.svg?width=185&quality=80&auto=webp&format=auto&cache=true&immutable=true&cache-control=max-age%3D31536000 "Home"){kind=logo}
.svg?width=13&quality=80&auto=webp&format=auto&cache=true&immutable=true&cache-control=max-age%3D31536000 "Top Navigation - Sign in - Icon")
The North Korean worker scheme has expanded into a global threat. Although it originally focused on U.S. technology companies, the scheme has spread to other regions and sectors, including finance, healthcare, and government. Any company hiring remote workers is at risk; as a remote-first technology company, even Sophos has been targeted by North Korean state-sponsored operatives posing as IT workers.
Assessing the risk
The threat actors target high-paying, fully remote jobs, primarily seeking to obtain a salary that can fund North Korean government interests. They typically apply for software engineering, web development, AI/machine learning, data science, and cybersecurity positions, although they have expanded into other roles as well.
There are many risks to organizations that are infiltrated by these threat actors. Employing North Korean workers may violate sanctions. Additionally, the threat actors could conduct traditional insider threat activities such as unauthorized access and theft of sensitive data. Fraudulent workers may supplement revenue generation by using threats of data exposure to extort the organization, especially after they have been terminated.
Organizational size does not appear to be a factor in this scheme. Sophos has observed targeting of solo operations looking for contractors or temporary help all the way up to Fortune 500 companies. Workers at larger companies are often hired via an external agency, where employment checks may not be rigorous.
How we can help
We’ve been honing an internal initiative that takes a cross-functional approach to addressing this threat. Throughout this process, we found a wealth of defensive guidance available to organizations. However, compiling it into a coherent and actionable set of controls required significant effort. For defenders, knowing what to do is often straightforward. The real challenge lies in how to do it.
Anyone who has implemented controls knows that what appears simple on paper can quickly evolve into a complex design challenge, especially when aiming for scalable, practical, and sustainable solutions. We decided to publish a playbook to support other organizations navigating this threat. In developing these materials, we prioritized specificity over broad applicability. The controls are based on best practices, our own processes, and threat intelligence from our security researchers who have been monitoring the tactics, techniques, and procedures (TTPs) used by the North Korean threat actors.
The playbook includes a toolkit that contains two versions of a control matrix (static and project manager-ready), an implementation guide, and training slides. We split the control matrix into eight categories that span employee acquisition through post-hire:
- HR and process controls
- Interview and vetting
- Identity and verification
- Banking, payroll, and finance
- Security and monitoring
- Third-party and staffing
- Training
- Threat hunting
The matrix lists technical and process controls, as avoiding and evicting fraudulent North Korean workers isn’t simply, or even primarily, a matter of technology. The solution requires collaboration across internal teams such as HR, IT, legal, finance, and cybersecurity, as well as external contractors. The ‘project manager-ready’ version includes additional worksheets for generating pivot tables to reflect control status and ownership. The worksheets are pre-populated with data to illustrate the functionality.
Some of these controls may not be appropriate for all organizations, but we offer this toolkit as a resource. We encourage organizations to adapt the recommendations to suit their environments and threat models.
