SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Mandiant uncovers North Korean scheme to infiltrate IT departments

Wed, 25th Sep 2024

Mandiant has revealed a sophisticated scheme involving North Korean IT workers successfully securing remote employment at major companies worldwide. These workers use stolen identities and collaborate with local facilitators to infiltrate organisations, often taking on multiple jobs simultaneously. The operation is believed to be orchestrated by the Democratic People's Republic of Korea (DPRK), and the revenue generated by these fraudulent employees supports the country's sanctioned activities, including its weapons programmes.

According to Charles Carmakal, Chief Technology Officer of Mandiant Consulting at Google Cloud, the risks posed by these workers extend beyond financial gain. "I've spoken to dozens of Fortune 100 organisations that have unknowingly hired North Korean IT workers," Carmakal stated. He raised concerns about these workers gaining elevated access to systems, potentially inserting backdoors or malicious code into critical software.

Michael Barnhart, Principal Analyst at Mandiant, expressed deeper concerns. "The biggest threat is if these workers receive orders from the North Korean regime to launch a wide-scale cyberattack. They could deploy ransomware or disable major organisations across the US and Europe overnight," Barnhart warned. He emphasised the importance of collaboration among businesses to detect and eliminate this threat.

Mandiant's blog post, "Staying a Step Ahead: Mitigating the DPRK IT Worker Threat," outlines the tactics used by these workers. Methods include leveraging front companies, using fake identities, and receiving assistance from local facilitators who provide services such as laundering payments and receiving corporate laptops. Facilitators often maintain "laptop farms," hosting multiple devices connected remotely by the North Korean workers. The blog also describes the involvement of stolen credentials and fabricated résumés to secure jobs, with discrepancies often found in educational history and employment records.

The threat group tracked by Mandiant as UNC5267 has been operational since 2018. Its goals include long-term access to corporate networks for potential espionage or disruptive activities, although no confirmed cases of espionage have been observed so far. Mandiant's findings show that these workers often avoid video communication, exhibit poor work quality, and request laptop shipments to locations unrelated to their reported residence.

To combat the threat, Mandiant recommends stricter candidate vetting processes, including biometric checks, mandatory video interviews, and rigorous background checks. Businesses are urged to implement proactive threat-hunting strategies and share information with security vendors to better protect themselves from these increasingly sophisticated attacks.
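Two of the indicators above (laptops shipped somewhere other than the reported residence, and several "unrelated" employees' devices checking in from one egress address, as a laptop farm would produce) can be cross-checked from HR and asset data. The script below is an added illustration of that kind of threat hunt, not code from the article or from Mandiant; the records, field names and the threshold of three users per egress IP are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not from the article): one row per corporate laptop,
# joining the HR-reported residence, the asset shipping address and the last
# external IP the device connected from.
ASSET_RECORDS = [
    {"user": "alice", "reported_city": "Austin",  "ship_city": "Austin",    "egress_ip": "203.0.113.10"},
    {"user": "bob",   "reported_city": "Denver",  "ship_city": "Nashville", "egress_ip": "198.51.100.7"},
    {"user": "carol", "reported_city": "Boston",  "ship_city": "Nashville", "egress_ip": "198.51.100.7"},
    {"user": "dave",  "reported_city": "Miami",   "ship_city": "Nashville", "egress_ip": "198.51.100.7"},
    {"user": "erin",  "reported_city": "Seattle", "ship_city": "Tacoma",    "egress_ip": "192.0.2.44"},
]

# Hypothetical tuning value: this many distinct users behind one egress IP is worth a look.
SHARED_IP_THRESHOLD = 3


def shipping_mismatches(records):
    """Users whose laptop was shipped somewhere other than the residence they reported."""
    return sorted(r["user"] for r in records if r["ship_city"] != r["reported_city"])


def shared_egress(records, threshold=SHARED_IP_THRESHOLD):
    """Egress IPs that several supposedly unrelated users' laptops all connect from."""
    users_by_ip = defaultdict(set)
    for r in records:
        users_by_ip[r["egress_ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= threshold}


def triage(records):
    """Rank users: 'high' if both signals fire, 'medium' if only one does."""
    mismatched = set(shipping_mismatches(records))
    farmed = {u for users in shared_egress(records).values() for u in users}
    verdicts = {}
    for r in records:
        hits = (r["user"] in mismatched) + (r["user"] in farmed)
        if hits:
            verdicts[r["user"]] = "high" if hits == 2 else "medium"
    return verdicts


if __name__ == "__main__":
    for user, level in triage(ASSET_RECORDS).items():
        print(f"{user}: {level}")
```

Either signal alone has benign explanations (a relocation, a shared office or VPN exit), so the output is a review queue for the vetting and background-check steps the article recommends, not a verdict.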

North Korea's reliance on cyber operations to generate revenue and evade sanctions continues to pose a major challenge, with Mandiant stressing the need for vigilance and collaboration across the cybersecurity community to address this evolving threat.
