CISO Playbook: North Korean IT Workers

Has a North Korean threat actor applied for a position at your organization, or even been hired? We’re sharing a toolkit to help you detect and avoid that risk.

The North Korean worker scheme has expanded into a global threat. Although it originally focused on U.S. technology companies, the scheme has spread to other regions and sectors, including finance, healthcare, and government. Any company hiring remote workers is at risk; as a remote-first technology company, even Sophos has been targeted by North Korean state-sponsored operatives posing as IT workers.

We’ve been honing an internal initiative that takes a cross-functional approach to addressing this threat. Throughout this process, we found a wealth of defensive guidance available to organizations. However, compiling it into a coherent and actionable set of controls required significant effort. For defenders, knowing what to do is often straightforward. The real challenge lies in how to do it.

Anyone who has implemented controls knows that what appears simple on paper can quickly evolve into a complex design challenge, especially when aiming for scalable, practical, and sustainable solutions. We decided to publish a playbook to support other organizations navigating this threat. In developing these materials, we prioritized specificity over broad applicability. The controls are based on best practices, our own processes, and threat intelligence from our security researchers who have been monitoring the tactics, techniques, and procedures (TTPs) used by the North Korean threat actors.

Read the blog post describing this playbook.

Toolkit: