
DPRK fake IT worker discovered by Sophos MDR proactive threat hunt
Organization: Marketing industry, 1000 employees, USA
Solution: Sophos MDR with Microsoft 365 Management Activity integration
Adversary behavior
IT workers are sent by the Democratic People's Republic of Korea (DPRK) government to live primarily in China and Russia with a mission to secure lucrative roles within Western organizations—particularly in the U.S. tech sector—for financial exploitation. In this case, a threat actor successfully poses as a remote software developer for approximately six months, gaining employment at a U.S.-based marketing organization. Over time, the fake IT worker escalates their privileges to gain highly privileged access within the organization's AWS cloud environment, maintaining persistent access through a suspicious VPN not used by other employees.
Threat detection
Sophos MDR analysts conduct a proactive threat hunt relating to a known DPRK threat group and discover the fake IT worker within the customer's environment. The team identifies a user persistently logging in using a suspicious VPN, and an attempted login blocked by a Microsoft 365 Conditional Access Policy reveals that the user is located in Russia—not where a legitimate U.S.-based remote worker would typically operate from.
Investigation
Following analysis of the user's Microsoft 365 login activity, Sophos MDR investigates the threat actor's emails and digital footprint. Analysts confirm that the user has gained highly privileged access within the organization's AWS cloud environment. By correlating VPN telemetry, Microsoft 365 authentication logs, and cloud access patterns, Sophos MDR determines that the user has been posing as a remote software developer for approximately six months.
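The two indicators that drove the detection and investigation above (a user whose sign-ins all arrive through a VPN no other employee uses, and a Conditional Access block revealing a location outside the expected country) can be expressed as a simple hunt over sign-in telemetry. The code below is an added illustration, not Sophos MDR's tooling: the records are constructed, field names only loosely follow the Microsoft 365 / Entra ID sign-in log, and the asn_org field assumes an IP-to-ASN enrichment that the page does not describe.

```python
from collections import defaultdict

# Constructed sample sign-in records (all users, IPs and ASN names are made up).
# ca == "failure" stands for a sign-in blocked by a Conditional Access policy.
SIGNINS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "country": "US", "asn_org": "ISP-A", "ca": "success"},
    {"user": "alice@example.com", "ip": "203.0.113.11", "country": "US", "asn_org": "ISP-A", "ca": "success"},
    {"user": "bob@example.com",   "ip": "198.51.100.5", "country": "US", "asn_org": "ISP-B", "ca": "success"},
    {"user": "bob@example.com",   "ip": "203.0.113.10", "country": "US", "asn_org": "ISP-A", "ca": "success"},
    {"user": "dev42@example.com", "ip": "192.0.2.77",   "country": "US", "asn_org": "VPN-X", "ca": "success"},
    {"user": "dev42@example.com", "ip": "192.0.2.78",   "country": "US", "asn_org": "VPN-X", "ca": "success"},
    {"user": "dev42@example.com", "ip": "192.0.2.79",   "country": "US", "asn_org": "VPN-X", "ca": "success"},
    {"user": "dev42@example.com", "ip": "192.0.2.200",  "country": "RU", "asn_org": "ISP-RU", "ca": "failure"},
]

# Countries a legitimate remote worker of this (U.S.-based) organisation is expected to sign in from.
EXPECTED_COUNTRIES = {"US"}

def users_per_asn(signins):
    """Map each ASN organisation to the set of users ever seen signing in through it."""
    seen = defaultdict(set)
    for s in signins:
        seen[s["asn_org"]].add(s["user"])
    return seen

def single_user_vpn_exclusive(signins, min_signins=3):
    """Users whose successful sign-ins all come through ASNs that no other user uses.

    This mirrors the 'suspicious VPN not used by other employees' indicator; min_signins
    avoids flagging a user on one or two sign-ins from an unusual network."""
    by_asn = users_per_asn(signins)
    per_user = defaultdict(list)
    for s in signins:
        if s["ca"] == "success":
            per_user[s["user"]].append(s["asn_org"])
    return {u for u, asns in per_user.items()
            if len(asns) >= min_signins and all(by_asn[a] == {u} for a in asns)}

def blocked_from_unexpected_geo(signins, expected=EXPECTED_COUNTRIES):
    """(user, country) pairs where Conditional Access blocked a sign-in from an unexpected country."""
    return {(s["user"], s["country"]) for s in signins
            if s["ca"] == "failure" and s["country"] not in expected}

def hunt(signins):
    """Users matching both indicators, the combination that triggered this investigation."""
    geo_users = {u for u, _ in blocked_from_unexpected_geo(signins)}
    return single_user_vpn_exclusive(signins) & geo_users

if __name__ == "__main__":
    print(hunt(SIGNINS))  # {'dev42@example.com'}
```

A hit from hunt() is only a lead: the next step, as in the case above, is to pivot into the user's mailbox, cloud (here AWS) privileges and HR records before deciding to disable the account.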
Response
The Sophos MDR team immediately alerts the customer and initiates a live conference call to provide guidance on next steps. The customer quickly disables the user account, fully severing the threat actor's access. Sophos MDR guides the customer through comprehensive remediation, including reviewing all access granted to the fake IT worker, auditing AWS privileges, and implementing stronger identity verification controls for remote hires. Through proactive threat hunting and rapid coordinated response, Sophos MDR successfully uncovers and neutralizes a sophisticated insider threat that had evaded detection for six months.