An American collaborator assisting fake North Korean IT workers to secure jobs at US companies generated approximately $7 million in revenue over three years, underscoring the profitability of a growing threat with serious nuclear weapons implications.
According to fresh documentation from Google’s Mandiant unit, the revenue generated by the fake IT worker scheme can be substantial: a single American facilitator helped compromise over 60 identities, impacting 300 companies and generating $6.8 million in illicit revenue between 2020 and 2023.
The calculation comes as more US companies admit to falling victim to a sophisticated ruse that has seen the North Korean government infiltrating thousands of US tech companies using stolen identities, fabricated resumes, and shell companies to help IT workers secure remote jobs.
The goal is to generate revenue for the North Korean regime, evade international sanctions, and fund its nuclear and ballistic missile programs, Mandiant said in a report that tags the operation as UNC5267.
Mandiant revealed that UNC5267, though not a centralized group, consists of operators primarily based in China and Russia who often hold multiple jobs simultaneously, using sophisticated evasion tactics like front companies and money laundering, facilitated by intermediaries or “facilitators.”
In one prominent case, security awareness training firm KnowBe4 said a North Korean operative posing as a software engineer slipped past its hiring background checks and spent the first 25 minutes on the job attempting to plant malware on a company workstation.
KnowBe4 said its security team detected suspicious activities coming from a newly hired Principal Software Engineer’s workstation and quickly determined the malicious insider was using a Raspberry Pi to download malware, manipulate session history files, and execute unauthorized software.
While Mandiant has not observed direct espionage or destructive activity, the company warns that IT workers often gain elevated access to company systems and may have the ability to modify code and administer network systems, posing a long-term threat of exploitation or disruption.
Mandiant’s latest revelations include screenshots of fake identities, AI-generated profile pictures, and fraudulent identities featuring stolen details. The resumes include fabricated educational backgrounds and previous work experience, making detection difficult during traditional hiring processes.
Once they land a job, Mandiant notes that the fake workers remotely access victim company laptops situated within a laptop farm staffed with a single facilitator who is paid monthly to host numerous devices in one location.
“Mandiant has identified evidence that these laptops are often connected to an IP-based Keyboard Video Mouse (KVM) device, although a recurring theme across these incidents is the installation of multiple remote management tools on victim corporate laptops immediately following shipment to the farm,” the company said.
“These indicate that the individual is connecting to their corporate system remotely via the internet, and may not be geographically located in the city, state, or even country in which they report to reside,” Mandiant said, noting the use of prominent remote administration tools like GoToRemote / LogMeIn, Chrome Remote Desktop, AnyDesk, TeamViewer and RustDesk.
Mandiant said connections to these remote management solutions primarily originated from IP addresses associated with Astrill VPN, likely originating from China or North Korea.
“Feedback from team members and managers who spoke with Mandiant during investigations consistently highlighted behavior patterns, such as reluctance to engage in video communication and below-average work quality exhibited by the DPRK IT worker remotely operating the laptops,” the company said.
Mandiant’s threat hunters also flagged another common characteristic where the North Korean workers typically claimed to live in one location, but requested laptop shipment to another location (laptop farm). “We have observed the DPRK IT workers using the location associated with the stolen identity used for employment, including the stolen driver’s license, which often doesn’t match the location where the laptop is ultimately shipped and stored.”
The company urged targeted companies to implement stringent background checks, including biometric verification, require on-camera interviews, and monitor for the use of AI-generated photos.
As a mitigation, organizations should also monitor for abnormal use of remote administration tools and VPN services, conduct periodic spot checks for remote workers to verify physical presence, and train HR and IT teams to identify potential red flags in the hiring process.
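The three indicators Mandiant describes (laptop shipped somewhere other than the claimed residence, remote administration tools installed right after shipment, and sessions arriving from commercial VPN exits) can be correlated across HR, endpoint and access logs. The script below is an added example, not Mandiant’s or KnowBe4’s code; the hire records, install events, session records and the VPN prefix (an RFC 5737 documentation range) are all constructed.

```python
# Heuristics for the laptop-farm indicators discussed above.  Added example,
# not Mandiant's or KnowBe4's code; all records below are constructed.
from datetime import date

# Remote administration tools named in the report (matched case-insensitively).
REMOTE_ADMIN_TOOLS = {"gotoremote", "logmein", "chrome remote desktop",
                      "anydesk", "teamviewer", "rustdesk"}
# Constructed VPN exit prefix (RFC 5737 documentation range); a real deployment
# would load provider ranges from a maintained feed instead.
VPN_EXIT_PREFIXES = ("203.0.113.",)

# Constructed HR, endpoint and access records for two new hires.
HIRES = [
    {"user": "jdoe", "claimed_state": "TX", "ship_state": "AZ", "shipped": date(2024, 3, 1)},
    {"user": "asmith", "claimed_state": "OH", "ship_state": "OH", "shipped": date(2024, 3, 1)},
]
INSTALL_EVENTS = [
    {"user": "jdoe", "product": "AnyDesk", "ts": date(2024, 3, 2)},
    {"user": "jdoe", "product": "RustDesk", "ts": date(2024, 3, 3)},
    {"user": "asmith", "product": "Slack", "ts": date(2024, 3, 2)},
]
SESSIONS = [
    {"user": "jdoe", "src_ip": "203.0.113.7"},
    {"user": "asmith", "src_ip": "198.51.100.4"},
]

def flag_hire(hire, installs, sessions, window_days=3):
    """Return the list of indicators matching one hire (empty if none)."""
    reasons = []
    # 1. Laptop shipped somewhere other than the claimed residence.
    if hire["claimed_state"] != hire["ship_state"]:
        reasons.append("shipping address differs from claimed residence")
    # 2. Remote admin tooling installed within a few days of shipment.
    early = sorted({e["product"] for e in installs
                    if e["user"] == hire["user"]
                    and e["product"].lower() in REMOTE_ADMIN_TOOLS
                    and 0 <= (e["ts"] - hire["shipped"]).days <= window_days})
    if early:
        reasons.append("remote admin tools installed within %d days of shipment: %s"
                       % (window_days, ", ".join(early)))
    # 3. Sessions arriving from known commercial VPN exit addresses.
    vpn = sorted({s["src_ip"] for s in sessions if s["user"] == hire["user"]
                  and s["src_ip"].startswith(VPN_EXIT_PREFIXES)})
    if vpn:
        reasons.append("sessions from VPN exit IPs: " + ", ".join(vpn))
    return reasons

def triage(hires=HIRES, installs=INSTALL_EVENTS, sessions=SESSIONS):
    """Map each new hire to the indicators that fired, for analyst review."""
    return {h["user"]: flag_hire(h, installs, sessions) for h in hires}
```

A hire with all three indicators warrants the on-camera and physical-presence checks the article recommends; a single hit on its own is a prompt to look closer, not a verdict.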