North Korean IT Worker Threat: 10 Critical Updates to Your Hiring Process

KnowBe4 was asked what changes were made in the hiring process after the North Korean (DPRK) fake IT worker discovery. Here is the summary and we strongly suggest you talk this over with your own HR department and make these same changes or similar process updates. If you are new to this story, here is the original post.

Question: What remediations were put in place from this incident? 

Answer:  Please note that our cybersecurity controls in this matter were effective at quickly detecting, stopping, and remediating the incident in a very timely manner (under 30 minutes). No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems. This is not a data breach notification, there was none. See it as an organizational learning moment we are sharing with you. If it can happen to us, it can happen to almost anyone. Don't let it happen to you. There are still many companies out there who are unaware a DPRK IT worker is in their environment after months. 

Question: We would like to know more detail about changes in the recruitment process itself. For instance, are you interviewing in person now?

Answer: We are not requiring in-person interviews for all hiring, as this is a process that will not scale and we do not have all staff in-office. This is also not a requirement of many other tech companies that hire remote workers, one of which reached out to me after reading our article on the topic to discuss their challenges and what they implemented on their side as well to prevent the threat.

Question:  What has KnowBe4 changed their hiring process? 

Answer: - We have made the following 10 immediate changes to our hiring and recruitment process. Some of these changes include recommendations provided by threat intelligence partners and other security companies facing the same issues:

1. We have trained all recruiters and onboarding staff of the common red flags seen in DPRK IT worker resumes and how to identify them. (Such as the way an email address is structured for an applicant and/or references).
2. We have provided the recruiting staff access to a phone carrier lookup and screening tool to identify if phone numbers provided on resumes or for professional references are cell phone or VOIP based as this is a common trait seen in DPRK applicants is to use VOIP phone numbers -- NOTE that using the two indicators above has led to the identification of other applicants in our system so we could avoid wasting time on selecting them for interviews or proceeding further. These have also been used as further training for the recruiting team on what to look out for.
3. We have started requiring that all professional reference screening must include a phone based screening instead of email or phone (in our incident only email screening was performed).
4. The recruiting staff is trained on searching for the presence of the applicant's professional public profile (social media accounts like facebook, linkedin, instagram). As the lack of or the generic nature of them can be an indicator.
5. We are in the process of changing the providers who perform our Identify verification and background screening at the recommendation of threat intelligence partners. We will be using technology similar to that which is used to perform ID verification checking at US airports to identify fake or forged ID's and image/facial recognition mismatching.
6. We have always and still will require virtual meeting interviews for candidates with 'video-on' as a requirement. In addition to video-on we ask that the applicant turn off any background fuzzing or filtering so we have a clear look at the environment they are in (this can also be an indicator, a hesitancy to use video on and to not show their actual surroundings clearly).
7. If recruiters have continued suspicion while on an interview, they are trained to ask certain questions that are more casual in nature and not about the professional aspects of the resume. This can be an indicator for questions like 'I see you are from Seattle, what's your favorite place to eat and what do you usually get?'. A person who actually spent time in Seattle would know this answer very easily while if this information is false on a resume then their answer will be very difficult for them to come up with.
8. If at any point in the interview process anyone on the recruiting team becomes suspicious of a candidate they know they are to reach out to the CISO personally and I will consult with them on the case.
9. We will only ship equipment to a location that is indicated on the person's application, or to a UPS store location near them that requires an ID verification of the person we are sending the equipment to. (Note this step would have prevented our incident as standard UPS shipping to a residential address can be signed for by anyone at that address. This is also how we were able to identify the location of the Laptop Farm and the US person who was assisting the DPRK. All of this information has been turned over to the FBI as the Laptop Farm location we discovered was the first of its kind in that state). This step is only done after all of the other ID verification, background check, etc, has been completed.
10. The recruiting staff does internet searching of addresses provided on the resume for anyone they become slightly suspicious of, which can include public property records searches, state and county court records, etc. This is an effort to ensure the person is who they say they are and are from where they say they are from.
    

Question: The interview process for the individual who was linked to working with the North Korean groups is confusing; they had stolen the identity of a US citizen and had several video interviews – did they use deep fake AI technology for this?

Answer: No, we have no reason to believe AI was used in the resume or interview process. Only the picture provided for the employee HRIS system was modified. As we indicated in our articles and as further indicated in the writeups by Crowdstrike and Mandiant, the DPRK IT workers scheme normally involves a valid ID that has been modified in some way. This ID is either obtained by using readily available breached identities from the dark web, or they are provided willingly by a US person for compensation. There has been no indication thus far that any deep fake or AI is used in the interview process. In our case, the person who was 'on-video' during the interviews was of Asian descent and spoke very good English with an Asian accent and knew their resume very well. Race or accent is not an indicator that someone is a threat. The US Civil Rights Act does not permit hiring discrimination based on race and nationality as well as other factors. The person on the interview very likely had worked at the places provided on the resume and had performed the work as stated on their resume.

Question: Is that how they managed to fake the image they submitted as their ID too?

Answer: No. The ID was a valid ID of a US person and the picture was the only thing changed. We believe it was modified using the technology available to the DPRK government. They are often very good at this and the forgeries can be extremely difficult to detect. We performed data sharing with threat intelligence partners on this topic and they indicated that the ID we received was of higher quality forgery than the ones they had received.

Question: If so, what measures are you putting in place for remote interviews now to ensure this doesn’t happen again?

Answer: As stated in the bullet points above, one of the changes we are making is not relying on the US government I9 e-verify system and we are going to use a third party firm who specializes in identifying ID forgeries and performing matching of ID to human using facial recognition technology similar to ID.me used by the IRS and other organizations. This is the company recommended to us by the experts in detecting DPRK IT worker threats.

Question: Having a picture ID to pick up their laptop could also be faked – what else is being put in place please?

Answer: One thing to keep in mind is that the DPRK IT worker threat is very well equipped (backed by a very cyber capable country and government) and their tactics will change as controls become implemented. We are aware of individuals finding ways around in-office-in-person equipment pickup and in-person drug screenings. We believe that in order to truly prevent this we need a hiring team that is aware of the evolving threat and the indicators to look out for throughout the entire screening/interview/application process (which we have done). We continue to data share with our threat intelligence partners. We also continue to adjust our technical cyber controls and indicators of compromise as new information becomes available so we can catch not just DPRK threats but other insider threats that may present themselves.