How North Korean Operatives Are Exploiting Remote Work to Infiltrate U.S. Companies
Key Highlights
- North Korean operatives are exploiting remote work and third-party staffing models to gain unauthorized access to U.S. corporate networks using stolen identities and evolving deception tactics.
- Gaps in hiring due diligence, identity verification and vendor oversight create warning signs that security and HR teams often overlook.
- Organizations face not only cybersecurity and operational risks, but also legal, reputational and sanctions exposure if these schemes go undetected.
The rise of remote work has expanded the global talent pool for U.S. companies, but it has also opened new avenues for sophisticated nation-state threats. One of the most concerning developments involves North Korean operatives posing as legitimate remote IT workers, using stolen identities and deceptive staffing arrangements to gain access to corporate networks, evade U.S. sanctions, and in some cases enable broader cyber intrusions.
To better understand how these schemes operate and what security leaders can do to defend against them, SecurityInfoWatch spoke with Ji Won Kim, a partner in Norton Rose Fulbright’s Los Angeles office who advises organizations on cybersecurity, privacy risk management, governance and incident response.
In this executive Q&A, Kim explains how these operations exploit hiring and vendor processes, outlines key red flags for security and HR teams, and discusses the legal, regulatory and operational implications for organizations that fall victim to these tactics.
Scope of the threat
How are North Korean operatives exploiting the rise of remote work and third-party staffing models to infiltrate U.S. corporate networks, and what makes these schemes so difficult to detect?
The limited in-person interactions and potential gaps in due diligence during the hiring process in today’s work environment create ample opportunities for malicious actors to evade detection. Their tactics are constantly evolving. They leverage AI for application materials as well as interviews. They lure facilitators in the U.S. to operate “laptop farms” intended to facilitate remote access and even set up shell companies to pose as legitimate staffing companies.
What are the red flags that enterprise security or HR teams should look for when vetting remote IT candidates, particularly those sourced through offshore staffing or freelance marketplaces?
The U.S. government has issued multiple advisories (see May 2022, July 2023, October 2023, May 2024 and January 2025) discussing the red flag indicators of the schemes. During the hiring process, the following, among others, may indicate potential North Korean IT worker activity:
· Unwillingness or inability to appear on camera or conduct video meetings
· Time, location, or appearance inconsistencies in appearing on camera
· Indications of using artificial intelligence and face-swapping technology
· Undue concern about a drug test or in person meetings
· Inconsistencies in background and contact information across social media and other online profiles and provided resume
· Indications of cheating when answering employment questionnaires and interview questions
· Anomalies in communications including usage of virtual phone numbers and emails with suspicious patterns
How do these operations blur the line between cyber and physical security threats? For example, when compromised access credentials or insider activity lead to downstream risks in critical infrastructure or facility systems?
As cybersecurity and physical systems become increasingly interconnected, malicious actors’ unauthorized access to an organization’s cybersecurity environment may lead to disruption in critical infrastructure or facility system operations. Many of the North Korean remote IT workers thus far have appeared to focus on using their schemes to evade sanctions and generate funds to support the regime and its weapons programs rather than inflicting immediate physical harm.
In some cases, however, these workers have used privileged access they gained for illicit purposes, including enabling malicious cyber intrusions by other North Korean actors. Absent appropriate and timely remediation, infiltration of critical networks and disclosure of sensitive information pose threats to operations and physical security. This elevates the importance of using Zero Trust policies to better prepare each organization against the next move.
Due diligence and verification
What steps can security leaders take to strengthen identity verification, background screening and vendor management practices to prevent hiring individuals who may be acting under false identities?
Developing and implementing multi-layered protocols is key. Scrutinizing and cross-checking all available documentation will help identify suspicious candidates. Build in-person meetings with candidates into the hiring process whenever possible.
Where third-party vendors are used, get a thorough understanding of the vendors’ processes, impose additional requirements as appropriate, and regularly audit those vendors. Train all relevant teams involved in hiring and managing remote workers to help detect suspicious activities.
What are the potential legal, reputational or sanctions-related consequences for U.S. companies found to have unknowingly employed or contracted with North Korean nationals?
While criminal charges brought and publicly announced to date have tended to focus on the North Korean perpetrators themselves or the U.S.-based individuals who facilitated remote access by operating laptop farms, companies found to have fallen victim to these workers still face a complex set of challenges.
First, even victim organizations may remain involved in the legal proceedings without guarantees of anonymity and may attract media attention, which in turn can shape the public perception of the victim organizations’ cybersecurity posture.
Second, a thorough investigation of unauthorized activities by the malicious actors and other suspicious actors is necessary to address potential cybersecurity and privacy legal risks that may follow. This involves utilizing outside counsel and experts and addressing potential inquiries from law enforcement and regulatory bodies who may be notified.
Third, as the U.S. has a strict liability sanctions regime where the Office of Foreign Assets Control may impose civil penalties for violations regardless of knowledge, understanding the mitigating factors in sanctions compliance enforcement actions and adhering to available guidelines are valuable.
As both the public and private sectors become better educated regarding the North Korean remote IT worker schemes, we will see increased pressure on more organizations to develop and implement appropriate processes to combat these schemes.
Collaboration and intelligence sharing
How can corporate security, law enforcement and government agencies better collaborate to identify, track and disrupt these state-sponsored operations before they cause damage?
Close coordination across the public and private sectors better equips all of us to be prepared. Coordination starts internally at every organization. Establishing and practicing appropriate protocols for detecting and responding to incidents allows organizations to navigate the rapidly changing landscape much more smoothly. Take advantage of the trusted advisors working closely with law enforcement and government agencies tracking the threat actors and their latest tactics.
There are also legislative considerations like a more permanent reauthorization of the Cybersecurity Information Sharing Act of 2015 (CISA 2015), with its temporary extension set to expire at the end of January 2026, which would lift some uncertainty around cybersecurity threat information sharing.
About the Author
Rodney Bosch
Editor-in-Chief/SecurityInfoWatch.com
Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications. Reach him at [email protected].