Pierluigi Paganini
March 04, 2025
In an increasingly connected and digitalized world, companies are facing new security challenges. The insider threat, or the risk that an employee could harm the company, is a growing concern. This risk is amplified by the phenomenon of digital nomads and smart working, where employees may never physically meet.
Hiring practices are the first line of defense against insider threats. A thorough screening process can help identify potential risks before they become real problems. According to a report by the Intelligence and National Security Alliance, engaging the human resources department in a multidisciplinary approach to monitoring and mitigating insider threats is critical. This approach not only considers technical indicators, but also human behavioral factors.
Infiltrations
In recent years, North Korea has developed a sophisticated strategy to infiltrate Western companies through highly skilled IT workers. These individuals, often operating under false identities, are able to obtain remote positions or freelance contracts, contributing both to the North Korean regime’s illicit revenue and cyber espionage activities.
In a report, cybersecurity firm Secureworks exposed a tactic employed by the North Korean hacker group known as Nickel Tapestry. Using stolen or fake identities to fool HR departments at companies in the United States, the United Kingdom, and Australia, the fake workers often applied for developer positions, using a variety of tactics to evade and conceal their locations and intentions. For example, they requested changes to delivery addresses for company laptops, sometimes expressing a preference for using personal laptops and virtual desktop infrastructure setups, following a scheme previously reported by the FBI. In essence, after infiltrating companies by posing as legitimate smart workers, they stole sensitive data and then demanded a ransom. In one particular case, the report believe that a single individual adopted multiple personas to promote the scam, using a “Laptop Farm” specifically configured to hide the real geolocation of the various remote workstations.
Last summer, finally, North Korean hackers allegedly attempted another hiring scheme, this time targeting a well-known cybersecurity company based in the United States. In this case, the infiltrator, after managing to obtain a job as an IT worker, allegedly managed to install malware on a Mac workstation provided by the company, with the intent of compromising the systems.
“The way it works is this: The fake worker asks to have their workstation delivered to an address that is basically an IT mule laptop farm. They then connect via VPN from wherever they are physically located (North Korea or across the border in China) and work at night so that it appears as if they are working during the day in the United States. The scam is that they actually get paid well and give a large amount of money to North Korea to fund their illegal programs,” explains Stu Sjouwerman of Knowbe4, “Our audits caught it, but it was definitely a learning moment that I am happy to share with everyone.”
Implications
The infiltration of IT workers with fraudulent or espionage purposes and perhaps belonging to “nation-state” affiliations poses a serious threat to national and corporate security. These individuals not only generate significant revenue for their regime, but can also access sensitive and critical information, putting the cybersecurity of the victim companies at risk. To avoid the infiltration of these moles, companies can take measures such as implementing more rigorous vetting processes to confirm the identity and qualifications of candidates, using monitoring tools to detect suspicious or unauthorized activity in company systems, and educating human resources employees on the risks associated with infiltration and how to recognize potential threats.
In conclusion, strengthening hiring practices is essential to protecting companies from insider threats. A holistic approach involving HR, security, and other stakeholders can create a safe and productive work environment. In an era of digital nomads and remote working, it is more important than ever to be vigilant and proactive in managing internal risks.
About the author: Salvatore Lombardo (X @Slvlombardo)
Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazine on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, risk)
