Keypoint: The New York State Department of Financial Services (NYDFS) issued an industry letter outlining the threats posed to U.S. companies that hire remote technology workers linked to North Korea, who may embezzle funds from their new employers.
On November 1, 2024, NYDFS issued guidance warning companies of an increasing risk posed by individuals applying for IT roles who are in fact operating on behalf of North Korea. These applicants seek employment in order to infiltrate western companies’ computer systems and illicitly generate revenue for the North Korean regime.
As recently as August 8, 2024, the FBI arrested Matthew Knoot of Nashville, Tennessee, for his involvement in a scheme designed to assist North Korean threat actors in securing remote IT positions with companies in the United States and the United Kingdom. These threat actors were paid hundreds of thousands of dollars in income that was funneled to the North Korean government to generate revenue for the country’s illicit weapons program. According to a Department of Justice press release, in addition to the collective salaries paid by victim companies, the actions of Knoot and the North Korean operatives resulted in out-of-pocket losses exceeding $500,000 from expenses related to auditing and remediating the victim companies’ devices, systems, and networks.
NYDFS Guidance
NYDFS continues to serve as a leading regulatory voice in the cybersecurity space. Alongside similar advisories from the FBI and the United States Department of State, NYDFS emphasizes a multi-faceted approach to mitigate these threats as outlined below:
Awareness and Training: Companies should educate senior executives, information security personnel, and human resources so that all relevant stakeholders are informed of such remote worker threats. Relevant stakeholders must also include third-party service providers, such as staffing agencies, which should themselves apply cybersecurity best practices when vetting applicants. NYDFS notes that targeted training sessions can help personnel recognize and effectively respond to potential threats.
Due Diligence in Hiring: Companies should conduct comprehensive background checks and verify identities using multiple official government documents. As with most applicants, remote workers’ social media accounts should be scrutinized, and applicants for remote work positions should have their physical and IP locations confirmed. Companies should monitor the use of virtual private networks (VPNs) and proxy servers, especially during interviews. Ideally, companies should assess whether to require interviews in person or remotely via video to verify that the applicant’s identity matches their official documentation. Additionally, companies should verify employment references and check for Voice over Internet Protocol (VoIP) numbers in an applicant’s contact details to reveal inconsistencies.
Technical and Monitoring Controls: Companies should evaluate their individual risks related to applicant and insider threats and implement appropriate controls to mitigate such risks. Companies should consider implementing technical controls to track and geolocate corporate devices, ensuring they remain in the reported location. Any change of address or unusual working pattern should be flagged as suspicious and may warrant additional analysis: a remote worker believed to be working in one part of the world may in fact be living in a different part, with a completely different day/night schedule. Companies should monitor unusual network traffic and restrict access from suspicious IP addresses to prevent unauthorized access. Companies may also engage cybersecurity vendors specializing in detecting threats linked to North Korea to provide additional protection.
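The device-geolocation, IP-location, proxy-use and working-pattern checks described in the guidance above can be expressed as a small review over existing telemetry. The following is an added illustration, not code from NYDFS or from the original article: it compares each remote worker's declared country and UTC offset against constructed sample events (MDM device-location reports and login source IPs). The IP-to-country table, the proxy egress list, the worker records and the events are all constructed sample data standing in for a GeoIP database, a threat-intelligence feed and an identity provider's logs.

```python
"""Flag remote-worker activity inconsistent with the worker's declared location.

Added example. Every record, IP-to-country mapping and proxy address below
is constructed sample data, not real telemetry.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a GeoIP lookup (IP -> ISO country code).
IP_COUNTRY = {
    "203.0.113.10": "US",
    "198.51.100.7": "US",
    "192.0.2.44": "CN",
    "192.0.2.45": "RU",
}

# Constructed stand-in for a feed of commercial VPN / proxy exit addresses.
KNOWN_PROXY_EGRESS = {"198.51.100.7"}


@dataclass
class Worker:
    name: str
    declared_country: str
    declared_utc_offset: int       # simplification: fixed offset, no DST handling
    work_hours: tuple = (8, 18)    # expected local active hours [start, end)


@dataclass
class Event:
    worker: str
    ts_utc: str            # ISO-8601 timestamp, UTC
    src_ip: str            # login source address from the identity provider
    device_country: str    # country reported by the corporate device (MDM)


def local_hour(ts_utc: str, utc_offset: int) -> int:
    """Hour of day at the worker's declared location."""
    dt = datetime.fromisoformat(ts_utc).replace(tzinfo=timezone.utc)
    return (dt + timedelta(hours=utc_offset)).hour


def analyze(workers, events, off_hours_ratio=0.5):
    """Return {worker name: [finding strings]}.

    device_off_location - device geolocation differs from declared country
    ip_off_location     - login source IP resolves outside declared country
    proxy_egress        - login came from a known VPN/proxy exit
    off_hours_pattern   - more than off_hours_ratio of logins fall outside
                          the declared local working hours
    """
    by_name = {w.name: w for w in workers}
    findings = {w.name: [] for w in workers}
    off_hours, total = Counter(), Counter()
    for e in events:
        w = by_name[e.worker]
        total[w.name] += 1
        if e.device_country != w.declared_country:
            findings[w.name].append(f"device_off_location:{e.ts_utc}:{e.device_country}")
        ip_country = IP_COUNTRY.get(e.src_ip, "??")
        if ip_country != w.declared_country:
            findings[w.name].append(f"ip_off_location:{e.ts_utc}:{e.src_ip}:{ip_country}")
        if e.src_ip in KNOWN_PROXY_EGRESS:
            findings[w.name].append(f"proxy_egress:{e.ts_utc}:{e.src_ip}")
        start, end = w.work_hours
        if not start <= local_hour(e.ts_utc, w.declared_utc_offset) < end:
            off_hours[w.name] += 1
    # A single late login is normal; a consistent pattern is the signal.
    for name in findings:
        if total[name] and off_hours[name] / total[name] > off_hours_ratio:
            findings[name].append(f"off_hours_pattern:{off_hours[name]}/{total[name]}")
    return findings


def run_demo():
    """Constructed sample: one consistent worker, one with several inconsistencies."""
    workers = [
        Worker("alice", "US", -4),   # declared New York, October (UTC-4)
        Worker("bob", "US", -5),     # declared Chicago, October (UTC-5)
    ]
    events = [
        Event("alice", "2024-10-15T14:00:00", "203.0.113.10", "US"),  # 10:00 local
        Event("alice", "2024-10-15T18:00:00", "203.0.113.10", "US"),  # 14:00 local
        Event("bob", "2024-10-15T02:00:00", "192.0.2.44", "US"),      # 21:00 local, CN IP
        Event("bob", "2024-10-15T03:30:00", "198.51.100.7", "US"),    # 22:30 local, proxy
        Event("bob", "2024-10-15T05:00:00", "203.0.113.10", "CN"),    # 00:00 local, device abroad
    ]
    return analyze(workers, events)


if __name__ == "__main__":
    for name, items in run_demo().items():
        print(name, items or "no findings")
```

In the constructed sample, alice produces no findings, while bob is flagged once each for an off-location IP, a proxy exit and a device reporting from outside the declared country, plus an off-hours pattern because every login fell outside declared working hours. In practice the inputs would come from the MDM platform, the identity provider's sign-in log and a GeoIP or threat-intelligence source rather than inline tables.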
Cautious Approach to Remote Work: Limiting remote employees’ access to only those systems and data necessary for their assigned responsibilities is a critical cybersecurity control; elevated privileges and access levels should be increased gradually, and only when necessary for employees’ expanding roles. Companies should assess whether the use of remote access tools should be restricted in order to prevent illicit entry into company networks, whether networks should be segmented to deny access from remote locations, and whether monitoring of remote workers’ internet activity, especially visits to unnecessary or overseas websites, is necessary to help detect potential threats.
Takeaway
The industry letter is a reminder that while remote work brings significant benefits, as long as it remains prevalent in the marketplace, so do the opportunities for threat actors to exploit it. By implementing the steps outlined above, companies can better safeguard their information systems and protect sensitive data from foreign threats.
If a company believes it has been targeted by a remote IT worker scheme or has been contacted by fraudulent IT professionals, the company should investigate and report the incident to the FBI’s Internet Crime Complaint Center (IC3). Additionally, Covered Entities must ensure they fulfill their reporting obligations under 23 NYCRR § 500.17, mentioned in our update from last week, as well as potential reporting obligations under other state or federal laws.