The Key Interview Question to Shield You From North Korean Fake Workers

The FBI and other agencies provide guidelines for identifying North Korean infiltrators, yet advancements in artificial intelligence will complicate these efforts.

RSAC Worried that a fresh hire could be a North Korean agent aiming to pilfer proprietary information before launching a cyberattack on the organization? There’s a solution, for now anyway....

As stated by Adam Meyers, who holds the position of Senior VEEP at CrowdStrike within their counter-adversary unit, operatives from North Korea assume various positions globally all through the year. It is reported that thousands of these individuals have penetrated organizations listed among the Fortune 500.

They are hiding IP addresses, shipping laptop farms to America so they can use these devices as proxies to seem like they’re operating within the USA, and they are employing AI technology. However, there’s an interview question that invariably exposes their tactics, leading candidates to withdraw from the hiring process.

One of my preferred questions during interviews, as we have spoken with many candidates before, goes along the lines of asking them ‘If you had to estimate how overweight would you consider Kim Jong Un?’ Most people end the conversation right away since they do not want to make a disparaging comment,” he said at a panel discussion during the RSA Conference in San Francisco on Monday.

Meyers detailed how North Korea plans to utilize generative artificial intelligence to create large quantities of LinkedIn profiles and job applications targeting remote positions with Western firms. In interviews, different groups will tackle various technical hurdles involved in the application process, whereas the “main actor” manages the practical aspects of the interview, albeit often poorly.

"What we've observed is that applicants from Poland often have complex names," he explained. "However, during video interviews, they appear as young Asian males of military age who struggle to pronounce their own names correctly." Despite these inconsistencies, many still manage to secure jobs, resulting in significant sums of money being redirected to North Korea through this method.

After securing this prestigious position, these employees often thrive within the organization because numerous individuals collaborate on single tasks to ensure top-quality output—aiming for advancement and greater access to the company’s resources—as clarified by panelist FBI Special Agent Elizabeth Pelker.

"I think more often than not, I get the comment of 'Oh, but Johnny is our best performer. Do we actually need to fire him?" she said.

The aims of these phony workers are two-fold, she explained. Firstly, they earn a wage and use their access to steal intellectual property from the victim. This is usually exfiltrated in tiny chunks so as to not trigger security systems.

She mentioned that one approach they adopted was requiring candidates to complete coding assessments directly at their workplace. This setup enables them to verify the use of proprietary information, observe how frequently applicants switch windows during the test, and potentially uncover indications suggesting something might be amiss.

Should the intruder be identified and terminated, they typically would have already gathered login credentials, installed dormant malicious software, and subsequently try to extract as much money as possible from the target. She advised anybody who recognizes a bogus staff member to promptly reach out to their nearest FBI branch.

However, the assailants are becoming more intelligent, and in certain aspects, the FBI is suffering from its own achievements.

The agency has been distributing advice to US companies but these memos are also being read in Pyongyang and the workers are adapting their tactics. This sometimes involves using both aware and unwitting accomplices.

To circumvent the issue of IP addresses, laptop farms are proliferating across America. When someone secures employment, the company typically provides them with a laptop. At this juncture, the newly hired individual might mention that they’ve relocated or encountered a family emergency, requesting that their device be shipped to a different address instead.

It’s probably a laptop farm where an individual in the U.S. operates laptops from valid addresses for a payment usually amounting to approximately $200 per device, as stated by Meyers. The previous year, law enforcement officials shut down a similar setup in Nashville, Tennessee. They then indicted the person running this scheme on charges including conspiracy to inflict harm on protected devices, planning to wash money obtained through illegal activities, plotting to carry out wire fraud, intentionally damaging secured systems, engaging in severe cases of identity theft, and conspiring to facilitate unauthorized work by non-citizens.

Instead of generating new identities, North Korean workers are now resorting to theft or deception to obtain the ones they desire. They convince individuals to hand over their identities, often claiming it’s for a noble purpose. In Ukraine, this has evolved into an expanding industry where people are persuaded to share their personal information with intermediaries, supposedly to use these details against Chinese operatives supporting Russia.

“Regrettably, since this supports North Koreans, the funds end up flowing back into the hands of the North Korean government,” explained Chris Horne, who serves as a senior director at the job platform Upworthy. “This ultimately contributes to financing the forces operating via Russia. As such, these actions inadvertently aid in their own downfall in Ukraine.”

We have witnessed deepfake job applicants who can deceive IT experts, often doing so multiple times. Pelker cautioned that this technology is advancing and becoming increasingly believable with each passing day.

According to the panelists, resolving this issue hinged on educating every individual involved in the interview process—even the most junior staff members—and maintaining strict attention to potential red flags. They suggested that whenever feasible, having a nearby person conduct an in-person visit could help. Additionally, they recommended possibly steering clear of recruiting entirely remote workers.