4 Sources
[1]
North Koreans Still Working Hard to Take Your IT Job: 'Any Organization Is a Target'
What are the chances your company accidentally hired a North Korean hacker? At the RSAC Conference in San Francisco, the FBI and security experts warned that the threat is widespread, despite ongoing efforts to crack down. "In the last 90 days, we've seen over 90 incidents. So you're looking at about one per day," said Adam Meyers, SVP for intelligence at cybersecurity vendor CrowdStrike. "Those are high-paying developer jobs, [so] you're seeing millions of dollars" flowing to the North Korean regime. Microsoft security analyst Greg Schloemer echoed that warning. "We continue to see a real high volume of this activity," he said, despite the FBI and cybersecurity community becoming more vocal about the problem. "Any organization is a target," he added. "There may be a misconception that large organizations are particularly vulnerable. But we have seen five-person teams fall victim to this kind of activity." While it's difficult to quantify the threat, "Microsoft is tracking somewhere in the order of thousands of personas and identities that are used by North Korean IT worker operators," Schloemer said. "So, it's certainly a high volume operation." In addition, uncovering one North Korean IT worker scam can often reveal many others. A year ago, CrowdStrike kicked off an effort to hunt malicious insiders at companies, Schloemer said. That investigation discovered 30 organizations victimized by an insider threat that law enforcement had recently uncovered at a defense company. "Lo and behold, we found every single customer that we spoke to told us it was a true positive," Meyers said. In some cases, victim companies had ignored signs that they had accidentally hired a North Korean as a remote IT employee for as long as 14 months. During the RSAC panel, FBI agent Elizabeth Pelker also mentioned facing "200 plus victim notifications" as investigators uncovered more North Korean IT worker schemes last year. 
The threat has also proliferated with the help of US-based residents. North Koreans will pay these middlemen to receive and set up corporate laptops sent from their employers, sometimes unaware that they're helping malicious hackers. "Generally, these individuals have been recruited online to host these laptops, thinking that overseas actors are based in China, and that they're just doing these guys a favor," Pelker said. "It starts with maybe one or two laptops, and then we'll see upwards of 90 laptops at one person's residence." In some cases, the North Korean IT workers perform the bare minimum. But in other cases, they are excellent workers. "More often than not, I always get the comment, 'Oh, but Johnny is our best performer. Do we actually need to fire him?'" Pelker said. Hiring North Korean workers poses a grave security threat, of course. Operatives steal confidential data from victim companies with the goal of blackmailing their employers. RSAC panelists warned that the same access and data could be handed off to North Korea's more elite state-sponsored hackers, who specialize in cyberespionage. To pull off the scheme, the North Koreans harness generative AI to help them create numerous fake LinkedIn profiles seemingly loaded with real photos and career histories. They can then use elaborate AI-powered deepfakes during video call interviews to change their faces in real-time, said Chris Horne, director of safety and trust at Upwork. "The people who are actually going through the interview themselves are highly trained, they know exactly the kind of questions they'll be asked," he said. Schloemer said it's vital that companies scrutinize any employees from third-party recruiting firms, which may have more opaque hiring processes. "Third-party staffing firms are probably the largest vector for these actors to gain access to your organization," he said.
Meanwhile, Meyers said companies can consider asking during a job interview, "How fat is Kim Jong Un," to see if the employee is willing to malign the leader of North Korea. "They terminate the call instantly," he said. "That actually does have some merit when you ask that question."
[2]
To Land Remote Jobs, North Koreans Use AI for Mock Interviews
North Korean hackers are increasingly using AI tools to help scam their way into remote IT jobs. Okta, which provides sign-in services for thousands of businesses, has been investigating what online services North Koreans use to help them secure remote IT jobs, despite US sanctions. Its findings, released today, suggest that North Koreans are leaning on generative AI services to find jobs, apply for them, and support them during the interview process. Okta paid special attention to the middle-men "facilitators" that North Koreans hire to help them nab the jobs. For example, federal investigators arrested two US citizens in January for doing just that. Last year, another man in Nashville, Tennessee, was arrested for running a "laptop farm" to help North Korean workers pretend to be US-based IT workers. Okta says these facilitators have been found using a variety of generative AI services that can help streamline the North Koreans' fraudulent activities. For instance, one AI service offered "unified messaging," letting a user manage multiple mobile phone accounts, instant messaging accounts, and email accounts. In other cases, facilitators used "services that provide 'AI Superpowers' to job applicants to help them 'outsmart employers' robots,' in order to improve the chances of a job application successfully progressing past the automated CV/resume scans used in recruiting platforms," Okta said. The research also spotted the facilitators accessing services that offer AI programs that can conduct mock interviews and provide tips on how to improve. Okta suspects the North Koreans were also using these services to test-run their AI-powered deepfakes, which can mask their real identity during a video call. Increasingly, HR firms have spotted scammers using such deepfakes to face-swap their identity, even during real-time video calls.
"The scale of observed operations suggests that even short-term employment for a few weeks or months at a time can, when scaled with automation and GenAI, present a viable economic opportunity for the DPRK [Democratic People's Republic of Korea]," Okta concluded. According to federal investigators, North Koreans are obtaining the remote IT jobs to generate funds for their country's government. In some cases, the North Koreans will even steal confidential data from their employer and demand a ransom. In response, the FBI and cybersecurity vendors are urging companies to strictly vet candidates for remote jobs. Okta didn't elaborate on how it investigated the fraudulent remote IT worker schemes. But the report mentions that it was able to observe such activities through Okta login pages.
[3]
There's one question that stumps North Korean fake workers
FBI and others list how to spot NK infiltrators, but AI will make it harder
RSAC Concerned a new recruit might be a North Korean stooge out to steal intellectual property and then hit an org with malware? There is an answer, for the moment at least. According to Adam Meyers, CrowdStrike's senior veep in the counter adversary division, North Korean infiltrators are bagging roles worldwide throughout the year. Thousands are said to have infiltrated the Fortune 500. They're masking IPs, exporting laptop farms to America so they can connect into those machines and appear to be working from the USA, and they are using AI - but there's a question during job interviews that never fails to catch them out and forces them to drop out of the recruitment process. "My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly, because it's not worth it to say something negative about that," he told a panel session at the RSA Conference in San Francisco Monday. Meyers explained the North Koreans will use generative AI to develop bulk batches of LinkedIn profiles and applications for remote work jobs that appeal to Western companies. During an interview, multiple teams will work on the technical challenges that are part of the interview while the "front man" handles the physical side of the interview, although sometimes rather ineptly. "One of the things that we've noted is that you'll have a person in Poland applying with a very complicated name," he recounted, "and then when you get them on Zoom calls it's a military age male Asian who can't pronounce it." But it works enough that quite a few score the job and millions of dollars are being funneled back to North Korea via this route.
Once placed in the coveted role, such workers are usually very successful in the company, since they have multiple people working on one job to produce the best work possible - with the hope of getting promotion and more access to the business' systems - explained panelist FBI Special Agent Elizabeth Pelker. "I think more often than not, I get the comment of 'Oh, but Johnny is our best performer. Do we actually need to fire him?'" she said. The aims of these phony workers are two-fold, she explained. Firstly, they earn a wage and use their access to steal intellectual property from the victim. This is usually exfiltrated in tiny chunks so as to not trigger security systems. One mitigation strategy, she said, was to insist that any interviewee perform coding tests within the corporate environment. These allow the actual IP being used to get checked, interviewers to see how often the prospect is switching between screens, and can allow other clues to leak out that all is not as it seems. If the interloper is exposed and fired, however, they will usually have already collected login details, planted unactivated malware, and will then attempt to extort the maximum they can from the victim. She urged anyone who spots a fake employee to contact their local FBI field office immediately. But the attackers are getting smarter, and in some ways the FBI is a victim of its own success. The agency has been distributing advice to US companies but these memos are also being read in Pyongyang and the workers are adapting their tactics. This sometimes involves using both aware and unwitting accomplices. For example, to get around the IP address problem, laptop farms are springing up over America. If an applicant gets a job, the firm will usually send him a laptop, at which point the interviewee explains that they've moved or have a family emergency, so could they send it to a new address please?
This is most likely a laptop farm, where someone in the US agrees to run the laptop from a legitimate address for a fee, typically around $200 a computer, according to Meyers. Last year the FBI busted one such operation in Nashville, Tennessee, and charged the operator with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft, and conspiracy to cause the unlawful employment of aliens. Rather than creating identities, the North Korean workers have now taken to either stealing the ones they want, or fooling people into handing them over for a good cause. There's a growing business in Ukraine of convincing people to share their identity with third parties under the pretext of using them against Chinese agents who are propping up Russia. "Unfortunately, because this is supporting North Koreans, the money then goes back through to filter through to North Korea regime," said Chris Horne, senior director at jobs site Upworthy. "Then, in turn, it goes to support the troops that come back in through Russia. So they're basically paying for their own demise in Ukraine right now." We've also seen deepfake job interviewees that are good enough to fool IT professionals, sometimes more than once. This technology is only improving and will get more and more convincing, Pelker warned. The key to fixing this, the panelists agreed, was to educate everyone in the interview process - right down to the lowest staffer - and to be hyper vigilant for warning signs. If possible, they said, one should have someone local swing around for a personal meeting, and maybe also avoid hiring fully remote employees. ®
[4]
North Korean hackers are using advanced AI tools to help them get hired at Western firms
This is an escalation from an existing fake interview campaign
New research from Okta has revealed that hackers from the Democratic People's Republic of Korea (DPRK) are using generative AI in their malicious interview campaign - a series of tactics that involve gaining employment in remote technical roles in western firms, usually in industries with sensitive security data like defense, aerospace, or engineering. This isn't the first time North Korean fake job hackers have gone the extra mile with their campaigns, but the new research has found that GenAI is playing an integral role in the employment schemes. The AI models are used to "create compelling personas at numerous stages of the job application and interview process" and then, once hired, GenAI is again used to assist in maintaining multiple roles, all earning revenue for the state. AI was used by these hackers in a number of ways, including generating CVs and cover letters, conducting mock interviews via chat and webcam, translating and summarising messages, as well as managing communications for multiple jobs from different accounts and services. To assist, the hackers have a sophisticated network of 'facilitators' that provide in-country support, technical infrastructure, and "legitimate business cover" - helping the North Koreans with domestic addresses, legitimate documents, and support during the recruitment process. The campaign is growing ever more sophisticated, especially given that hackers are now using both sides of the job seeking process, targeting job seekers with fake interviews, in which they deliver malware and infostealers. These elaborate schemes often start on legitimate platforms like LinkedIn or Upwork - with the attackers reaching out to victims to discuss potential opportunities. Anyone on the job hunt or in the hiring process should be extra vigilant about who they are speaking to, and should be careful not to download any unfamiliar software.
North Korean operatives are using advanced AI tools to secure remote IT positions in Western companies, posing significant security risks and financial threats.
North Korean hackers are increasingly infiltrating Western companies by securing remote IT jobs, leveraging advanced AI tools to bypass security measures. This sophisticated operation poses significant risks to organizations across various sectors, from small startups to Fortune 500 companies [1][2].
The FBI and cybersecurity experts warn that the threat is widespread and persistent. CrowdStrike reports over 90 incidents in the last 90 days, with millions of dollars potentially flowing to the North Korean regime [1]. Microsoft is tracking thousands of personas and identities used by North Korean IT worker operators, indicating a high-volume operation [1].
North Korean operatives are harnessing generative AI to create convincing fake profiles and enhance their job-seeking capabilities:
The hackers employ various tactics to secure and maintain their positions:
Once employed, North Korean operatives pursue multiple goals:
Organizations can implement several measures to mitigate the risk:
As AI technology advances, the sophistication of these attacks is likely to increase. Deepfake technology is improving, making it more challenging to detect fraudulent video interviews [3]. This escalating threat underscores the need for continued vigilance and adaptive security measures in the hiring process and beyond.
Summarized by
Navi