When we first touched on the topic of “job fraud,” it was under the rubric of “laptop farms,” which were being exploited by many individuals, including some from North Korea. Since that article, we’ve observed that the situation has reversed: North Korea is at the forefront, and others are following suit, successfully placing individuals into positions within companies and organizations primarily in the United States. This is a multi-pronged problem for U.S. companies, and most especially companies that are subject to ITAR and may be supporting the classified workforce (defense/intelligence).

North Koreans Indicted

The Department of Justice (DOJ) once again highlighted the fraudulent worker methods when it made public the indictment of 14 North Korean nationals on December 12.

The DOJ describes the modus operandi as “false, stolen, and borrowed identities of U.S. and other persons to conceal their North Korean identities and foreign locations and obtain employment as remote information technology (IT) workers for U.S. companies and nonprofit organizations.”

The identified fiscal target for the North Korean workers? To generate $10,000 per month. They did that, and more.

DOJ noted that the indicted 14 earned approximately $88 million over the course of six years of employment. In addition, their exposure to personnel, infrastructure, workflow, and intellectual property was and is of immense value. Employers faced extortion from their “employee,” who “threatened to leak” source code and other sensitive company information, unless they made an extortion payment.

Human Resource and FSO takeaway

These fraudulent employees are utilizing laptop farms. All contractors and employees should undergo thorough background investigations; the previous case involved 300 employees who shared the same address. Similarly, as Koo noted, the behavior of these employees, whether socially, online, or in engaging normal company support systems, provides insight into their focus: do the job, get the money, and repatriate it to the DPRK (via cryptocurrency or other financial transfer mechanisms).

What can you do?

Clearance Jobs reached out for comment to Rajan Koo, chief technology officer of DTEX Systems, whose own company fended off a DPRK attempt at illegal employment. Koo shared some insight to help others detect such an attempt. “The Democratic People’s Republic of Korea (DPRK) can deploy complex insider threat tactics that often demand an understanding of employee behavioral analytics to detect potential infiltration beyond security software. Employees involved in roles that require access credentials are more vulnerable to external actors who may exploit insiders, who in turn may breach sensitive data. Thus, it is crucial for organizations to provide comprehensive security training and foster a heightened awareness of potential DPRK-related threats among their staff.”

He continued, “Organizations must closely monitor employees who work on projects that may be linked to DPRK interests, exercising a high level of trust in their employees while monitoring changes in their behavior. For employees, staying informed about the latest policy changes and risk assessments will be critical to ensuring that any work related to DPRK remains in full compliance with security frameworks.”

It is safe to say that this activity is not limited to these 14 indicted individuals, as evidenced by the comment from Special Agent in Charge Ashley T. Johnson of the FBI St. Louis Field Office: “While we have disrupted this group and identified its leadership, this is just the tip of the iceberg. The government of North Korea has trained and deployed thousands of IT workers to perpetrate this same scheme against U.S. companies every day. Protect your business by thoroughly vetting fully remote IT workers. One of the ways to help minimize your risk is to insist current and future IT workers appear on camera as often as possible if they are fully remote.”

What hasn’t been said is that should these “U.S. persons” be given access to ITAR or other U.S. government-sensitive data, that presents an even more serious can of worms involving compromise.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com.