Are Your Remote Workers a Threat? FBI Alerts Companies to North Korean Cyber Risks
Are your remote workers really who they say they are? Are they working for you or against you?
On January 23, the FBI updated its guidance from May 2024 regarding North Korean IT workers to raise public awareness of their increasingly malicious activities, which now include data extortion. In recent months, the FBI observed North Korean IT workers exploiting unauthorized access to company networks to extract proprietary and sensitive data, enable cybercriminal activities, and perform revenue-generating operations for the regime.
Justice Department Indicts Two North Korean Nationals
The warning comes on the same day the U.S. Department of Justice announced the indictment of five individuals, including two North Korean nationals, for fraudulently obtaining remote work credentials from U.S. companies to generate revenue for North Korea. From approximately April 2018 through August 2024, the defendants and their unindicted co-conspirators obtained work from at least 64 U.S. companies. “The indictments announced today should highlight to all American companies the risk posed by the North Korean government,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division.
North Korean IT Workers Exploit Networks for Ransom and Data Theft
In some cases, the fake IT workers publicly released sensitive company code when ransom demands were unmet. Their tactics include copying entire code repositories, such as those on GitHub, to their own user profiles and personal cloud accounts, posing a significant risk of intellectual property theft at scale.
These bad actors may also try to harvest sensitive company credentials and session cookies. They can then initiate work sessions from unauthorized devices, creating even more opportunities for network compromise and long-term security breaches.
Protecting Your Business: Smart Data Monitoring Strategies
Proactive monitoring can help safeguard your business from infiltration and data theft.
- Strengthen security by enforcing the Principle of Least Privilege—disable local administrator accounts and limit permissions for installing remote desktop applications.
- Monitor for unusual network activity, such as frequent logins from different countries or the use of unauthorized remote desktop tools, since North Korean IT workers often employ these tactics.
- Monitor network logs and browser sessions to detect data exfiltration through shared drives, cloud accounts, or private repositories.
- Monitor endpoints for software that enables multiple simultaneous audio/video calls.
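The checks above, and the risk of work sessions started from unauthorized devices, can be run over sign-in and endpoint logs. The following is an added example, not code from the FBI guidance or from PrivaPlan; the event layout, the tool watchlist, the approved tool and the enrolled-device list are all assumptions to replace with your own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (user, time, country, device)
SIGNINS = [
    ("dev-a", "2025-01-20T08:02:00", "US", "LAPTOP-101"),
    ("dev-a", "2025-01-21T08:05:00", "US", "LAPTOP-101"),
    ("dev-b", "2025-01-20T09:00:00", "US", "LAPTOP-102"),
    ("dev-b", "2025-01-20T13:30:00", "PL", "UNKNOWN-7"),
    ("dev-b", "2025-01-20T21:10:00", "SG", "UNKNOWN-7"),
]
# Constructed process-start events: (host, user, process name)
PROCESSES = [
    ("LAPTOP-101", "dev-a", "code.exe"),
    ("LAPTOP-102", "dev-b", "AnyDesk.exe"),
    ("LAPTOP-102", "dev-b", "teamviewer.exe"),
]
# Assumptions: watchlist, approved tool and enrolled devices are site-specific.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
APPROVED_REMOTE_TOOLS = {"teamviewer.exe"}
ENROLLED_DEVICES = {"LAPTOP-101", "LAPTOP-102"}

def country_hopping(signins, window=timedelta(hours=24), min_countries=2):
    """Map user -> countries when sign-ins span min_countries inside one window."""
    by_user = defaultdict(list)
    for user, ts, country, _device in signins:
        by_user[user].append((datetime.fromisoformat(ts), country))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - start <= window}
            if len(seen) >= min_countries:
                flagged[user] = sorted(seen)
                break
    return flagged

def unenrolled_device_signins(signins, enrolled=ENROLLED_DEVICES):
    """Sign-ins from devices the organisation never issued or enrolled."""
    return sorted({(u, d) for u, _t, _c, d in signins if d not in enrolled})

def unapproved_remote_tools(processes):
    """Remote desktop tools on the watchlist that are not on the approved list."""
    return sorted({(h, u, p.lower()) for h, u, p in processes
                   if p.lower() in REMOTE_TOOLS - APPROVED_REMOTE_TOOLS})

if __name__ == "__main__":
    print(country_hopping(SIGNINS))
    print(unenrolled_device_signins(SIGNINS))
    print(unapproved_remote_tools(PROCESSES))
```

A hit from any single check is a lead for review, not proof: legitimate travel and VPN exit nodes also produce multi-country sign-ins, so correlate the three results per user before escalating.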
Strengthen the Remote Hiring Process
The FBI recommends steps to reduce the risk of hiring malicious IT workers, specifically those from North Korea.
- Implement identity verification throughout hiring and employment, as North Korean IT workers use AI and face-swapping to mask identities.
- Educate HR and hiring teams on the risks, especially changes in addresses or payment platforms.
- Cross-check resumes and contact details to detect duplicate applicants.
- Review communication accounts for reused phone numbers or emails.
- Ensure third-party staffing firms follow strict hiring practices.
- Use “soft” interview questions to verify location and education, watch for typos or unusual resume details, and conduct in-person onboarding when possible.
Security Awareness Training: Your Best Defense Against Cyber Threats
Staying informed about evolving cybersecurity challenges is crucial to staying ahead of potential threats. PrivaPlan’s Cybersecurity Awareness Training equips you with the knowledge to do just that.
Following the recent FBI announcement, it’s worth highlighting a key component of our training: a simulated IT worker designed to help employees recognize and respond to potential threats. While this persona isn’t real—nor linked to any specific nation—it is a powerful tool to prepare your team to detect and neutralize cybersecurity risks before they escalate.
Stay Ahead of Potential Threats
Our customized Cybersecurity Awareness Training is the key to building a resilient workforce. Our engaging awareness program empowers your workforce with the knowledge they need to make informed decisions.