RSAC Concerned a new recruit might be a North Korean stooge out to steal intellectual property and then hit an org with malware? There is an answer, for the moment at least.
According to Adam Meyers, CrowdStrike’s senior veep in the counter adversary division, North Korean infiltrators are bagging roles worldwide throughout the year. Thousands are said to have infiltrated the Fortune 500.
They’re masking IPs, exporting laptop farms to America so they can connect into those machines and appear to be working from the USA, and they are using AI – but there’s a question during job interviews that never fails to catch them out and forces them to drop out of the recruitment process.
“My favorite interview question, because we’ve interviewed quite a few of these folks, is something to the effect of ‘How fat is Kim Jong Un?’ They terminate the call instantly, because it’s not worth it to say something negative about that,” he told a panel session at the RSA Conference in San Francisco Monday.
Meyers explained the North Koreans will use generative AI to develop bulk batches of LinkedIn profiles and applications for remote work jobs that appeal to Western companies. During an interview, multiple teams will work on the technical challenges that are part of the interview while the “front man” handles the physical side of the interview, although sometimes rather ineptly.
“One of the things that we’ve noted is that you’ll have a person in Poland applying with a very complicated name,” he recounted, “and then when you get them on Zoom calls it’s a military age male Asian who can’t pronounce it.” But it works enough that quite a few score the job and millions of dollars are being funneled back to North Korea via this route.
Once placed in the coveted role, such workers are usually very successful in the company, since they have multiple people working on one job to produce the best work possible – with the hope of getting promotion and more access to the business’ systems – explained panelist FBI Special Agent Elizabeth Pelker.
“I think more often than not, I get the comment of ‘Oh, but Johnny is our best performer. Do we actually need to fire him?’” she said.
The aims of these phony workers are two-fold, she explained. Firstly, they earn a wage and use their access to steal intellectual property from the victim. This is usually exfiltrated in tiny chunks so as to not trigger security systems.
One mitigation strategy, she said, was to insist that any interviewee perform coding tests within the corporate environment. This lets the IP address actually in use be checked, lets interviewers see how often the prospect is switching between screens, and can allow other clues to leak out that all is not as it seems.
If the interloper is exposed and fired, however, they will usually have already collected login details, planted unactivated malware, and will then attempt to extort the maximum they can from the victim. She urged anyone who spots a fake employee to contact their local FBI field office immediately.
The Red Queen’s race
But the attackers are getting smarter, and in some ways the FBI is a victim of its own success.
The agency has been distributing advice to US companies but these memos are also being read in Pyongyang and the workers are adapting their tactics. This sometimes involves using both aware and unwitting accomplices.
For example, to get around the IP address problem, laptop farms are springing up across America. If an applicant gets a job, the firm will usually send him a laptop, at which point the interviewee explains that they’ve moved or have a family emergency, so could they send it to a new address please?
This is most likely a laptop farm, where someone in the US agrees to run the laptop from a legitimate address for a fee, typically around $200 a computer, according to Meyers. Last year the FBI busted one such operation in Nashville, Tennessee, and charged the operator with conspiracy to cause damage to protected computers, conspiracy to launder monetary instruments, conspiracy to commit wire fraud, intentional damage to protected computers, aggravated identity theft, and conspiracy to cause the unlawful employment of aliens.
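The signals the panelists describe above (the interviewee's connecting IP address, how often they switch screens during an in-environment coding test, and a last-minute change of the laptop shipping address) can be combined into a simple triage check. The following is an added example written for this page, not code from CrowdStrike, the FBI, or the article; the session records are constructed, the geolocation and VPN/hosting classification of the IP are assumed to come from the hiring company's own existing tooling, and the thresholds are illustrative assumptions rather than figures from the panel.

```python
from __future__ import annotations

from dataclasses import dataclass

# Illustrative thresholds (assumptions, not figures from the article).
SCREEN_SWITCHES_PER_MINUTE = 1.0   # above this, the candidate is flipping screens unusually often
REVIEW_THRESHOLD = 2               # number of independent signals before a human takes a look


@dataclass
class InterviewSession:
    """One remote interview / onboarding record, as the hiring team would log it."""
    candidate: str
    claimed_country: str          # where the applicant says they are
    observed_ip_country: str      # country of the connecting IP (from the company's own geolocation lookup, assumed)
    ip_is_hosting_or_vpn: bool    # ASN classed as datacenter/VPN (from the company's own ASN data, assumed)
    screen_switches: int          # focus changes seen by the corporate test environment
    minutes: int                  # length of the coding test
    shipping_address_changed: bool  # laptop redirected to an address other than the one on the application


def score_session(s: InterviewSession) -> list[str]:
    """Return the list of warning signs present in a session, in a fixed order."""
    reasons: list[str] = []
    if s.claimed_country != s.observed_ip_country:
        reasons.append("geo_mismatch")
    if s.ip_is_hosting_or_vpn:
        reasons.append("anonymised_ip")
    if s.minutes > 0 and s.screen_switches / s.minutes > SCREEN_SWITCHES_PER_MINUTE:
        reasons.append("frequent_screen_switching")
    if s.shipping_address_changed:
        reasons.append("laptop_redirected")
    return reasons


def needs_review(s: InterviewSession, threshold: int = REVIEW_THRESHOLD) -> bool:
    """True when enough independent signals line up to justify a human follow-up."""
    return len(score_session(s)) >= threshold


# Constructed sample records: one ordinary candidate, one matching the pattern described on the page.
SAMPLE_SESSIONS = [
    InterviewSession("candidate-A", "US", "US", False, 3, 30, False),
    InterviewSession("candidate-B", "PL", "US", True, 45, 30, True),
]


if __name__ == "__main__":
    for session in SAMPLE_SESSIONS:
        flags = score_session(session)
        verdict = "REVIEW" if needs_review(session) else "ok"
        print(f"{session.candidate}: {verdict} {flags}")
```

The point of requiring two or more signals is that any single one has an innocent explanation (a traveller, a corporate VPN, a genuine house move); it is the combination, checked inside an environment the company controls, that is hard for a multi-person team working behind one front man to keep consistent.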
Rather than creating identities, the North Korean workers have now taken to either stealing the ones they want, or fooling people into handing them over for a good cause. There’s a growing business in Ukraine of convincing people to share their identity with third parties under the pretext of using them against Chinese agents who are propping up Russia.
“Unfortunately, because this is supporting North Koreans, the money then goes back through to filter through to North Korea regime,” said Chris Horne, senior director at jobs site Upworthy. “Then, in turn, it goes to support the troops that come back in through Russia. So they’re basically paying for their own demise in Ukraine right now.”
We’ve also seen deepfake job interviewees that are good enough to fool IT professionals, sometimes more than once. This technology is only improving and will get more and more convincing, Pelker warned.
The key to fixing this, the panelists agreed, was to educate everyone in the interview process – right down to the lowest staffer – and to be hyper vigilant for warning signs. If possible, they said, one should have someone local swing around for a personal meeting, and maybe also avoid hiring fully remote employees. ®