The Journal. - Your New Hire May Be a North Korean Spy
Episode Date: September 10, 2024
North Korean cybercriminals have developed a new way to access networks in corporate America: getting IT jobs. According to U.S. officials, hundreds of U.S. companies have unknowingly hired North Korean operatives in information-technology roles. Dustin Volz explores how these spies get hired, and one CEO describes how his company fell for the scheme.
Further Listening:
- How North Korea’s Hacker Army Stole $3 Billion in Crypto
- North Korea’s Propaganda Mastermind
- The Cyberattack That’s Roiling Healthcare
Further Reading:
- North Korean Spies Are Infiltrating U.S. Companies Through IT Jobs
- Kim Jong Un Wants to Block All North Koreans From Escaping. It Isn’t Working.
- A North Korean Diplomat Managed a Rare Defection: A Flight Out of Cuba
Transcript
Earlier this year, Stu Sjouwerman's company needed to hire a new IT guy.
We were hiring a fairly specific, hard to find software engineer who had background
in AI.
We have a number of AI initiatives, and so we needed a software engineer to support
all those initiatives.
The job was posted on online job forums, and pretty soon resumes started to flow in from
all over the country. And one candidate stood out. He said his name was Kyle.
Mr. Kyle, quote-unquote, air quotes, had experience with exactly everything that we needed.
It was a very good interview. He was very open. He talked about his strengths and weaknesses,
indicated where he felt he needed additional training
and indicated a career path.
And so it was the perfect interviewee
which made us move to the next step.
After conducting background checks,
Stu's company decided to hire Kyle as a remote employee.
They sent him a work laptop to an address
in Washington state and started the onboarding process. But almost immediately, it became
clear that Kyle was not who he said he was.
At that point in time, our team started seeing very concerning traffic on that laptop.
What kind of concerning traffic?
Well, Kyle immediately started downloading malware.
We immediately saw that a whole bunch of things were happening that should not be.
We tried to get in touch with him and asked if he needed any help.
I think this was through Slack.
And he said, yes, I am trying to debug my router and
I'm following instructions from a list.
And this is where it became very, very iffy very fast.
The company shut down Kyle's laptop and quickly fired him.
And then they investigated.
What exactly was Kyle doing?
The answer took them completely by surprise.
Yes, we have egg on our face because we hired a fake North Korean IT worker,
but this is what happened.
And if it can happen to us, it can happen to almost anybody.
I mean, it's kind of unbelievable that you hired a North Korean spy as one of your IT
guys.
Yes, that is pretty scary.
And there are hundreds, if not thousands, that are actually, as we speak right now,
in this same situation and delivering work for United States companies.
Welcome to The Journal, our show about money, business, and power.
I'm Jessica Mendoza. It's Tuesday, September 10th.
Coming up on the show, could your new hire be a North Korean spy?
Our colleague Dustin Volz reports on hackers and cybercrime, and he's been really busy
lately.
Just generally, what have you been covering recently?
Oh, wow. Well, it is an election year, and so I have been focused a lot on foreign election influence
efforts targeting the presidential election, including efforts by Russia, Iran, and China
to promote covert online propaganda and disinformation and that kind of thing.
As kind of looking through your, the stories that you've written recently, and
it sounds like foreign governments really want to get into our computers this year.
Yes, they always do.
They always find new and interesting ways to try to get into our computers.
Governments really like to be inside our computers for all sorts of reasons.
One government that's constantly trying to do that is North Korea.
For years, Dustin has tracked how the country
has developed its hacking capabilities.
And he says its main goal is to make money.
Money is absolutely a driving force of this
because of the sanctions, because of how hard it is
for them to get money, really through any other means.
That is a huge part of what this whole operation is about.
And it's really existential for Kim Jong-un and his regime,
because if they're not able to keep funding
their nuclear weapons and ballistic missile programs,
they sort of lose their ability
to stay in power potentially.
So money is absolutely a huge part of this.
North Korea makes money through hacking in a variety of ways,
like stealing cryptocurrencies or holding Western companies ransom.
But last year, Dustin learned about a new North Korean scheme
that's unlike anything he's seen before.
I spoke to a senior Biden administration official who said,
we're really worried about how much money the North Koreans are
able to get through not just hacking into companies and stealing intellectual property
and in some cases stealing cash, but by doing these other sort of crazy schemes.
And this official said that IT workers are a really big concern.
And I said, I'm sorry, IT workers, what do you mean?
And they said we were seeing a growing number
of North Koreans get jobs by stealing identities
of foreigners and getting onto the payroll directly
for employers for IT jobs and other sorts
of technology jobs.
And I just thought that was fascinating.
These North Korean job seekers are in some ways
just like any other job seeker.
They make resumes, set up a profile on LinkedIn,
and display professional headshots.
But it's all fake.
Their identities are stolen.
And often, their resumes and headshots
are made with generative AI.
They apply for dozens of jobs and wait to get an interview.
And maybe this is obvious,
but they're only looking for remote jobs.
When they land that interview, Dustin says they stand out.
It's surprising both the level of skill required here
and also the level of persistence.
They're really being thoughtful about it.
They're being methodical about it.
And once they get a bite on one of their lures,
they're really trying to reel in the employers
and get the big payday.
And you've talked to some of these employers.
What did they say about meeting these applicants?
I think a clear and consistent message from these companies was, wow, these guys are really,
really good at this.
They were kind of stunned by the level of sophistication from a technical level in understanding
the jobs that they were applying for and really surprised that they were able to not just,
you know, send in an application and then hope to get hired, but follow up on it, talk
about their strengths and weaknesses in interviews, actually get on Zoom interviews and pose as
the person that they were pretending to be and speak in English with, you know, an accent,
but speak in English when you're talking about highly technical terms.
And I think that is, again, something that a lot of companies are probably not expecting.
For the North Korean operatives who land these jobs, the pay can be pretty good.
The Justice Department said some alleged spies were making $300,000 a year or more.
A certain percentage of those salaries will go back to the regime,
and then they might get to pocket some of it for themselves.
Wow.
It's unclear exactly how many North Korean operatives
are working for U.S. companies.
But U.S. officials say the number is potentially in the thousands.
In one indictment, prosecutors said more than 300 U.S. companies
had unknowingly hired people with ties to North Korea.
North Korea's diplomatic mission at the United Nations didn't respond to a request for comment.
Now when I got hired, you know, I got a laptop, I got a badge, I got a free Wall Street Journal tumbler.
Where does all that go?
I'm jealous you got a free tumbler. I never got one of those when I was hired here.
So yeah, like a lot of jobs you get hired on and you're given a phone and a laptop
and all that, but maybe you show up the first day in the office and you're handed these
devices and you sit down with your IT team and your HR team and you boot up your systems
and you're ready to go.
If you're working remote, you might just send it to an address, the address on file that
the applicant said that they live at.
But these North Korean operatives are not in the U.S.
They work out of North Korea, China, or other countries.
To fool U.S. employers, they need help from accomplices on U.S. soil.
Enter the laptop farms.
And we've seen that now in at least three states, Tennessee, Arizona, and Washington,
where there were these laptop farms that were sort of participating in the scheme, where
co-conspirators are essentially helping them get these jobs by providing them a residence.
Once they get the job that they've applied for, they have their work devices sent to this address,
set up on a rack, plugged in and turned on. And then the North Korean, who might be in
China or North Korea itself or somewhere else, is able to basically remotely get
on to that laptop. And so these laptop farms, is it just basically like what a
warehouse full of all these different laptops and a couple people kind of running
this operation?
It's even more bootstrap than that. These are going to be just like homes, you know.
Just, like, imagine any suburban road in America.
Then it turns out that they actually have hundreds of laptops inside their living room that are, you know, sitting on racks and basically helping
North Korea fund a nuclear weapons program.
That's a direct threat to the United States.
The people running these laptop farms are paid thousands of dollars by North Korea.
That's according to federal prosecutors, who've arrested several of these middlemen.
One man in Tennessee was allegedly promised $500 per laptop, plus a percentage of profits
to help the North Korean government.
That man pleaded not guilty, and his lawyer did not respond to a request for comment.
So once they're all set up, you know, they've got their laptops, all of that, what do the
North Koreans do?
A lot of them do their jobs. A lot of them get hired.
They're able to collect, you know, paychecks for hundreds of thousands of dollars annually
because they are sitting back and doing the job that they were hired for, which is, you
know, troubleshooting people's laptops and doing all sorts of things.
And then in some cases, we see them also using their access within internal networks to not
just do the work they're hired for, but to do other malicious things, including stealing
corporate secrets or positioning for other types of cyber attacks.
And so it just, I think, depends on case by case, but there's a number of sinister things
that they can be doing once they're hired.
Whatever the exact scheme, the main goal, Dustin says, is still to funnel money back
to the North Korean government.
So if you think your company may have hired a North Korean spy, what do you do?
That's next.
Would you say that you're an expert on cybercrime?
Unfortunately, yes.
Unfortunately?
Yes, you have to watch it.
But you could call me an expert on cybercrime, indeed.
That's Stu Sjouwerman again.
He's the CEO of the company that accidentally hired an alleged North Korean spy named Kyle.
What I didn't mention is that his company is a cybersecurity company.
It's called KnowBe4.
And so what was the goal with KnowBe4?
The goal was to provide employees with sufficient training and simulated attacks so they could make smarter
security decisions every day.
After Kyle released his malware, the company acted fast.
We have a very sophisticated InfoSec team who are intimately familiar with hacking procedures and they literally saw
malware being downloaded to the hard disk of that particular workstation. So we were able to remotely
shut that workstation down.
Did the malware spread to other systems within the company before you were able
to shut it down?
No, it was quarantined. It did not go any further than that particular laptop.
Stu's company alerted the FBI about Kyle.
How did you feel after this ordeal?
Well, you think that, wow, we've been lucky our
layered defenses actually caught this in time. However, we need to sharpen up our process
because they should never have come this far down. We should never have sent that laptop to begin with.
So you immediately take measures, as in workstations never get sent to anywhere else
but to where this person lives.
This person actually needs to go and sign for it themselves
with an ID showing that they are who they are.
So we have made immediate improvements in our process.
I'm curious what you think this says about how hard it is to stop something like this from happening,
especially for companies that aren't as well defended as yours.
It's hard.
The learning moment here is that everyone who is hiring for
people that are going to get the keys to the kingdom,
and system administrators and software developers very often have those keys to the kingdom,
that they need to be double, triple sure that these
are legit and not operating criminals, but you have to truly watch it to make sure that you don't hire these types of people who can essentially cause enormous damage.
If you could talk to Kyle today, what would you say to him?
Nice try, buddy.
No cigar.
Stu's company was able to quickly suss out and deal with the alleged North Korean spy
in its ranks.
But the same can't always be said for other companies.
The Department of Justice estimates that North Korea makes hundreds of millions of dollars
every year from this scheme.
Here's our colleague Dustin Volz again.
One company I spoke to actually said that they think they've encountered potentially
dozens of applications that they suspect are North Koreans.
Can you imagine telling the people who work for you, sorry folks, we accidentally hired
a North Korean operative?
Honestly, to me, it really is a strong case against remote work.
Employers for a long time have been trying to get their workforces back into the office
and I think a lot of their arguments are not, personally, not very valid.
But this one, the idea that this is a real security risk and that we might accidentally
be hiring people who are helping to fund North Korea's nuclear weapons program because they're
on the payroll here, I think that's a really startling thing to a lot of people.
Dustin's reported on a variety of weird and ambitious hacking schemes. But even to him,
North Koreans taking IT jobs hits different.
I think this is one of the most fascinating and
unusual cyber crimes I've ever seen. And it speaks to where we are now in our world with remote work and where we are in our world
with AI systems that allow people who speak a foreign language to ask an AI system to
make them a resume or to create a fake headshot
for them. And I think this is potentially a preview of really, really scary things to
come. And I think it also says a lot about how crafty North Korea is. We often talk about
China and Russia as these big bad cyber baddies, and they are. But North Korea, time and again over the years, has been incredibly, incredibly sophisticated
and tricky with what they're doing through cyber attacks and through cyber fraud.
Where do you think Kyle is now?
Do you think he's at another company and his name is Dustin?
Oh gosh, I hope not.
I feel like stealing my identity would be a bad idea
because they would know that I don't have the technical fluency
required for the job.
Yeah, I don't know where Kyle is.
I think Kyle is probably still sitting in a cubicle
in some office building, either in North Korea or China,
spending hours applying for jobs and waiting for one of those
resumes that he sends to get a bite from an employer. And he's probably waiting to put on a tie
for the next time he needs to appear in front of a Zoom camera and pretend to be someone who he says he is.
That's all for today, Tuesday, September 10th.
The Journal is a co-production of Spotify and the Wall Street Journal.
If you like our show, follow us on Spotify or wherever you get your podcasts.
We're out every weekday afternoon.
Thanks for listening.
See you tomorrow.