Here’s what to know about a recent spin on an insider threat – fake North Korean IT workers infiltrating western firms
Analysis Summary
# Threat Actor: North Korean Fake IT Workers (WageMole/UNC5267/Jasper Sleet Overlap)
## Attribution & Identity
The threat involves North Korean nationals gaining employment in Western firms by posing as legitimate IT workers. The related activity is tracked by ESET Research under the name **WageMole**, and overlaps with groups labeled **UNC5267** and **Jasper Sleet** by other researchers. Foreign individuals act as third-party facilitators for these operations.
## Activity Summary
This threat, in operation since at least April 2017 (according to an FBI wanted poster), involves infiltrating organizations by securing remote employment under stolen or fabricated identities. Recent examples include an incident in July 2024 where a North Korean worker successfully infiltrated a firm after passing four video interviews and background checks, only to be discovered manipulating files and attempting unauthorized software execution. The scale is significant, with the US government uncovering over 300 victimized companies between 2020 and 2022. Microsoft suspended 3,000 email accounts linked to these jobseekers. The focus has recently shifted beyond the US to include Europe (France, Poland, Ukraine), with the UK also being targeted.
## Tactics, Techniques & Procedures
- **Identity Spoofing/Fabrication:** Creating or stealing identities (including establishing associated email, social media, and developer platform profiles like GitHub) matching the target location.
- **Pre-Employment Deception:** Utilizing AI-driven techniques such as deepfake images, video manipulation, face swapping, and voice-changing software to disguise identity during interviews.
- **Facilitation:** Employing foreign facilitators to handle key setup tasks: creating job platform accounts, setting up bank accounts (or lending their own), buying local SIM cards, and validating fraudulent identities during background checks.
- **Insider Activity (Post-Infiltration):** Once hired, attempting to transfer potentially harmful files or execute unauthorized software.
- **Development Pretext (Related):** Overlapping activity linked to the **DeceptiveDevelopment** campaign involves tricking developers with fake jobs where the coding challenge projects actually contain trojanized code, allowing the actor to steal developer identities for use in fake worker schemes.
## Targeting
- **Sectors:** Broadly targeting technology and IT sectors, particularly firms needing remote workers (including Fortune 500 companies).
- **Geography:** Primarily the US, with recent expansion targets including Europe (France, Poland, Ukraine) and the UK.
- **Victims:** Over 300 companies victimized between 2020 and 2022 in the US alone. The security vendor KnowBe4 was cited as having observed a recent attempt.
## Tools & Infrastructure
- **Identity Cloaking:** Deepfake imagery, face swapping, voice changing software.
- **Infrastructure Support:** Use of bank accounts and mobile numbers/SIM cards procured by facilitators.
- **Malware Families Used:** Trojanized code embedded in pre-interview coding challenges (related to DeceptiveDevelopment).
- **Infrastructure (C2, domains, IPs):** Laptops may authenticate from **Chinese or Russian IP addresses** after infiltration.
## Implications
This represents a persistent and sophisticated form of insider threat where adversaries are exploiting global remote hiring trends, often leveraging advanced AI tools to defeat traditional identity verification methods. The objective is likely espionage, data theft, or sabotage once privileged access is granted. The involvement of external facilitators points to a well-organized, state-sponsored, or financially motivated criminal enterprise supporting these infiltrations.
## Mitigations
- **Enhance Pre-Hire Vetting:** Be hyper-vigilant during interviews. Treat claims of malfunctioning cameras or requests to turn off background filters as major red flags.
- **Deepfake Detection:** Actively look for visual glitches, stiff facial expressions, and audio/lip-sync errors during video interviews.
- **Cultural Context Checks:** Ask location- and culture-based questions concerning local customs (e.g., food or sports) to test the candidate's claimed origin.
- **Monitor Employee Behavior:** Watch for immediate red flags post-hire, such as swift downloading of Remote Monitoring and Management (RMM) software onto new laptops, work performed suspiciously outside normal office hours, and authentication originating from unusual locations (e.g., Chinese or Russian IPs).
- **Technical Monitoring:** Use insider threat tools to monitor for anomalous activity, specifically unusual logins, large file transfers, or atypical access patterns.
- **Containment Protocol:** If infiltration is suspected, limit access to sensitive resources cautiously to avoid tipping off the actor, preserve evidence, and only involve a small, trusted team from IT security, HR, and legal before reporting to law enforcement.
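As an added illustration of the behavioral and technical monitoring mitigations above (example code, not from the original report or from ESET): a small Python rule set that scans constructed authentication, process and file-transfer log lines for new hires and flags the red flags the report names (logins from Chinese or Russian IPs, RMM software on a brand-new laptop, off-hours activity, large transfers). The roster, log format, process names, time window and thresholds are assumptions.

```python
# Added example (not from the report): flag the post-hire red flags listed above.
# Log lines, field names and thresholds are constructed/assumed, not from the source.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed roster: user -> (hire date, country the candidate claimed to work from)
ROSTER = {"jdoe": (datetime(2024, 7, 1), "US"), "asmith": (datetime(2023, 2, 10), "US")}
# RMM process names a brand-new laptop should not need (assumed list)
RMM_PROCESSES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "screenconnect.clientservice.exe"}
UNEXPECTED_GEO = {"CN", "RU"}     # authentication origins the report calls out
NEW_HIRE_WINDOW = timedelta(days=14)
OFF_HOURS = range(0, 6)           # local hours treated as outside normal office hours
LARGE_TRANSFER = 1_000_000_000    # bytes

# Constructed events in the form "timestamp|user|event|key=value"
EVENTS = """\
2024-07-02T03:15:00|jdoe|auth|geo=CN
2024-07-02T10:05:00|jdoe|process|name=anydesk.exe
2024-07-03T14:00:00|asmith|auth|geo=US
2024-07-04T02:30:00|asmith|file_transfer|bytes=5200000000
2024-07-05T11:00:00|jdoe|auth|geo=US
""".splitlines()

@dataclass(frozen=True)
class Finding:
    user: str
    rule: str
    detail: str

def parse(line):
    ts, user, event, detail = line.split("|")
    return datetime.fromisoformat(ts), user, event, detail.partition("=")[2]

def evaluate(lines, roster=ROSTER):
    """Return one Finding per matched rule; a single event can trigger several."""
    findings = []
    for line in lines:
        ts, user, event, val = parse(line)
        hired, claimed = roster[user]
        is_new_hire = ts - hired <= NEW_HIRE_WINDOW
        if event == "auth" and val in UNEXPECTED_GEO and val != claimed:
            findings.append(Finding(user, "auth_from_unexpected_geo", val))
        if event == "process" and is_new_hire and val.lower() in RMM_PROCESSES:
            findings.append(Finding(user, "rmm_install_on_new_laptop", val))
        if ts.hour in OFF_HOURS:
            findings.append(Finding(user, "off_hours_activity", ts.isoformat()))
        if event == "file_transfer" and int(val) >= LARGE_TRANSFER:
            findings.append(Finding(user, "large_file_transfer", val))
    return findings
```

Findings for a user inside the new-hire window should be routed to the small, trusted team the containment protocol describes rather than to the user's own manager or ticket queue.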