i³ Threat Advisory: Inside the DPRK: Spotting Malicious Remote IT Applicants

Look out for resume inconsistencies. Included experience with technologies before those technologies had ever existed.
Suspicious virtual backgrounds could signify a working environment different than that expected of a work from home employee.
Review log sources from applications like Zoom when conducting the remote interview to determine if the remote worker matches any known indicators.

INTRODUCTION

Democratic People’s Republic of Korea (DPRK, a.k.a. North Korea) has increasingly been targeting western organizations to secure remote IT worker jobs in aerospace, defense, retail, and technology companies. This has been reported by Mandiant, CrowdStrike, and KnowBe4 all with observations and lessons learned from each of these sources. DTEX also has had firsthand experience identifying an apparent DPRK IT Worker during the early stages of an interview process. While initial incidents have been focused on the technology sector, the DTEX i³ team have observed indicators that other industries are also starting to be targeted.

The DPRK IT workers’ motivations include personal financial gain and state objectives using a technically proficient workforce that has been observed by other intel companies to sometimes be working multiple remote jobs at once. The nature of the positions they are obtaining often means the workers have elevated access to network and can freely modify code. This can lead to a raft of dire outcomes, including but hardly limited to IP theft, reputational damage, financial loss and disruption of critical services.

The significance of this threat from DPRK cannot be understated. DPRK has invested significant resources into STEM education for years, including nurturing individuals who show talent in computer science. These students are exposed domestically and internationally to technology to further their skillsets where some then will become part of DPRK cyber operations. The unfolding of their current campaign highlights the long-term planning underway that we are only beginning to see.

This iTA highlights DPRK’s focus on remote IT jobs, but we should remember that other nations, as noted in the i³ Threat Advisory: Disrupting Foreign Interference, may use similar tactics to target critical infrastructure in the west, possibly with even more dangerous motives.

Analyzing these cases, along with our own experience, can help develop strategies to address the DPRK IT worker issue and strengthen an organization’s overall insider risk management program.

This iTA will cover how to configure DTEX’s Leavers and Joiners early warning reports to specifically look at the correlation between new joiners with:

Unauthorized remote access tools
Anomalous geolocation of endpoints
Unauthorized mouse jigglers
Data hoarding
Negligent behavior alerts.

All of which are high-risk indicators of DPRK infiltration.

DETECTION

DTEX, Early Identification During Pre-Employment

Much like the recent KnowBe4 incident where a North Korean IT worker attempted to infiltrate the company. DTEX encountered a similar attempt but was able to identify and report the incident in the early stages of the recruitment phase. The potential DPRK IT Worker was applying for a remote frontend developer role, where the candidate’s inconsistencies raised red flags.

DTEX was able to identify the potential threat via:

Resume inconsistencies – included experience with technologies before those technologies had even been invented.

Suspicious virtual backgrounds – gap in Zoom virtual background indicated a call center rather than a home working environment.
IP IOCs in Zoom logs – claimed to be based in Bakersfield, CA, while IP logs from the Zoom interview showed they were in Dallas, TX—later linked to a known DPRK indicator of compromise (IOC). Confirmed within the recent Mandiant IOC list.

One of our technical interviewers flagged these issues, stopping the candidate’s progression and containing the threat. This highlights the power of human sensors – in our case, our trusted workforce – in the early detection of insider threats.

PRE-EMPLOYMENT DETECTION

There are many articles describing pre-employment detections, practices, and procedures that can be put in place. The key component will be data collection across the various teams involved from HR, to hiring managers, recruiters, and the technical team that may be part of the interview process. The following sections provide a summary of what to look out for based on our research and our own experience.

The Interview

Cameras on. This enables the interviewers to confirm the individual matches their online profiles and any provided identification. If possible, it may be good to ask for the candidate to not obscure their background which may provide more insight to their purported location. In our case, the individual had used a geometric background but in the gaps of the background it appeared they were in a call center style office space (even though claiming they were working from home).

Indications of cheating. This can apply to both coding questions or more technical questions about their background where the candidate may be reading from a script or receiving coaching prompts in a background application. Signs could include excessive pausing, stalling, eye scanning movements indicating reading, and giving incorrect yet plausible or broad answers to questions.

In person meet. A formal interview isn’t necessary. If you have employees in the same area as the applicant, having them meet for an informal “coffee” chat can help identify DPRK IT workers, as they won’t be in the country.

Interview call logs. Verify the IP address from the remote call (Zoom or Microsoft Teams) to see if it matches the candidate’s location and check it against known indicators of compromise (IOC). Keep in mind that adversaries often change tactics, so even if the IP seems fine, other signs might still indicate the candidate could be a DPRK IT.

The Resume

Train employees to look for inconsistencies. You will need to train all staff to look for broad IT consistencies when reviewing resumes. This could be completed by technical staff as part of the interview process, or it may be more efficient to teach HR or recruiters to look for this early on to save time. Items to look out for would be technologies listed under companies that are unlikely to use it, for example a candidate listing internal Amazon or Google technologies while working at Apple.

Another example would be if the technology listed did not exist during the years that candidate was working for the company. For example, FastAPI was first released December 5, 2018, but the candidate applying at DTEX listed it for a job they left in 2016. However, if it’s the only issue, it’s worth asking them to explain during the interview.

DPRK candidates often list education from countries like China, Japan, Singapore, or Malaysia, while most of their work experience is in the U.S. at major companies. This may be to make it harder to verify their references and education history.

The Follow-Up

Background checks for known identities. These could include collection of biometric data for comparison against known identities. Using the known identities can then be checked against banking accounts since most banks require stringent identity checks before opening an account. Part of the background check could also require a notarized (or sworn affidavit) of identity.

Social profiles and employment profile pictures. Examples of DPRK IT workers utilizing AI-generated or modified pictures have been found. A great example can be seen in the KnowBe4 writeup where the original was found and compared. Open-source tools can be used to try and determine whether an image has been modified by AI.

References background checking. Organizations could apply the same scrutiny to confirming the backgrounds of the references provided. It is important not to rely on email addresses only. Social profiles can be checked, and a video call set up with the references to ask them about the candidate. These steps may also protect against non-DPRK IT workers using falsified references.

POST-EMPLOYMENT DETECTION

If a DPRK IT worker or another malicious insider manages to pass pre-employment screening, it’s not the end. Organizations still have plenty of chances to detect and stop potential harm. By correlating new joiners in the organization with human and cyber indicators, behavioral patterns like “multiple logins from different IP addresses” and “abnormal file repository access,” will have a higher risk profile which can trigger proactive investigations.

Initial Employment During Week 1

Corporate laptop shipment. Make sure that that the corporate laptop is shipped to the address that the individual claims they live based on their identification and their answers during onboarding. Companies may choose to use couriers that also require ID checks and signatures before handing over packages.

Video call IT onboarding. This provides another opportunity to confirm the visual appearance of the employee with what has been saved on file. While on the call request they read out the serial number from the laptop, or maybe an asset tag number, to confirm they are also physically in possession of the laptop.

Hardware tokens for MFA. Require the use of hardware tokens for MFA to enforce physical access to the laptops. This is effective in the case of a remote-based DPRK IT worker but may not work in other scenarios.

New Joiner from Week 2 to 6

Remote access tools. DPRK has been observed to install multiple and varied types of remote desktop access tools. Allowlisting is the best way to prevent the use of these tools. Alternatively, monitoring their installation and usage can provide early warning signs. These could include applications that have dual use like the example given in i³ Threat Advisory: Zoom ‘Screen share and Control’: A Third-Party Security Risk.

Monitor for multiple logins from different IP addresses. This could be over a short period of time or over the course of a week. This could also include a cross reference of the geolocation of the employee on file versus the location of the IP address. Organizations can use websites like AbuseIPDB to gain insight on locations and abuse reports for certain IP addresses.

Multiple identities. When using the corporate device DPRK IT workers may perform other tasks or if different users are remoting in may use different account identities. As covered in our i³ Threat Advisory: Detecting the Use of Multiple Identities there are mitigations to detect this through the use of personal webmail or other social accounts.

Preventing or monitoring peripheral devices. While DPRK has been observed using “mouse jiggling” software this could be prevented under the application allowlisting mitigation. Another could be the use of IP-based KVM. These devices require an encoder and decoder on either end to function and will be connected via USB and HDMI. By restricting USB ports, organizations could mitigate these devices, hardware based “mouse jigglers”, and even exfiltration through USB.

Unapproved VPN services. Organizations are advised to have their own VPN to connect to the corporate network. Monitoring the use of additional VPNs services, particularly those listed on the IOC list, should be further investigated. Review of the employee’s IP can also be investigated when they are not on the corporate network which could reveal a geolocation contrary to their supposed location.

Abnormal file repository reconnaissance. If the motivation behind the DPRK IT workers employment is data exfiltration, which according to a quote from Adam Meyers occurs in 50% of observed cases by CrowdStrike, then the precursor will be the insider performing reconnaissance for the files within corporate repositories. Reviewing abnormal or excessive searches in SharePoint or code repositories could indicate early warnings signs. This could then likely lead to aggregation over time or all at once when the reconnaissance has been completed.

Ongoing Monitoring, Week 7+

Company culture of cameras on. Many companies still have a significant remote workforce. Encouraging a culture of cameras on can provide benefits within the workforce but also allow for continued monitoring for malicious insiders that may have infiltrated the organization.

Continuous training. Articles like this and others which summarize current trends and threats can be used as training material for your employees. Parts of the post-employment detection section will be valuable to all employees like the company culture of cameras on and what to look out for, but other sections may be useful for specific teams like the IT security or HR teams.

INVESTIGATION

DTEX InTERCEPT Detections

Detecting malicious insiders is an ongoing challenge for organizations, especially when insiders have legitimate access to corporate networks and systems. This risk is heightened for IT workers who often have elevated privileges, including global administrator access. To mitigate this risk, organizations can adopt best practices such as segregating duties, implementing role-based access controls for admin accounts, and ensuring that not all IT administrators have access to security tools.

During their initial employment period, user behavior may indicate suspicious activities, such as unusual exploration of file or code repositories, which a malicious insider could then try to exfiltrate. This report also highlights leavers however, the focus of this iTA will be on the high-risk indicators associated with DPRK IT Workers during their initial period of employment which includes:

Unauthorized remote access tools
Anomalous geolocation of endpoints
Unauthorized mouse jigglers
Data hoarding
Negligent behavior alerts.

This content is classed as “limited distribution” and is only available to approved insider risk practitioners. Login to the customer portal to access the indicators or contact the i³ team to request access.

HIGH-RISK INDICATORS

The high-risk indicators that are correlated with new joiners will now be explained in more detail in sections below. These searches can be used independently by organizations to review any activity that may be suspicious even for employees who have been working there for longer.

Unauthorized Remote Access Tools

There are two categories for remote access tools, hardware-based keyboard, video, and mouse (KVM) over IP devices and software applications. The hardware based KVM may be more difficult to detect especially if default settings have been altered as we will get into below.

TinyPilot is a keyboard, video, and mouse KVM over IP device which means the organization’s laptops would be connected to this device via a visual port and a USB port to then allow the DPRK IT workers to control the device from anywhere else in the world.

Since there is no software or drivers on the corporate endpoint it becomes very difficult to monitor the use of this type of activity. Luckily thanks to TinyPilot’s own FAQ they do provide some insight into indicators that still may be possible.

By default (these can be changed through configuration settings), the following indicators apply:

Network identifier hostname is set to tinypilot.
Manufacture name for USB connections is set to tinypilot.
Serial number for USB connections is set to 6b65796d696d6570690.
If you have a Pro version and mount virtual media the target machine will see the USB drive name as TinyPilot.

The remaining remote access utilities are all in the class of software and have process indicators which can be leveraged on an endpoint for detection. Obviously if organizations use any of these as approved tools, then the security settings for each should be researched to prevent end users from using their personal accounts or even geolocation restrictions implemented. Preventing users from using personal accounts on organization approved tools was a mitigation control recommended in i³ Threat Advisory: Zoom ‘Screen share and Control’.

The following is a quick summary of the remaining remote access tools seen used by DPRK IT workers:

RustDesk touts itself as “the open source alternative to TeamViewer” which will run on Windows, MacOS, Linux, and more. The source code is freely available on GitHub which means DPRK operatives could alter some of the source code to remove the detectable indicators. By design the core ports used by RustDesk are TCP 21114-21119 and UDP 21116 which most organizations with network security may block outgoing traffic from those ports by default. RustDesk does not currently offer a way to configure these ports but suggests administrators utilize proxies. Use of proxy tools by new users could be an additional indicator along with unknown applications with network connections if they have managed to recouple the source code removing the indicators.

AnyDesk will run on Windows, MacOS, Linux, and more. The website provides easily downloadable installers. Network connections are made through standard TCP ports 80 and 443, it can also use TCP 6568. As long as one of these ports are open it will establish a connection.

GoTo (LogMeIn has rebranded) provides a remote desktop solution for both Windows and MacOS through installers that can be downloaded via their website, or a link can be provided which will download an installer. Network connections are made through TCP ports 80 or 443.

Google Chrome Remote Desktop provides remote desktop access on Windows, MacOS, Linux, and ChromeOS. At least on a Windows OS it requires, and extension added to the browser and then an additional executable is download and installed to allow the remote desktop functionality. It is then controlled through the browser and runs on network ports TCP 443 and UDP 3478.

The following queries can be used to look evidence of each of the remote access utilities mentioned above.

The final remote access that is currently mentioned in reporting is VS Code Dev Tunnels, since Visual Studio has many features that can be used it is recommended organizations understand their own use cases and if not required prevent the use of code tunnels. General templates can be found here with specific guidance around code tunnels found here.

Visual Studio overall is currently under research and we hope to be able to leverage detections through the use of HTTP Inspection Filtering (HIF) in the near future.

Unauthorized Mouse Jigglers

Mouse jigglers or other types of anti-screen locking technologies should be monitored for since “Mandiant has observed instances of DPRK IT workers using the Caffeine mouse jiggling software to remain active across several laptops and profiles.”, according to their report.

Monitoring for this type of software is valuable as it violates security policies and may be a form of timecard fraud by employees. DTEX i³ teams ongoing research into mouse jiggling technology is tracking both software and hardware-based solutions.

CONCLUSION

The current campaign of DPRK IT workers attempting to, and in some cases succeeding at infiltrating private organizations highlights the investment and lengths a nation state will go to achieve their objectives of funding weapons projects and corporate espionage. The good news is there is a significant amount an organization can implement to protect themselves at all stages of a malicious insider’s lifecycle, from pre-employment through to the initial couple of months.

While indicators like IP addresses and template resumes may change or become more sophisticated, correlating job history and personal data with cyber indicators and behaviors will help defenders gain a clear understanding of the organization and its workforce.

INVESTIGATIONS SUPPORT

For intelligence or investigations support, contact DTEX i³team. Extra attention should be taken when implementing behavioral indicators on large enterprise deployments.

Where to report if you think you have been targeted:

US – The FBI urges victims of DPRK IT workers, or those who suspect they may have been victimized, to report the suspicious activity to the FBI Internet Crime Complaint Center (IC3) at ic3.gov.

UK – For cyber incidents not classed as an emergency (citizens are first directed to call 999) it is recommended to contact the National Cyber Security Centre (NSCS) via this form.

AUS – For cyber incidents not classed as an emergency (citizens are first directed to call 000) it is recommended to contact the Australian Cyber Security Centre (ASCS) via this form.

NZ – For cyber incidents requiring immediate support call (04) 498 7654 alternately contact the National Cyber Security Centre (NSCS) via this form.