Extra Advice on the IT Workers in North Korea

The Republic of Korea (ROK) and the United States (US) are revising earlier alerts and guidelines to the public, private sector, and international community to better understand and prevent the unintentional hiring, recruiting, and facilitation of IT workers from the Democratic People’s Republic of Korea (DPRK, also known as North Korea). To help companies avoid hiring DPRK freelance developers and to assist freelance and digital payment platforms in identifying DPRK IT workers abusing their services, the U.S. and ROK governments released public advisories in 2022 that included detailed information on how DPRK IT workers operate as well as red flag indicators and due diligence measures.

In addition to new indicators of possible DPRK IT worker activity and additional due diligence steps the public, business sector, and international community can take to stop hiring DPRK IT workers, this update identifies new tradecraft used by DPRK IT workers since the release of the 2022 advisories. Employing or assisting DPRK IT professionals still carries numerous hazards, from reputational damage and legal repercussions—including sanctions under U.S., ROK, and UN authorities—to theft of intellectual property, data, and finances.

Additional Red Flag of Possible Activities From IT Workers in the DPRK:

• The unwillingness or inability to participate in video conferences, interviews, or appearances on camera; discrepancies in their appearance, time, or location when they appear on camera.
• Excessive worry about being unable to attend in-person meetings or drug test requirements.
• Signs of cheating when completing employment surveys and interview questions or when taking coding examinations. These can include hesitating, prolonged pausing, eye scanning gestures that suggest reading, and providing false information that sounds plausible.
• Social media and other online accounts that don’t correspond with the CV that was provided by the employed person, as well as many profiles for the same identity that have various images or none.
• When laptops or other company materials are provided, the home address is either a freight forwarding address or quickly changed upon hiring.
• Repeated requests for prepayment.
• Threats to disclose confidential source codes if further payments are not received.
• Account problems with different providers, account changes, and demands to use new payment methods or freelancing businesses.
• Although the person claims to be from a non-Korean-speaking country or region, their preferred language is Korean.

Extra Steps Companies Seeking Independent Contractors Should Take to Avoid Accidentally or Inadvertently Hiring DPRK IT Workers

• If you use outsourcing or third-party staffing organizations, ask for documentation of their background check procedures. If a corporation cannot give this, presume it did not perform the background check and perform your own.
• Perform due research on the candidates the company sends you if you are hiring a staffing agency or outside software developers for IT services. You might not completely comprehend a company’s background check procedure even if you research it.
• Documentation from background checks supplied by unknown or unreliable authorities should not be accepted. Instead of having their local authorities complete a background check, provide them a release form authorizing you to perform the background check on their behalf.
• Ask their banking institution for certified copies of their account information or voided checks.
• Ensure the routing and check numbers match an actual bank and are not associated with a money service company. Receiving depository financial institutions (RDFIs), which offer routing and checking data that resembles accurate banking data, are used by money service companies.
• Keep track of everything you do with prospective workers, including video interview recordings.
• Forbid the usage of remote desktop software for work purposes and stop the remote desktop protocol from being utilized on any company-owned computers.
• On company devices, install software that monitors insider threats and disables all administrative permissions.
• Make sure that company devices are sent with a signature and not mailed to addresses other than where they should be used.
• Obtain notarized identification documents.
• Require people to physically hold their passports, driver’s licenses, or other identity documents up to the camera during the video verification process. Think about pointing the camera outside so they can reveal where they are.
• Make sure the company laptops’ GPS locations correspond with the employees’ login credentials regularly.
• Demand that independent contractors turn off business VPNs to access company networks.
• Implement need-to-know and zero-trust policies. If possible, refrain from giving access to confidential information.
• Use only trustworthy online freelance marketplaces that provide thorough methods for confirming the names and credentials of independent contractors.
• Avoid directly hiring freelancers through online IT competitions and take extra precautions to confirm their identity.

The Advisory on DPRK IT workers will be useful in creating a more dependable and safer online freelance work environment. Additionally, it should help stop the DPRK from receiving illegal foreign currency earnings, which are used to fund the development of its nuclear and missile programs. The ROK administration will persist in increasing awareness of DPRK IT professionals domestically and internationally in close collaboration with the international community. Additionally, we will continue improving the due diligence that freelance IT job platforms and client organizations do. People should report to the police, the Ministry of Foreign Affairs, and other appropriate agencies if they have information about illicit DPRK actions, including DPRK workers hiding their nationality and identity to secure employment contracts from enterprises. At SpearTip, our cybersecurity awareness training educates individuals and organizations about best cybersecurity practices and provides the knowledge and skills to protect their systems and data from cyber threats. Our training covers password security, phishing scams, social engineering, malware, data protection, and network security. By providing cybersecurity awareness training, organizations, and their employees can better understand the risks of the cyber landscape and develop impactful cybersecurity practices that reduce the likelihood of cyberattacks. Cybersecurity awareness training is an essential component of any comprehensive strategy to protect sensitive information, such as personal data, financial information, or intellectual property, and to prevent data breaches, system downtime, and other negative consequences that can result from cyberattacks.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.