North Korean insider threats made headlines in 2024, prompting organizations to apply greater scrutiny to both their threat detection and their hiring practices.
Insider threats comprise a broad array of suspicious and malicious activity carried out by employees or people otherwise affiliated with an organization. In this section, we’re going to focus on one particular variety of insider threat that rose to prominence following a Mandiant report published in September 2024. The report detailed an initiative purportedly organized by the Democratic People’s Republic of Korea (DPRK, aka North Korea) that was intended to circumvent sanctions and generate revenue for the country by tricking organizations into unwittingly hiring North Korean workers posing as individuals from other countries. Mandiant reported that these individuals had also leveraged their access to organizations to conduct other kinds of malicious intrusions, beyond merely collecting paychecks to provide revenue for their home country.
It’s important for organizations to understand this threat both specifically and in the abstract. While the report and the subsequent headlines about North Korean workers infiltrating organizations are relatively new, the idea that geopolitical adversaries might place their own people inside companies is not. It’s highly likely that this kind of activity has been in the playbooks of countries with sophisticated espionage and offensive cyber capabilities for years or even decades. The key distinction is that North Korea’s objectives are primarily profit-driven, whereas similar activity undertaken by other countries is more likely focused on espionage, intellectual property theft, and related strategic goals.
Organizations and their leaders ought to be aware of the risk posed by this variety of insider threat, even though it may manifest in very different ways. For example, if you manufacture microcontrollers and are deeply involved in the hypercompetitive, global semiconductor trade that touches everything from weapons systems to transportation to literally every variety of computing device, then you may have serious reasons to suspect that your country’s geopolitical foes have a vested interest in implanting malicious insiders within your company to steal data or spy. To complicate matters further, the supply chain for semiconductors, and the employees you might expect to work within it, is global as well. So it’s reasonable to have workers capable of obtaining highly sought-after intellectual property travelling to and from, or even living in, adversarial nations. Understanding the magnitude of the insider threat problem and the wide array of motivations behind insider threats at companies like these is a tall order.
On the other hand, if you make shoes, then you may be a more likely target for insiders who are profit motivated like those described in Mandiant’s report. In either case, this reporting and the revelations surrounding it highlight the importance of vetting and monitoring employee activities in relation to their roles, access, and overall expected behavior, and should serve as a reminder to organizations of the risks posed by insider threats.
Mandiant has been tracking this activity as UNC5267 across numerous incident response engagements since 2022, though they believe the campaign may date back as far as 2018. We won’t retread all of the details in Mandiant’s report, since you can (and should) read it directly from the source. That said, the report included extensive technical information that’s proven useful in helping other organizations identify potential North Korean nationals working within their own organizations.
In fact, Red Canary conducted a wide-ranging threat hunt across our customer base using information from the report (e.g., network indicators, such as IP addresses, Autonomous System Numbers, and known-abused VPNs) shortly after its release—and we immediately discovered unusual sign-ins from abnormal VPNs consistent with details described in the Mandiant report. We’re highly confident that countless other organizations and security vendors made similar discoveries in the weeks and months following the release of Mandiant’s report, and we believe this may be a widespread, ongoing problem across organizations.
Identifying potential impostor employees is a difficult task that requires correlating multiple data points across multiple telemetry sources. One common indication of suspicious activity is a user connecting from unusual IP ranges, including those belonging to consumer VPN products. Although not inherently malicious, this anomalous activity is enough to warrant further investigation, but doing so means you have to be able to collect and investigate identity data, whether from an identity provider or from SaaS platforms such as Google Workspace or Microsoft 365.
The report also indicated that the workers often leveraged remote access tools to reach company-issued devices. Those devices seem to have been shipped to laptop farms rather than directly to the impostor employees, presumably to cloak their true locations. The workers also leveraged software like Caffeine to keep computers from going into sleep mode and maintain the illusion that the fake employees were online, at their computers, and working. Having the ability to detect unsanctioned remote access tools in your environment may help you detect this and other malicious activity. Software like Caffeine is often categorized as potentially unwanted software, and organizations display a wide range of tolerance for detections associated with this kind of software, from not wanting to know about its presence at all to being very disciplined about ensuring it is removed from their machines immediately.
Red Canary cannot definitively say that suspicious activity we uncovered was associated with DPRK IT workers, but these incidents bore many of the hallmarks described in the Mandiant report. Beyond the technical indicators we used to find these potential insiders, affected organizations reported discrepancies around information relating to home addresses, an unusually low amount of activity on the accounts and endpoints associated with the suspicious insiders, a lack of communication between suspected insiders and their supervisors, and more.
Ultimately, the problem of unwittingly hiring impostor employees is just that: a hiring problem. As such, the best way to prevent it from occurring is to implement rigorous methods of accurately validating the identities of job applicants before they are granted access.
Beyond very specific indicators of compromise listed in Mandiant’s report, the best way to detect this variety of insider threat is to develop policies regulating the kinds of VPNs, remote management and monitoring (RMM) tools, and potentially unwanted programs that are allowed in your environment. From there, it’s simply a matter of developing detection coverage for the things that aren’t allowed.
Detecting RMM tools is a little tricky since they are something of a moving target. There are dozens of RMM tools readily available to adversaries, some of them open source and easily modified or renamed to evade detection. Application control solutions that block unapproved executables can offer robust protection against RMM tools, but they can also be difficult to implement and enforce at scale. We’ve written extensively about how to detect RMM abuse in the past, including detection guidance for numerous popular RMM tools. We also develop and maintain a free and open source baselining tool called Surveyor, which includes definition files for dozens of popular remote access tools. You can use Surveyor in an environment with a supported EDR to find unexpected RMM tools.
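To make the endpoint side of this concrete (the unsanctioned remote access tools and the keep-awake utility described in the Mandiant findings above, and the policy-driven detection coverage described here), the following is an added example and not Red Canary’s Surveyor or any vendor’s detection logic. It runs a small definition set over constructed EDR-style process-start events, treats one RMM tool as sanctioned (an assumption), catches a renamed binary by comparing the PE original filename, and lets you choose how loudly to treat Caffeine. The process names in the definitions are illustrative and should be checked against your own telemetry.

```python
"""
Hypothetical hunt over EDR process-start telemetry for unsanctioned remote
access tools and keep-awake utilities such as Caffeine. Added example; it is
not Red Canary's Surveyor or any vendor's detection logic. Tool definitions
are illustrative, the sanctioned-tool list is an assumption, and the sample
events are constructed.
"""
from dataclasses import dataclass

# Definition set in the spirit of an RMM definition file: tool -> (category,
# lowercase process names / PE original filenames it is known to run as).
TOOL_DEFINITIONS = {
    "anydesk":       ("rmm", {"anydesk.exe"}),
    "teamviewer":    ("rmm", {"teamviewer.exe", "teamviewer_service.exe", "tv_w32.exe", "tv_x64.exe"}),
    "screenconnect": ("rmm", {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}),
    "caffeine":      ("pup", {"caffeine.exe", "caffeine32.exe", "caffeine64.exe"}),
}

# Policy (assumed): the RMM tools the organization has approved. How to treat
# keep-awake utilities is a parameter of hunt(), "alert" or "ignore".
SANCTIONED_RMM = frozenset({"anydesk"})


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    tool: str
    category: str
    reason: str


def classify(process: str, original_filename: str):
    """Return (tool, category, renamed) for a known tool, else None.
    Checking the PE original filename catches binaries renamed to blend in."""
    proc, orig = process.lower(), original_filename.lower()
    for tool, (category, names) in TOOL_DEFINITIONS.items():
        if proc in names or orig in names:
            return tool, category, proc not in names
    return None


def hunt(events, sanctioned=SANCTIONED_RMM, pup_policy="alert"):
    """Apply the policy to process events and return the findings."""
    findings = []
    for ev in events:
        hit = classify(ev.get("process", ""), ev.get("original_filename", ""))
        if hit is None:
            continue
        tool, category, renamed = hit
        if category == "rmm" and tool in sanctioned and not renamed:
            continue  # sanctioned tool under its own name: expected
        if category == "pup" and pup_policy == "ignore":
            continue
        reason = ("unsanctioned remote access tool" if category == "rmm"
                  else "keep-awake utility (potentially unwanted)")
        if renamed:  # a sanctioned tool that has been renamed is still suspicious
            reason += f"; renamed to {ev['process']} (original filename {ev['original_filename']})"
        findings.append(Finding(ev["host"], ev["user"], tool, category, reason))
    return findings


def hosts_with_rmm_and_keepawake(findings):
    """Hosts showing both patterns together, the combination described above."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.category)
    return {h for h, cats in by_host.items() if {"rmm", "pup"} <= cats}


# Constructed sample events; fields mimic common EDR process-start telemetry.
SAMPLE_EVENTS = [
    {"host": "wks-017", "user": "jdoe",    "process": "AnyDesk.exe",    "original_filename": "AnyDesk.exe"},
    {"host": "wks-042", "user": "asmith",  "process": "svchost.exe",    "original_filename": "TeamViewer.exe"},
    {"host": "wks-042", "user": "asmith",  "process": "caffeine64.exe", "original_filename": "caffeine64.exe"},
    {"host": "wks-003", "user": "bnguyen", "process": "chrome.exe",     "original_filename": "chrome.exe"},
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f)
    print("hosts with both patterns:", hosts_with_rmm_and_keepawake(results))
```

The sanctioned list is what turns this from a noisy inventory into a detection: only tools outside the policy, or sanctioned tools running under a different name, produce findings, and the host-level roll-up surfaces the endpoint that shows both an unexpected remote access tool and a keep-awake utility.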
Detecting VPN abuse can be a little trickier. For one, network-based indicators for VPNs may change periodically and have a limited shelf life. While some VPNs have an agent that you can potentially detect at installation (or block via some kind of application block-list solution), this isn’t always the case. Many identity providers generate alerts based on suspicious IP ranges or VPN use, and these alerts may uncover VPN abuse but they can also be noisy and difficult to investigate. Similarly, many identity providers will generate raw logs or telemetry that you can investigate or use to develop custom detection analytics. However, doing so to combat VPN use may require leveraging the logs in tandem with some kind of IP reputation score tool.
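The identity side, the unusual sign-in sources mentioned earlier and the combination of identity provider logs with an IP reputation or ASN source described here, looks like the following. This is an added example, not Red Canary’s or any identity provider’s analytic. The IP-to-ASN table stands in for a reputation feed and is constructed (RFC 5737 documentation addresses and RFC 5398 documentation ASNs), the sign-in records are constructed, and the weights and threshold are assumptions to tune against your own data.

```python
"""
Hypothetical identity sign-in analytic: scores sign-ins from consumer VPN or
hosting ranges, from ASNs and countries outside a user's baseline, and country
changes too fast to be real travel. Added example, not Red Canary's or any
identity provider's code. IP intel, events, weights and threshold are
constructed/assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Stand-in for an IP reputation / ASN feed. Real feeds change over time, which
# is why these values should be refreshed from a source rather than hard-coded.
IP_INTEL = [
    (ipaddress.ip_network("192.0.2.0/24"),    {"asn": 64496, "org": "Example ISP",     "country": "US", "category": "residential"}),
    (ipaddress.ip_network("198.51.100.0/24"), {"asn": 64497, "org": "Example VPN Co",  "country": "NL", "category": "consumer_vpn"}),
    (ipaddress.ip_network("203.0.113.0/24"),  {"asn": 64498, "org": "Example Hosting", "country": "US", "category": "hosting"}),
]
UNKNOWN = {"asn": None, "org": "unknown", "country": "??", "category": "unknown"}

# Scoring policy (assumed). Consumer VPN and hosting ranges are not malicious on
# their own, so they add to a score rather than alerting outright.
CATEGORY_WEIGHT = {"consumer_vpn": 3, "hosting": 2}
NEW_COUNTRY_WEIGHT = 2
NEW_ASN_WEIGHT = 1
TRAVEL_WEIGHT = 3
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is suspicious
ALERT_THRESHOLD = 3


def enrich(ip: str) -> dict:
    """Longest-prefix style lookup against the constructed intel table."""
    addr = ipaddress.ip_address(ip)
    for net, info in IP_INTEL:
        if addr in net:
            return info
    return UNKNOWN


def build_baseline(history):
    """Per-user ASNs and countries seen during an assumed known-good window."""
    baseline = {}
    for ev in history:
        info = enrich(ev["ip"])
        b = baseline.setdefault(ev["user"], {"asns": set(), "countries": set()})
        b["asns"].add(info["asn"])
        b["countries"].add(info["country"])
    return baseline


@dataclass
class Finding:
    user: str
    ip: str
    time: datetime
    score: int
    reasons: list


def score_signins(events, baseline):
    """Score each sign-in against the baseline; return those over threshold."""
    findings = []
    last_seen = {}  # user -> (time, country) of the previous sign-in
    for ev in sorted(events, key=lambda e: e["time"]):
        info = enrich(ev["ip"])
        b = baseline.get(ev["user"], {"asns": set(), "countries": set()})
        score, reasons = 0, []
        weight = CATEGORY_WEIGHT.get(info["category"], 0)
        if weight:
            score += weight
            reasons.append(f"{info['category']} range ({info['org']}, AS{info['asn']})")
        if info["country"] not in b["countries"]:
            score += NEW_COUNTRY_WEIGHT
            reasons.append(f"new country {info['country']}")
        if info["asn"] not in b["asns"]:
            score += NEW_ASN_WEIGHT
            reasons.append(f"new ASN AS{info['asn']}")
        prev = last_seen.get(ev["user"])
        if prev and prev[1] != info["country"] and ev["time"] - prev[0] < TRAVEL_WINDOW:
            score += TRAVEL_WEIGHT
            reasons.append(f"country changed {prev[1]}->{info['country']} within {TRAVEL_WINDOW}")
        last_seen[ev["user"]] = (ev["time"], info["country"])
        if score >= ALERT_THRESHOLD:
            findings.append(Finding(ev["user"], ev["ip"], ev["time"], score, reasons))
    return findings


def _t(s):
    return datetime.fromisoformat(s)

# Constructed sign-ins: a prior window assumed benign, then the period to review.
HISTORY = [
    {"user": "jdoe",   "ip": "192.0.2.10", "time": _t("2024-10-01T14:00:00")},
    {"user": "asmith", "ip": "192.0.2.50", "time": _t("2024-10-01T15:00:00")},
]
NEW_SIGNINS = [
    {"user": "jdoe",   "ip": "192.0.2.11",   "time": _t("2024-11-04T13:05:00")},  # same ISP and country
    {"user": "asmith", "ip": "198.51.100.7", "time": _t("2024-11-04T09:00:00")},  # consumer VPN, NL
    {"user": "asmith", "ip": "192.0.2.50",   "time": _t("2024-11-04T09:40:00")},  # back in US 40 min later
    {"user": "asmith", "ip": "203.0.113.9",  "time": _t("2024-11-05T08:30:00")},  # hosting range
]

if __name__ == "__main__":
    for f in score_signins(NEW_SIGNINS, build_baseline(HISTORY)):
        print(f.user, f.ip, f.time, f.score, "; ".join(f.reasons))
```

The baseline is what keeps the analytic from being just a VPN blocklist: a user who has always signed in through a hosting range scores lower than one who suddenly appears from one, and the short-window country change catches the case where a VPN exit and a home address disagree even when neither range is on a reputation list.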
For more technical details and guidance, see the VPN abuse trend page.