North Korean Entities Target Remote IT Positions in Western Companies, Utilizing AI in Deception

North Korean Operatives Infiltrate Western Tech Sector with AI-Powered Deception

North Korean operatives are reportedly attempting to secure remote IT and software development positions at companies in Western countries, including the United States. This widespread effort involves the use of fabricated identities, stolen credentials, and advanced techniques, including artificial intelligence, to generate revenue for North Korea's weapons programs. Companies like Amazon and Microsoft have identified these activities, with US government agencies also investigating related operations within the country.

The primary objective of these North Korean operatives is to obtain remote employment in technology sectors and funnel their earnings to fund North Korea's weapons programs.

Objectives and Scope of Operations

This trend is considered widespread across the technology industry, posing a significant financial and security risk. Amazon reported a nearly one-third increase in job applications from suspected North Korean individuals over the past year and stated it has blocked over 1,800 such applications. Microsoft's threat intelligence unit has also identified these extensive operations, noting that AI is enhancing their effectiveness. Disturbingly, instances have been reported where sensitive company data was threatened after the termination of these workers.

Deceptive Tactics and AI Integration

North Korean groups, identified by Microsoft as Jasper Sleet and Coral Sleet, are utilizing a sophisticated array of methods, increasingly enhanced by artificial intelligence:

  • Identity Fabrication: Operatives create false identities and alter stolen identification documents. They leverage AI platforms to generate culturally appropriate name lists and corresponding email address formats—for example, by prompting "create a list of 100 Greek names"—to construct these convincing false identities.
  • Credential Theft and Impersonation: They hijack dormant LinkedIn accounts using leaked credentials and strategically target profiles of genuine software engineers to enhance their perceived credibility.
  • Remote Interview Deception: Voice-changing software is employed during remote interviews to conceal accents and effectively impersonate Western candidates. Furthermore, the AI application Face Swap is used to embed North Korean IT workers' faces into stolen identity documents and to generate professional headshots for resumes.
  • Application Tailoring: AI is utilized to search job postings on platforms like Upwork for IT and software development roles. This allows applicants to precisely tailor their resumes and applications based on listed skill requirements, increasing their chances of success.
  • Performance Maintenance: Once hired, AI assists operatives in drafting emails, translating documents, and generating code, aiming to avoid detection for inadequate performance or potential termination.
  • "Laptop Farms": Operatives frequently collaborate with individuals managing "laptop farms," which involve computers physically located in the target country (e.g., the US) but operated remotely from outside the country.

Detection and Prevention

In response to these evolving threats, technology companies are implementing robust detection and mitigation strategies:

  • Amazon's Methods: Amazon uses a combination of artificial intelligence tools and manual verification by its staff to identify fraudulent applications. Indicators for employers include incorrectly formatted phone numbers and discrepancies in education histories. Amazon's chief security officer, Stephen Schmidt, urged companies to report suspicious job applications to relevant authorities.
  • Microsoft's Disruptions: Microsoft reported disrupting 3,000 Microsoft Outlook or Hotmail accounts used by deceptive North Korean IT workers last year, hindering their communication and operational capabilities.
  • Recommendations for Companies: Companies are strongly advised to conduct video or in-person job interviews for IT roles to better verify identities. Interviewers can identify deepfake videos or images by observing specific signs, such as pixelation at the edges of faces, eyes, ears, and glasses, as well as inconsistencies in how light interacts with an AI-generated face.

Government Response and Enforcement

The US government has launched significant investigations and taken enforcement actions to combat these operations within its borders:

  • Laptop Farms Discovery: In June, the US government announced the discovery of 29 "laptop farms" operating unlawfully across the country. The Department of Justice (DOJ) indicated that these operations utilized stolen or forged American identities to assist North Korean nationals in obtaining employment within US companies.
  • Indictments and Sentencing: The DOJ has indicted US brokers involved in securing positions for these North Korean operatives. In July, an individual from Arizona was sentenced to over eight years in prison for operating a laptop farm. This illicit operation facilitated remote jobs for North Korean IT workers at more than 300 US companies, generating over $17 million in illicit proceeds for the operator and directly benefiting North Korea's weapons programs.