{"id":5807,"date":"2024-10-16T18:23:24","date_gmt":"2024-10-16T23:23:24","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=82181"},"modified":"2024-10-16T18:23:24","modified_gmt":"2024-10-16T23:23:24","slug":"pyongyang-on-the-payroll-signs-that-your-company-has-hired-a-north-korean-it-worker","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/10\/16\/pyongyang-on-the-payroll-signs-that-your-company-has-hired-a-north-korean-it-worker\/","title":{"rendered":"Pyongyang on the payroll? Signs that your company has hired a North Korean IT worker"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Pyongyang on the payroll? Signs that your company has hired a North Korean IT worker | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/north-korean-it-workers-secureworks-report\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Pyongyang on the payroll? 
Signs that your company has hired a North Korean IT worker\"> <meta property=\"og:description\" content=\"SecureWorks has released research that dives into the tell-tale behaviors behind remote employees that may be working on behalf of North Korea.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/north-korean-it-workers-secureworks-report\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-10-16T23:23:24+00:00\"> <meta property=\"article:modified_time\" content=\"2024-10-17T14:43:12+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/pyongyang-on-the-payroll-signs-that-your-company-has-hired-a-north-korean-it-worker-1.png\"> <meta property=\"og:image:width\" content=\"1029\"> <meta property=\"og:image:height\" content=\"516\"> <meta property=\"og:image:type\" content=\"image\/png\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <!-- \/ Yoast SEO Premium plugin. 
--> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1725982252g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1728928671g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1729103471g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/82181\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.6.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=82181\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnorth-korean-it-workers-secureworks-report%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnorth-korean-it-workers-secureworks-report%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82181 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/north-korean-it-workers-secureworks-report\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article 
class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.409810126582\">\n<div class=\"single-article__header-content\" readability=\"33.823255813953\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/threats\/cybercrime\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> SecureWorks has released research that dives into the tell-tale behaviors behind remote employees that may be working on behalf of North Korea. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/82181\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"321\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/pyongyang-on-the-payroll-signs-that-your-company-has-hired-a-north-korean-it-worker.png?resize=640%2C321&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/pyongyang-on-the-payroll-signs-that-your-company-has-hired-a-north-korean-it-worker-1.png 1029w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/pyongyang-on-the-payroll-signs-that-your-company-has-hired-a-north-korean-it-worker-1.png?resize=300,150 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/pyongyang-on-the-payroll-signs-that-your-company-has-hired-a-north-korean-it-worker-1.png?resize=768,385 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/pyongyang-on-the-payroll-signs-that-your-company-has-hired-a-north-korean-it-worker-1.png?resize=1024,513 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/pyongyang-on-the-payroll-signs-that-your-company-has-hired-a-north-korean-it-worker-1.png?resize=600,301 600w\" sizes=\"(max-width: 1029px) 100vw, 1029px\"><figcaption> The original stock picture (left) and an AI fake (right) used by a North Korean threat actor who posed as a U.S.-based software engineer and was hired by the cyber firm KnowBe4. 
(Photo credit: KnowBe4) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"57.229915966387\"><body readability=\"115.27165281625\"><\/p>\n<p>If your remote employee insists on using their own devices, won\u2019t show up on webcam and frequently changes their payment services, you may have accidentally hired a North Korean operative.<\/p>\n<p>Those are some of the tactics wielded by the actors behind what Secureworks refers to as Nickel Tapestry, a group known for planting fake IT workers at Western commercial companies to raise money for North Korea\u2019s nuclear weapons programs, according to new research from Secureworks.<\/p>\n<p>Based on numerous incident response engagements, <a href=\"https:\/\/www.secureworks.com\/blog\/fraudulent-north-korean-it-worker-schemes\">the findings<\/a> detail a range of tactics used by the group to infiltrate companies in the U.S., U.K. and Australia on behalf of North Korea, often for profit. While the identities of the impacted firms were withheld, the research reveals common behaviors and techniques that could help cybersecurity professionals sniff out possible imposter employees.<\/p>\n<p>Most of the time, the primary objective behind these schemes was simply drawing a salary for as long as possible, money that federal authorities and other experts say usually goes directly to funding North Korea\u2019s nuclear weapons program. But Secureworks said these employments sometimes morphed into broader efforts to thieve intellectual property data or extort the companies for larger payments.<\/p>\n<p>In one instance, a hired worker used their employer\u2019s virtual desktop infrastructure to access and steal proprietary data. 
When they were eventually fired for poor performance, they attempted to ransom the stolen data back to the company for hundreds of thousands of dollars in cryptocurrency.<\/p>\n<p>Secureworks also observed the group taking extensive efforts to avoid using corporate laptops, while obfuscating their real location. In some cases, the workers requested permission to use their own personal laptops or virtual desktop infrastructure. Others would simply change the delivery address to send their work device to a laptop farm masked with a U.S. IP address, a technique that was also<a href=\"https:\/\/www.ic3.gov\/PSA\/2023\/PSA231018\"> highlighted<\/a> in an FBI advisory released last year.<\/p>\n<p>When they were forced to use corporate work devices, the plants would often cite technical issues to avoid showing up on webcams for work meetings. There is also evidence that some used virtual video-cloning software and other tools.<\/p>\n<p>\u201cBased on these observations, it is highly likely that the threat group is experimenting with various methods for accommodating companies\u2019 requests to enable video on calls,\u201d Secureworks\u2019 counter threat unit research team wrote.<\/p>\n<p>The group also created entire fake networks of employees and companies to provide operatives with work references, redirect payments and, in at least one case, replace other operatives once they were fired or left a company. Oftentimes these operatives use similar email and resume formats, or display multiple writing styles, indicating that each persona may have more than one operative behind it.<\/p>\n<p>To sidestep detection by banks, these workers would sometimes rapidly update their bank accounts or use digital payment services like Payoneer. 
A spokesperson for Payoneer told CyberScoop that the company \u201chas worked proactively to combat\u201d the threat of financial crimes by North Korean operatives posing as IT workers and continues to \u201cwork closely with regulators and law enforcement agencies on an ongoing basis.\u201d<\/p>\n<p>Other common behaviors associated with campaign operatives were listing between 8 and 10 years of work experience, communicating at odd times of day that don\u2019t match their listed location or time zone, demonstrating novice or intermediate English skills and sounding like \u201cthey are speaking from a call center environment.\u201d<\/p>\n<p>While each behavior is typically harmless and common among global remote IT workers, when combined, they might suggest a company has unknowingly hired a North Korean agent.<\/p>\n<p>Due to international sanctions limiting traditional business avenues, North Korea increasingly uses cybercrime and operations like Nickel Tapestry to fund its military and weapons programs.<\/p>\n<p>In 2022, the FBI, Treasury Department and State Department put out a public warning <a href=\"https:\/\/ofac.treasury.gov\/media\/923126\/download?inline\">calling<\/a> North Korea\u2019s IT worker infiltration program \u201ca critical stream of revenue\u201d for the regime. 
Employees placed at Western firms \u2014 who are actually based in China or Russia \u2014 are able to make as much as $300,000 a year, and often make 10 times the income they would earn as an average factory or construction worker inside North Korea.<\/p>\n<p>North Korean leader Kim Jong Un has heavily invested in IT infrastructure inside the country, which is used to foster the skill sets needed to obtain&nbsp; employment overseas, including establishing rigorous IT degree programs within North Korea and training at regional IT research centers abroad.&nbsp;<\/p>\n<p>Cybersecurity experts believe the practice is more widespread than the public understands. Researchers at Mandiant and Google Cloud<a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/mitigating-dprk-it-worker-threat\"> said<\/a> last month that these workers often have multiple jobs with different organizations and maintain high-level access to production systems and source code, potentially enabling future cyberattacks on company infrastructure.<\/p>\n<p>\u201cI\u2019ve spoken to dozens of Fortune 100 organizations that have accidentally hired North Korean IT workers,\u201d Charles Carmakal, the firm\u2019s chief technology officer, said in a statement last month.<\/p>\n<p><em>This story was updated Oct. 17, 2024, to add comments from Payoneer.<\/em><\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.6629213483146\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/pyongyang-on-the-payroll-signs-that-your-company-has-hired-a-north-korean-it-worker.jpg?w=640&#038;ssl=1\" alt=\"Derek B. 
Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 
class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/north-korean-it-workers-secureworks-report\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pyongyang on the payroll? Signs that your company has hired<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,647,2911,2912],"tags":[286,240,2913,2914],"class_list":["post-5807","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-north-korea","category-north-korean-it-workers","category-secureworks","tag-cybercrime","tag-north-korea","tag-north-korean-it-workers","tag-secureworks"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/north-korea\/\" rel=\"category tag\">North Korea<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/north-korean-it-workers\/\" rel=\"category tag\">North Korean IT workers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/secureworks\/\" rel=\"category tag\">Secureworks<\/a>","tag_info":"Secureworks","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5807","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5807"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5807\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5807"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}