
Features 05.08.2025
The Rise and Risk of the Fake Employee: How CISOs Respond
North Korean IT workers are laying down virtual roots in the West.
Human ingenuity seems to thrive in adversity. For a hermit nation starved of most legitimate ways to enrich itself – short of arms sales and military cooperation – North Korea has found some innovative workarounds. First came a wave of cyber-heists targeting banks and cryptocurrency firms. Now it is complementing these raids with a newer scheme: finding overseas employment for its IT workers.
The challenge for Western firms, and increasingly those in the UK, is rooting out these wrongdoers before they get through the virtual door – and gain privileged access to the corporate crown jewels.
According to Microsoft, the North Korean government’s “fraudulent remote worker scheme” has been around since at least 2020, placing thousands of IT workers in employment. Initially focused on US technology, critical manufacturing and transportation sector companies, there are signs that it’s expanding its reach and evolving its tactics to stay under the radar. That’s bad news for those organisations targeted, who are effectively subsidising an autocratic state’s nuclear and missile programme, while exposing themselves to the risk of extortion and data theft.
The scheme, which Microsoft dubs “Jasper Sleet” (Storm-0287), involves IT workers usually located in China or Russia.
“They create, rent, or procure stolen identities that match the geo-location of their target organisations (for example, they would establish a US-based identity to apply for roles at US-based companies), create email accounts and social media profiles, and establish legitimacy through fake portfolios and profiles on developer platforms like GitHub and LinkedIn,” Microsoft explains.
“Facilitators play a crucial role in validating fraudulent identities and managing logistics, such as forwarding company hardware and creating accounts on freelance job websites. To evade detection, these workers use VPNs, virtual private servers (VPSs), and proxy services as well as RMM tools to connect to a device housed at a facilitator’s laptop farm located in the country of the job.”
Increasingly, they’re also using AI tools, such as deepfake images, face-swapping features and voice-changing software, to hide their true identity. This is what tricked security vendor KnowBe4 into hiring a software engineer from North Korea. Last December, the firm revealed how the worker passed four separate video conference-based interviews, as well as a background and pre-hiring check. He used an AI-enhanced photo combined with a stolen identity to do so, and was only stopped after the firm detected him attempting to plant malware on a company PC.
“I think the biggest lesson we learned is that this threat is greater and has been operating far longer than most people think. No region or organisation is immune,” KnowBe4 CISO Brian Jack tells Assured Intelligence. “It is likely that by the time you start to hear about a threat, it is already established. I believe that the DPRK IT worker threat has been operating across Europe for some time and it is just now getting some attention.”
The scale of the challenge is surprisingly great. Microsoft says the US government found that over 300 domestic companies, including several Fortune 500 firms, had unwittingly fallen victim. One indictment from January charges two North Korean nationals and three facilitators for generating revenue of $866,255 from 10 of at least 64 companies they worked at.
Another, from June, describes 29 known or suspected “laptop farms” across 16 states, and a conspiracy by several Chinese, US and Taiwanese nationals to facilitate remote IT work at over 100 US companies. That scheme resulted in losses of $3m. In one case, a fake IT worker accessed sensitive data and source code related to AI technology used at a defence contractor.
Microsoft in June suspended 3,000 Outlook and Hotmail accounts it believes were created by North Korean IT workers. The bad news is that as the US gets wise to the threat, it is beginning to cross the Atlantic. Google warned recently that UK companies in particular are being singled out.
“Europe needs to wake up fast,” argues Jamie Collier, lead threat intelligence advisor, Europe, at Google Threat Intelligence Group. “Despite being in the crosshairs of IT worker operations, too many perceive this as a US problem. North Korea’s recent shifts likely stem from US operational hurdles, showing IT workers’ agility and ability to adapt to changing circumstances.”
Collier tells Assured Intelligence that this is just the latest pivot by Pyongyang in what has been a “decade of diverse cyber attacks”, that began with targeting the SWIFT payments network and more recently turned to massive crypto theft. He warns: “This relentless innovation demonstrates a longstanding commitment to fund the regime through cyber operations.”
Microsoft has shared a lengthy list of steps that organisations can follow to help mitigate the risks outlined above. Its three-point plan involves: proper vetting of freelance workers and vendors; improved monitoring for anomalous activity, such as remote-management tooling on corporate devices and sign-ins routed through VPN or hosting infrastructure; and following incident response workflows with the insider risk team. Yet the tactics, techniques and procedures (TTPs) are evolving all the time – especially the use of AI.
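To make the “monitoring for anomalous activity” step concrete, the script below is an added example written for this article; it is not Microsoft’s, KnowBe4’s or any vendor’s tooling. It runs three heuristics drawn from the TTPs described above over a handful of constructed sign-in and process events: a remote-management tool launched on a managed laptop, several employee accounts sharing one egress IP (how a facilitator’s laptop farm looks from the sign-in logs), and a sign-in from an address range your threat intelligence tags as VPN, VPS or proxy infrastructure. The process-name list, the flagged IP range and the event records are all assumptions for illustration.

```python
"""Heuristic triage for the laptop-farm / remote-access pattern.

Added example for this article, not Microsoft's or KnowBe4's code. The log
events and IP ranges below are constructed for illustration.
"""
from collections import defaultdict
import ipaddress

# Assumption: executable names of common remote-management / remote-desktop
# tools. Substitute the list your own estate treats as unsanctioned.
RMM_PROCESSES = {
    "anydesk.exe", "teamviewer.exe", "rustdesk.exe", "tv_w32.exe",
    "screenconnect.windowsclient.exe", "splashtopstreamer.exe",
}

# Assumption: egress ranges your VPN/VPS/proxy intelligence flags. The
# documentation range 203.0.113.0/24 stands in for a hosting provider here.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample telemetry: sign-ins and process starts on corporate laptops.
# Three different users behind one broadband-looking IP is the laptop-farm tell.
EVENTS = [
    {"kind": "signin", "user": "alice", "host": "LT-0441", "ip": "198.51.100.10"},
    {"kind": "signin", "user": "bob", "host": "LT-0442", "ip": "198.51.100.10"},
    {"kind": "signin", "user": "carol", "host": "LT-0443", "ip": "198.51.100.10"},
    {"kind": "signin", "user": "dave", "host": "LT-0500", "ip": "203.0.113.7"},
    {"kind": "signin", "user": "erin", "host": "LT-0510", "ip": "192.0.2.55"},
    {"kind": "process", "user": "alice", "host": "LT-0441", "process": "AnyDesk.exe"},
    {"kind": "process", "user": "erin", "host": "LT-0510", "process": "Code.exe"},
]


def rmm_launches(events):
    """(user, host, process) for every known remote-management tool started."""
    return sorted(
        (e["user"], e["host"], e["process"])
        for e in events
        if e["kind"] == "process" and e["process"].lower() in RMM_PROCESSES
    )


def shared_egress_ips(events, min_users=3):
    """Egress IPs used by at least `min_users` distinct accounts.

    A facilitator hosting several company laptops at one address shows up as
    one source IP carrying sign-ins for several unrelated employees.
    """
    users_by_ip = defaultdict(set)
    for e in events:
        if e["kind"] == "signin":
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def hosting_signins(events):
    """(user, ip) for sign-ins sourced from a flagged VPN/VPS/proxy range."""
    hits = []
    for e in events:
        if e["kind"] != "signin":
            continue
        addr = ipaddress.ip_address(e["ip"])
        if any(addr in net for net in HOSTING_RANGES):
            hits.append((e["user"], e["ip"]))
    return hits


def triage(events):
    """Run all three heuristics; each finding names the rule and the account."""
    findings = []
    for user, host, proc in rmm_launches(events):
        findings.append({"rule": "rmm_tool", "user": user, "detail": f"{proc} on {host}"})
    for ip, users in shared_egress_ips(events).items():
        for user in users:
            findings.append({"rule": "shared_egress", "user": user,
                             "detail": f"{ip} shared by {', '.join(users)}"})
    for user, ip in hosting_signins(events):
        findings.append({"rule": "hosting_range", "user": user, "detail": ip})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['rule']}] {f['user']}: {f['detail']}")
```

None of these rules is conclusive on its own: a legitimate household with two employees of the same company will trip the shared-IP rule, and a sanctioned support team may run an RMM client. The value is in handing the combined findings to the insider risk team, where an RMM launch from a laptop that was shipped to a “home” address also serving two other new hires is worth a call to the worker on a verified phone number.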
Dominic Forrest, CTO at London-based security vendor iProov, warns that 62% of IT decision makers are concerned their organisation isn’t doing enough to counter deepfake threats. He tells Assured Intelligence that even some forms of multi-factor authentication (MFA) can be undermined by sophisticated actors.
“Businesses must consider the full lifecycle of worker authentication: from the first time a candidate is contacted for an interview and onboarding, to regular identity checks and complete offboarding. The primary and most critical step for CISOs is to implement robust, modern authentication measures that incorporate strong factors,” he adds.
“Specifically, CISOs should consider biometric MFA with liveness detection which makes sure the right worker is authenticating, not just anyone using that worker’s credentials. This is crucial because, unlike static methods that can be bypassed, liveness verification confirms a live human is present in real-time, not a photo, video, or AI-generated fake.”
KnowBe4’s Jack argues that DPRK threat actors are finding it too easy to get around routine employee and third-party screening, and fixing it demands closer collaboration between IT security and HR functions.
“The hiring teams need to be trained on detecting the threat in the same manner that infosec teams are,” he says. “Perform a stronger identity verification check in combination with routine background checks for new hires. Change up some interview questions to be more personable, and validate aspects of the person and not just the technical background and business skill.”
Above all, CISOs need to understand that this is not a niche threat, Jack warns.
“I urged the CISOs that I have spoken with, who didn’t believe they were affected, to check out their talent pipeline for any remote engineering or technology positions,” he concludes. “Once they knew some things to check on a resume or application they realised they were fielding resumes from DPRK IT workers and didn’t even know.”