Georeactor Blog

You probably don't have North Korean coworkers

Tags: prose, cybersecurity

Recently Wired ran an article, North Korea Stole Your Job, alongside other coverage in Cyberscoop, The Register, Fortune, and CBS News (the last about the Kraken crypto exchange). Although the DPRK infamously has hackers who steal cryptocurrency, the country also wants to place coders in conventional tech jobs for a clean paycheck.

Cybersecurity company Cinder had a post last August about ID-ing their North Korean applicants, with points including:

So you might say: hey, I don't need to know whether this candidate is tied to North Korea, because why would they be hired at all?
Cyberscoop got some choice quotes:

"There are hundreds of Fortune 500 organizations that have hired these North Korean IT workers," Mandiant Consulting CTO Charles Carmakal said […]
"Literally every Fortune 500 company has at least dozens, if not hundreds, of applications for North Korean IT workers,"
[…]
"If you're not seeing this, it's because you're not detecting it, not because it's not happening to you," Mulholland said.
[…]
Insider risk management firm DTEX recently told CyberScoop that 7% of its customer base, representing a fair cross-section of the Fortune 2000, have been infiltrated by North Korean operatives working as full-time employees.

When I first read these quotes, they seemed to describe a pervasive problem, but on re-reading, the claim is less clear. Some estimates count applications, others count hires; some cover the Fortune 500, others the Fortune 2000. Are these estimates even compatible with each other?

Let's think about a different hiring problem: there are rumors and Reddit threads about people who hired someone else to do their interview (HN comments, Reddit bestof). This is something which I can believe is real, even if it's rare and I didn't experience it personally.
The Reddit story starts a little like a North Korean contract scam, but the OP believes the person's goal was to take out loans. A story of a fake tech applicant is so familiar to the recruiting subreddit that the OP has to dispel a stereotype about them:

Also, this person was not Indian just FYI for all of you that insist they are Indian lol.

For some reason, we don't have as many stories circulating in the IT industry about North Korea. I think that the press is doing a massive disservice in describing what the approach looks like. Here are three real things:

First, back in 2020 I got the pitch from a company which is now under OFAC sanctions:

My name is Jin and I found your contact in Github. I am running software and electronic R&D business in South Korea and China and now I am going to expand this business to the US.

This sounds like the setup for what three Americans have been arrested for in the past year. They ran a "laptop farm" and a VPN, and possibly helped with interviews or identities for the North Korean tech workers.

As a business model, this is a lot closer to the interview frauds, or to the scammers who convince desperate people to cash bad checks and wire the money overseas.

Second, cryptocurrency companies are much juicier targets for North Korea. That's why Kraken's candidate bothered to appear on video for a real interview. That guy would not get called in for a basic web dev job.

Here's another example:

About 95% of the résumés Harrison Leggio gets in response to job postings for his crypto startup g8keep are from North Korean engineers pretending to be American, the founder estimates.

95% is a lot! If 20% happened at your office, you wouldn't be hearing about it first on the news.

Cybersecurity company KnowBe4 is the only company I've seen disclose actually hiring a North Korean hacker. The candidate participated in video interviews and used a false identity. The hacker generated suspicious activity soon after receiving their work laptop, which suggests that they weren't after a normal 9–5. Maybe they thought that the job would give them access to source code or licenses for other hacks?

Third, it's almost a certainty that lower-level North Korean workers use gig platforms like Upwork or Fiverr. There are plenty of smaller businesses and offices looking for the lowest bidder. When I did contract work for a non-profit, we found a coder in Central America through some calls and a few questions about their work experience. So how come none of these articles talk about gig platforms?

People who actually work on sanctions and fraud likely have a good handle on this. But speaking just as someone who reads too much about North Korea, I don't want to read this fake shit.

A CrowdStrike exec said they can totally eliminate North Korean applicants by making a joke about Kim Jong Un. Of course, The Register's article title is The one interview question that will protect you from North Korean fake workers. But this is just something stupid that they do for fun. They actually detect them with some of the red flags mentioned at the beginning by Cinder:

"…you'll have a person in Poland applying with a very complicated name," he recounted, "and then when you get them on Zoom calls it's a military age male Asian who can't pronounce it."

If I wanted to spawn a conspiracy theory, I would suggest that cybersecurity companies are getting applications from the 'B team' to mislead everyone and help the 'A team' get through. Food for thought.