Following repeated attempts by North Korean nationals to secure remote Information Technology (“IT”) jobs at U.S. companies to access company systems and generate revenue for the North Korea, the NYDFS recommends that organizations exercise caution when hiring for remote technology-related positions. These individuals often use virtual private networks (“VPNs”) and false or stolen identities to appear as though they are working in the United States. Indications that someone may be conducting this kind of scam include requesting to ship devices to an alternate location and declining to participate in in-person or video conferences. Threat actors also may download remote access tools to their company devices in order to allow them to remotely control those devices, often using native tools to avoid detection.

The NYDFS recommends organizations take the following steps to protect their information systems from these actors:

1. Raise awareness with senior executives, information security personnel, and human resources. Share information about this threat with senior executives, hiring managers, cybersecurity personnel, and third-party service providers.
2. Conduct due diligence in the hiring process. Perform stringent background checks and implement multifaceted identity verification procedures. For example, companies should require more than just one official government document to verify identity, such as passports and national IDs; scrutinize social media accounts carefully; confirm applicants’ physical and IP address locations; and detect VPN and proxy server usage at all times, but especially during the interview process.
3. Implement technical and monitoring controls. Assess the organization’s risks related to insider threats and implement measures that appropriately mitigate such risks.
4. Proceed cautiously with all entirely remote employees. Limit remote employees’ access to systems and data to that which is necessary.
5. Notify law enforcement and regulators. Investigate and report incidents to the FBI’s Internet Crime Complaint Center (“IC3”) at www.IC3.gov and fulfil any reporting obligations that arise under state or federal law, including, potentially, reporting incidents to DFS under 23 NYCRR § 500.17.

Hogan Lovells has covered insider threats, including in particular from North Korean nationals seeking remote positions, as well as proactive steps to reduce risk in more detail in The Data Chronicles. For more information, you can listen to the podcast episode here.

Authored by Nathan Salminen, Dan Ongaro, and Emma Kotfica.