Workers with allegiances to the Democratic People's Republic of Korea (DPRK) have been infiltrating organizations worldwide through a fraudulent remote work scheme. This operation not only violates international sanctions but also poses cybersecurity risks to unwitting employers.
Drawing on publicly available information, including recent U.S. Department of Justice reports, Unit 42 has developed a guide for network defenders. While no single technique alone will detect these operatives, we propose a multi-faceted strategy that combines enhanced IT asset management, contextual analysis and strengthened security awareness.
Key to our recommendations is the implementation of a risk matrix tailored to each organization's specific environment. This matrix helps identify red flags, including the use of stolen identities, unusual work patterns and suspicious shipping addresses. We also stress the importance of rigorous background checks and the need for organizations to share information about suspicious activities.
With these strategies, organizations can strengthen their ability to detect and mitigate the risks posed by DPRK IT workers. While the threat is evolving, a proactive, informed approach can go a long way in preventing the exfiltration of sensitive data and inadvertent funding of North Korea's ambitions.
Palo Alto Networks customers are better protected from the threats discussed in this article through our Network Security platform, Prisma Access Browser offerings and Cortex line of products.
Organizations can engage the Unit 42 Incident Response team for specific assistance with this threat and others.
Related Unit 42 Topics: Wagemole, DPRK, Cybercrime
A scheme orchestrated by the DPRK has been infiltrating companies worldwide, posing significant cybersecurity risks and violating international sanctions. DPRK IT workers, operating under the direction of their government, are securing remote positions with businesses across the globe.
These operatives pose as legitimate freelancers or applicants from various countries, generating substantial revenue that directly funds North Korea's weapons of mass destruction (WMD) programs. According to U.S. Department of Justice reports, individual IT workers can earn up to $300,000 annually. The North Korean government retains up to 90% of these earnings, which collectively total hundreds of millions of dollars each year.
The tactics, techniques and procedures (TTPs) employed by these operatives include the following:
This operation puts global companies at risk of data breaches, intellectual property theft and legal consequences. The scheme takes advantage of the heightened prevalence of remote work and the challenges in verifying digital identities.
Traditional insider threat programs are unlikely to fully address this state-sponsored activity. Organizations need an approach that combines identity verification, remote work security and insider risk management.
In this analysis, Unit 42 will provide:
Our objective is to equip cybersecurity professionals and organizations with detection and defensive strategies.
DPRK IT workers employ an array of tools and techniques to infiltrate organizations and generate revenue. Their toolkit is designed to create a disposable persona, establishing false identities and maintaining the appearance of a typical legitimate employee. If any one persona is burned, the DPRK IT workers can leverage a new one easily.
The DPRK IT worker scheme begins with obtaining or fabricating identity documents.
To maintain the illusion of being a local employee, operatives use remote desktop access software such as Chrome Remote Desktop, AnyDesk, Splashtop Streamer, TeamViewer and RustDesk.
Hardware devices like TinyPilot or PiKVM serve as physical keyboard, video or mouse (KVM) over internet protocol (IP) solutions, allowing operatives to remotely control computers as if they were physically present. These small devices connect directly to a computer's HDMI and USB ports, capturing video output and relaying user inputs. This hardware-based approach can bypass many software security measures and leave few traces.
Threat actors often abuse, take advantage of or subvert legitimate products for malicious purposes. This does not imply that the legitimate product is flawed or malicious.
To avoid detection, DPRK IT workers must conceal their true geographic location. VPNs, virtual private servers (VPSs) and proxy services mask the user's source IP address and encrypt internet traffic, making it appear as though the worker is connecting from an expected location.
The combination of remote desktop software and network obfuscation tools allows operatives to convincingly mimic the online behavior of an authentic remote worker.
DPRK IT workers leverage popular freelancing and job search platforms to find potential targets. Operatives create accounts on popular job search websites, using their false identities to apply for positions. To support their cover stories, DPRK IT workers may create elaborate fake company websites. These sites lend credibility to their professional personas and can pass basic background checks.
To withstand video interviews, DPRK IT workers appear to prepare detailed responses and backstories so that their answers stay consistent. The quality of the backstory varies, with some organizations reporting that operatives are unable to answer basic questions about their life outside of what they have presented in their resume.
DPRK IT workers use a variety of financial services to monetize their activities. These include:
To tie all these elements together, DPRK IT workers rely on both physical and virtual infrastructure:
Based on publicly available information, a typical DPRK IT worker operation targeting a U.S. enterprise might unfold as follows:
An operative begins by establishing a false identity. They obtain the personal information of a U.S. citizen and create fraudulent documents, such as a driver's license, using the stolen information with the operative's photo substituted for the citizen’s.
Using this synthetic identity, the operative applies for remote IT positions at multiple U.S. companies through popular job search platforms. To maintain the illusion of being U.S.-based, they enlist a U.S. facilitator who agrees to receive and set up laptop computers, creating a laptop farm.
The facilitator receives company-issued laptops at their U.S. address and installs remote desktop applications on the devices. This allows the operative to control the laptops from their actual location, often in China or Russia, while appearing to work from the U.S.
The operative secures employment with multiple companies, often at substantial salaries. They use VPNs and proxy services to mask their true IP address when connecting to the laptops. For video interviews and meetings, they may use prepared scripts or employ U.S.-based facilitators to participate on their behalf.
Companies pay fraudulently earned wages into U.S. bank accounts, which DPRK IT workers then move through various online payment platforms and accounts, laundering the proceeds.
To counter the DPRK IT worker threat, organizations should develop a risk matrix tailored to their specific environment. This approach can detect potential operatives and enhance the overall security visibility of both internal and external threats.
DPRK IT workers employ diverse techniques, meaning there is unlikely to be any single mechanism for detection. Public records reveal a sophisticated and adaptable adversary. A risk matrix could chart each risk factor, its likelihood of occurring in a DPRK IT worker matter, and the associated risk level to an organization if found in isolation.
One hypothetical risk matrix for an organization combating DPRK IT workers could be as follows:
| Risk Factor | Likelihood | Risk Level |
| --- | --- | --- |
| Use of stolen or synthetic identities | High | High |
| Unusual IP addresses or VPN usage | High | Low |
| Unauthorized remote desktop software usage | High | High |
| Inconsistencies in background checks | High | Medium |
| Abnormal work hours or productivity | High | Low |
| Heavy use of AI or translation software | High | Low |
| Logon from Russia or China, when a worker is supposedly based elsewhere | Medium | High |
| Use of KVM over IP solutions like TinyPilot | Medium | High |
| Discrepancies in who appears in video calls | Medium | High |
| Use of U.S.-based facilitators (laptop farms; devices sent to individuals with no connection to job duties) | Medium | High |
| Unusual equipment shipping addresses | Medium | Medium |
| Attempts to access sensitive data outside job scope | Medium | High |
| Direct deposit to newer internet banking institutions | Medium | Low |
| Potential use of streaming software (to forward video/audio outputs through a remote machine) | Medium | Low |
| Use of cryptocurrency for payments | Low | Medium |
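The matrix rates each factor in isolation, so a useful exercise is to see what happens when factors stack up on one worker. The following is an added example, not Unit 42's method: the numeric weights, the likelihood-times-risk score, the review threshold and the short factor keys are all assumptions, and the observations are constructed.

```python
from collections import defaultdict

# Assumption: numeric weights for the matrix's Low/Medium/High labels.
WEIGHT = {"Low": 1, "Medium": 2, "High": 3}

# factor key -> (likelihood, risk level in isolation), transcribed from the
# matrix above; the short keys are names chosen for this example.
RISK_MATRIX = {
    "stolen_or_synthetic_identity": ("High", "High"),
    "unusual_ip_or_vpn": ("High", "Low"),
    "unauthorized_remote_desktop": ("High", "High"),
    "background_check_inconsistency": ("High", "Medium"),
    "abnormal_hours_or_productivity": ("High", "Low"),
    "heavy_ai_or_translation_use": ("High", "Low"),
    "logon_from_russia_or_china": ("Medium", "High"),
    "kvm_over_ip": ("Medium", "High"),
    "video_call_discrepancy": ("Medium", "High"),
    "us_based_facilitator": ("Medium", "High"),
    "unusual_shipping_address": ("Medium", "Medium"),
    "out_of_scope_data_access": ("Medium", "High"),
    "newer_internet_bank_deposit": ("Medium", "Low"),
    "streaming_software": ("Medium", "Low"),
    "cryptocurrency_payment": ("Low", "Medium"),
}

REVIEW_THRESHOLD = 9  # assumption: tune to the organization's own baseline
TIER_ORDER = {"investigate": 0, "review": 1, "monitor": 2}

# Constructed observations: (worker id, factor) pairs from different sources.
OBSERVATIONS = [
    ("w-1001", "unusual_ip_or_vpn"),
    ("w-1002", "unusual_ip_or_vpn"),
    ("w-1002", "abnormal_hours_or_productivity"),
    ("w-1002", "heavy_ai_or_translation_use"),
    ("w-1002", "unusual_ip_or_vpn"),        # repeat sighting, counted once
    ("w-1003", "kvm_over_ip"),
    ("w-1003", "unusual_shipping_address"),
    ("w-1003", "badge_reader_mismatch"),    # not in the matrix: surfaced, not scored
]


def score_worker(factors):
    """Return (score, tier, unknown_factors) for one worker's observed factors."""
    factors = set(factors)
    known = {f for f in factors if f in RISK_MATRIX}
    unknown = sorted(factors - known)
    score = sum(WEIGHT[RISK_MATRIX[f][0]] * WEIGHT[RISK_MATRIX[f][1]] for f in known)
    if any(RISK_MATRIX[f][1] == "High" for f in known):
        tier = "investigate"   # one High-risk factor is enough on its own
    elif score >= REVIEW_THRESHOLD:
        tier = "review"        # individually weak signals that add up
    else:
        tier = "monitor"
    return score, tier, unknown


def triage(observations):
    """Group observations by worker and return them ranked for analyst review."""
    per_worker = defaultdict(set)
    for worker, factor in observations:
        per_worker[worker].add(factor)
    ranked = []
    for worker, factors in per_worker.items():
        score, tier, unknown = score_worker(factors)
        ranked.append({"worker": worker, "score": score, "tier": tier,
                       "factors": sorted(factors), "unknown": unknown})
    ranked.sort(key=lambda r: (TIER_ORDER[r["tier"]], -r["score"], r["worker"]))
    return ranked


if __name__ == "__main__":
    for row in triage(OBSERVATIONS):
        print(row)
```

In the sample, w-1002 shows only factors rated Low in isolation, yet three of them together reach the review tier, while a single VPN sighting for w-1001 stays at monitor.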
Keeping accessible records of IT asset distribution helps defense staff and incident responders track anomalies, such as unexpected delivery locations or shipping forwarding services.
We recommend establishing protocols that flag the use of forwarding services and identify when different employees have had multiple devices shipped to the same address. By auditing the physical addresses associated with equipment shipments, organizations can add another layer of security to their network defense strategies.
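One way to run the shipping-address audit described above, as an added example rather than Unit 42 tooling. The record layout, the forwarding-location list, the abbreviation table and every address are constructed assumptions; a real deployment would read from the asset inventory and HR system.

```python
import re
from collections import defaultdict

# Constructed sample records: (asset_tag, employee_id, hr_home_address, ship_to_address).
SHIPMENTS = [
    ("LT-0001", "e-201", "12 Oak Street, Apt 4, Springfield, IL",
     "12 Oak St. Apt #4, Springfield IL"),
    ("LT-0002", "e-202", "77 Pine Road, Dayton, OH",
     "500 Elm Avenue, Suite 9, Mesa, AZ"),
    ("LT-0003", "e-203", "3 Lake Drive, Tulsa, OK",
     "500 Elm Ave Ste 9, Mesa, AZ"),
    ("LT-0004", "e-204", "9 Hill Road, Reno, NV",
     "1 Parcel Way, Box 310, Newark, DE"),
]

# Assumption: a locally maintained list of forwarding-service locations, each
# as (street line, city/state). Customers there differ only by box or suite.
FORWARDERS = [("1 Parcel Way", "Newark, DE")]

ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
          "suite": "ste", "apartment": "apt", "boulevard": "blvd"}


def normalize(address):
    """Canonical form so that spelling variants of one address compare equal."""
    tokens = re.sub(r"[^a-z0-9]+", " ", address.lower()).split()
    return " ".join(ABBREV.get(tok, tok) for tok in tokens)


def is_forwarder(key, forwarders=FORWARDERS):
    """True when a normalized address sits at a listed forwarding location."""
    for street, locality in forwarders:
        street_n, locality_n = normalize(street), normalize(locality)
        if key.startswith(street_n + " ") and key.endswith(" " + locality_n):
            return True
    return False


def audit_shipments(shipments, max_employees_per_address=1):
    """Return a list of (finding, normalized_address, detail) tuples."""
    findings = []
    recipients = defaultdict(set)  # normalized ship-to address -> employee ids
    for asset, employee, home, ship_to in shipments:
        key = normalize(ship_to)
        recipients[key].add(employee)
        if is_forwarder(key):
            findings.append(("forwarding_service", key, asset))
        if key != normalize(home):
            findings.append(("differs_from_hr_address", key, asset))
    # Devices for different employees converging on one address is the
    # laptop-farm pattern; report it once per address.
    for key, employees in recipients.items():
        if len(employees) > max_employees_per_address:
            findings.append(("shared_by_employees", key, sorted(employees)))
    return findings


if __name__ == "__main__":
    for finding in audit_shipments(SHIPMENTS):
        print(finding)
```

Normalization matters here: without it, "500 Elm Avenue, Suite 9" and "500 Elm Ave Ste 9" would count as two addresses and the shared destination would go unnoticed.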
We also recommend using endpoint security and endpoint management solutions for:
These tools can provide a variety of useful functionalities:
Additionally, DPRK IT workers may leave crucial evidence in log sources often overlooked in log centralizing solutions, such as a security information and event management (SIEM) product. For example, Unit 42 recommends the ingestion of logs from:
Scrutinizing anomalous IP addresses significantly bolsters a company's security stance. DPRK IT workers rely on VPN services that function well in China, such as Astrill VPN.
Companies can also employ Spur Intelligence Corporation's tools, including their free service at spur[.]us/app/context, which offers insights into IP addresses. This tool can identify a VPN exit node used by a DPRK IT worker, providing context for further investigation, as seen in Figure 2.
Spur continually updates its detections, which are available by API or client-side databases.
The human element is a critical factor in the security breaches orchestrated by DPRK IT workers. These actors often exploit the inherent positivity bias—the tendency to overlook red flags in favor of a more favorable view of a person. Organizations must enhance their human firewall (i.e., the collective vigilance and security awareness of their staff).
Instill a culture of caution and responsibility. Security awareness training should be comprehensive, going beyond annual videos to actively engage employees in security practices. Train your staff to recognize and report anomalies, understanding that they play a critical role in the organization's security.
Organizations that employ remote tech workers, particularly in a contract capacity, should implement manager training focused on this threat and provide incident reporting channels.
Operational security measures are also crucial. Enforce the principle of least privilege, ensuring that individuals have access only to the resources necessary for their job functions and no more. Regular reviews and audits of access privileges can prevent the accumulation of access rights that a DPRK IT worker might exploit.
Network segmentation is another effective strategy. By dividing the network into separate segments, organizations can contain and limit the movement of DPRK IT workers within their systems, reducing the reach of any potential compromise.
Moreover, organizations can employ monitoring strategies such as anomaly detection systems to spot not just DPRK IT workers, but other threats as well. If possible, the integration of advanced threat detection tools along with a defined incident response team can provide speedier containment.
Further, organizations should implement secure coding practices, regular security patches and updates along with endpoint protection, contributing to a robust security posture that can withstand attempts at infiltration. These activities can also help mitigate the damage done by DPRK IT workers.
We recommend organizations engage specialized firms that offer identity document verification services to mitigate the risks associated with manipulated identification documents. These firms are equipped with tools and expertise to detect inconsistencies and signs of tampering in documents that might not be evident to untrained personnel. Unit 42, working with Vcheck Global, has created a workflow specifically designed to combat worker identity fraud. Unit 42 can facilitate an introduction to interested parties. Identity verification is the single best opportunity for network defenders when tackling this threat before network intrusion.
Additionally, we recommend correlating worker IDs with liveness checks by their hiring manager, who can compare the ID provided during the background check with the individual on camera, as well as during the interview process.
Some organizations rely on staffing firms to manage identity verification and background checks, accepting a statement of completion from the providers. Organizations should not assume that a staffing firm's attestation guarantees identity verification. Independent verification or strict oversight of the staffing firm's procedures mitigates the risk of infiltration by malicious actors. This could include:
Unit 42 encourages organizations to proactively share information on suspicious employees or applicants with others. DPRK IT workers’ resumes and social media profiles could provide clues to other potential victims.
We further encourage organizations to prioritize information sharing around known DPRK IT workers with the following types of organizations:
Finally, we believe organizations that report their incidents to law enforcement (particularly the FBI) could receive helpful guidance on containment.
NGFW customers with Panorama can use the following dashboard to identify remote access users in their environment:
```json
[{"viewID":"RMM and VPN","viewConfig":[[[{"xtypeConfig":"ACC_Application_Usage","localfilters":[{"name":"subcategory-of-app","value":"proxy","originalname":"subcategory-of-app","originalvalue":"proxy","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"subcategory-of-app","value":"remote-access","originalname":"subcategory-of-app","originalvalue":"remote-access","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"subcategory-of-app","value":"encrypted-tunnel","originalname":"subcategory-of-app","originalvalue":"encrypted-tunnel","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"app","value":"ssl","originalname":"app","originalvalue":"ssl","negate":true,"display":"Application","logtype":"trsum","vtype":"objectName"}],"sort":"bytes","view":"ACCTreeMapPanelApplication","breadcrumbs":[{"key":"bytes","val":[]}],"inlinelocalfilters":[]},{"xtypeConfig":"ACC_Sources","localfilters":[{"name":"subcategory-of-app","value":"proxy","originalname":"subcategory-of-app","originalvalue":"proxy","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"subcategory-of-app","value":"remote-access","originalname":"subcategory-of-app","originalvalue":"remote-access","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"subcategory-of-app","value":"encrypted-tunnel","originalname":"subcategory-of-app","originalvalue":"encrypted-tunnel","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"app","value":"ssl","originalname":"app","originalvalue":"ssl","negate":true,"display":"Application","logtype":"trsum","vtype":"objectName"}],"sort":"bytes","view":"line","breadcrumbs":[],"inlinelocalfilters":[]},{"xtypeConfig":"ACC_Decryption_Traffic_Activity","localfilters":[]}],[{"xtypeConfig":"ACC_Rule_Usage","localfilters":[{"name":"subcategory-of-app","value":"proxy","originalname":"subcategory-of-app","originalvalue":"proxy","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"subcategory-of-app","value":"remote-access","originalname":"subcategory-of-app","originalvalue":"remote-access","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"subcategory-of-app","value":"encrypted-tunnel","originalname":"subcategory-of-app","originalvalue":"encrypted-tunnel","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"app","value":"ssl","originalname":"app","originalvalue":"ssl","negate":true,"display":"Application","logtype":"trsum","vtype":"objectName"}],"sort":"bytes","view":"line","breadcrumbs":[],"inlinelocalfilters":[]},{"xtypeConfig":"ACC_Destinations","localfilters":[{"name":"subcategory-of-app","value":"proxy","originalname":"subcategory-of-app","originalvalue":"proxy","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"subcategory-of-app","value":"remote-access","originalname":"subcategory-of-app","originalvalue":"remote-access","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"subcategory-of-app","value":"encrypted-tunnel","originalname":"subcategory-of-app","originalvalue":"encrypted-tunnel","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"app","value":"ssl","originalname":"app","originalvalue":"ssl","negate":true,"display":"Application","logtype":"trsum","vtype":"objectName"}],"sort":"bytes","view":"line","breadcrumbs":[],"inlinelocalfilters":[]},{"xtypeConfig":"ACC_Dest_Regions","localfilters":[{"name":"subcategory-of-app","value":"proxy","originalname":"subcategory-of-app","originalvalue":"proxy","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"subcategory-of-app","value":"remote-access","originalname":"subcategory-of-app","originalvalue":"remote-access","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"subcategory-of-app","value":"encrypted-tunnel","originalname":"subcategory-of-app","originalvalue":"encrypted-tunnel","negate":false,"display":"App Sub Category","logtype":"trsum"},{"name":"app","value":"ssl","originalname":"app","originalvalue":"ssl","negate":true,"display":"Application","logtype":"trsum","vtype":"objectName"}],"sort":"bytes","view":"map","breadcrumbs":[],"inlinelocalfilters":[]}]]]}]
```
Cortex XDR customers can use the following query to hunt for executions of certain remote monitoring and management (RMM) tools in their environment over the past 30 days:
```
// Name: RMM Sweep
// Purpose: Detect and analyze RMM tools in environment
// Configuration: Turn off case sensitivity, set timeframe to last 30 days (adjustable)
config case_sensitive = false timeframe = 30D
// Dataset
| dataset = xdr_data
// Filter for various remote execution clients
| filter event_type = PROCESS and event_sub_type = PROCESS_START and
(
    // AnyDesk
    lowercase(action_process_image_name) ~= "anydesk.*[.]exe|anydesk" or
    lowercase(action_file_path) contains "anydesk" or
    // Action1
    lowercase(action_process_image_name) ~= "action1|action1.*[.]exe" or
    lowercase(action_file_path) contains "action1" or
    // Atera
    lowercase(action_process_image_name) ~= "ateraagent|ateraagent.exe" or
    lowercase(action_file_path) contains "atera agent" or
    action_process_signature_vendor = "Atera Networks" or
    // ConnectWise
    action_process_signature_vendor in ("ConnectWise, LLC", "ConnectWise, Inc.") or
    // Google Chrome Remote Desktop
    lowercase(action_process_image_name) ~= "remoting.*host[.]exe|remoting_host.*" or
    (lowercase(action_process_image_path) contains "appdata\\google\\chrome\\extensions" and
     lowercase(action_process_image_command_line) ~= "inomeogfingihgjfjlpeplalcfajhgai|gbchcmhmhahfdphkhkmpfmihenigjmpp") or
    // FleetDeck
    action_process_signature_vendor = "FleetDeck Inc" or
    lowercase(action_process_image_name) contains "fleetdeck" or
    // Level.io
    lowercase(action_process_image_name) ~= "level[.]io.*[.]exe|level[.]io" or
    // MeshCentral
    lowercase(action_process_image_name) contains "meshagent" or
    // NetSupport Manager
    lowercase(action_process_image_path) contains "netsupport manager" or
    lowercase(action_file_path) contains "netsupport manager" or
    lowercase(action_process_image_name) in ("pcilic.exe", "pcideply.exe") or
    // Quick Assist
    lowercase(action_process_image_name) ~= "quick assist|quickassist.exe" or
    lowercase(action_file_path) contains "quick assist" or
    // RustDesk
    lowercase(action_process_image_name) ~= "rustdesk|rustdesk.exe" or
    lowercase(action_file_path) contains "rustdesk" or
    // SimpleHelp
    lowercase(action_process_image_name) contains "simpplehelp.exe" or
    lowercase(action_process_signature_vendor) contains "simplehelp ltd" or
    lowercase(action_file_path) contains "simplehelp" or
    // Splashtop
    lowercase(action_process_image_name) contains "srservice.exe" or
    lowercase(action_process_signature_vendor) contains "splashtop inc" or
    lowercase(action_file_path) contains "splashtop" or
    // TeamViewer
    lowercase(action_process_image_name) in ("teamviewer", "tv_w32.exe") or
    (lowercase(action_process_image_name) = "mshta.exe" and
     lowercase(action_process_image_command_line) contains "teamviewer") or
    // VS Code Developer Tunnel
    lowercase(action_process_image_command_line) ~= "vscode[.]dev\\tunnel|code tunnel.*" or
    lowercase(action_file_path) contains "microsoft vs code" or
    (lowercase(action_process_image_name) = "code.exe" and
     lowercase(action_process_image_command_line) contains "code tunnel")
)
// Label detected RMM tools
| alter Note = if(
    lowercase(action_process_image_name) = "mshta.exe", "TeamViewer",
    lowercase(action_process_image_name) contains "fleetdeck", "Fleetdeck",
    lowercase(action_process_image_name) contains "anydesk", "AnyDesk",
    lowercase(action_process_image_name) contains "action1", "Action1",
    lowercase(action_process_image_name) contains "ateraagent", "Atera Agent",
    lowercase(action_process_image_name) contains "level.io", "Level.io",
    lowercase(action_process_image_name) contains "quickassist", "Quick Assist",
    lowercase(action_process_image_name) contains "meshagent", "MeshCentral Agent",
    lowercase(action_process_image_path) contains "netsupport manager", "NetSupport Manager",
    lowercase(action_process_image_name) in ("pcideply.exe", "client32.exe"), "NetSupport Manager",
    lowercase(action_process_image_name) ~= "remoting.*host[.]exe|remoting_host.*", "Google Chrome Remote Desktop",
    lowercase(action_process_signature_vendor) contains "splashtop", "Splashtop",
    lowercase(action_process_image_name) contains "rustdesk", "Rust Remote Desktop",
    lowercase(action_file_path) contains "microsoft vs code", "VS Code Developer Tunnel",
    lowercase(action_process_image_name) contains "tv_w32.exe", "TeamViewer",
    action_process_signature_vendor in ("ConnectWise, LLC", "ConnectWise, Inc."), "ConnectWise",
    action_process_signature_vendor = "FleetDeck Inc", "FleetDeck",
    action_process_signature_vendor = "SimpleHelp Ltd", "Simple Help",
    action_process_signature_vendor = "NetSupport Ltd", "NetSupport Manager",
    action_process_signature_vendor = "Zhou Huabing", "Rust Remote Desktop",
    lowercase(action_process_image_name) contains "teamviewer", "TeamViewer",
    "Unknown RMM Tool"
)
// Aggregate results, count occurrences and display most recent execution time
| comp count() as runCount, max(_time) as lastTime by agent_hostname, action_process_image_command_line, action_process_username, action_process_image_name, action_process_image_path, action_process_image_sha256, Note
// Return fields of interest
| fields agent_hostname, action_process_image_command_line, action_process_username, action_process_image_name, action_process_image_path, action_process_image_sha256, runCount, lastTime, Note
// Sort results by hostname and run count
| sort desc runCount
```
The threat posed by DPRK IT workers represents a challenge for organizations. These state-sponsored actors have demonstrated adaptability and resourcefulness in their efforts to infiltrate companies, generate revenue for North Korea's weapons programs, and potentially exfiltrate sensitive information.
Our analysis reveals a sophisticated operation that exploits the architecture of human resources operations. The operation leverages a combination of identity fraud, technological tools and social engineering to compromise organizations.
While no single measure can guarantee protection against this threat, a layered defense strategy significantly improves an organization's ability to detect and mitigate against DPRK IT workers and a variety of similar threats. Regular audits, continuous monitoring and staying informed about evolving TTPs will help in maintaining an effective security posture.
As DPRK IT workers continue to refine their methods, the global cybersecurity community must remain vigilant and adaptive. By implementing the strategies outlined in this analysis and fostering collaboration between private sector entities and law enforcement agencies, we can work toward disrupting this revenue stream and protecting sensitive assets.
Palo Alto Networks customers can better protect against the threats discussed above through the following products:
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.