The New York Department of Financial Services (“NYDFS”) recently cautioned regulated entities to be aware of individuals applying for remote technology-related positions due to an increase in reported threats from North Korea. Threat actors have repeatedly attempted to access company systems and illegally generate revenue for North Korea under the guise of seeking remote Information Technology jobs at U.S. companies.
According to the NYDFS, these applicants often pose as individuals from the U.S. and other countries, using false and stolen identities and proxy accounts that belong to U.S.-based individuals, some of whom may knowingly sell their identities, assist with account creation, and participate in required pre-employment drug screening tests. Applicants use a variety of other tactics to hide their location and/or identity, such as using virtual private networks (“VPNs”) to make it appear that they originate and reside in U.S.-based locations when applying for telework positions, avoiding video or in-person conferencing, and asking for devices to be shipped to different locations pre-employment.
The NYDFS urged companies to take several steps to protect their systems from threat actors, including:
- Raising awareness of this threat among senior executives, information security personnel third-party service providers, and human resources through targeted training;
- Conducting due diligence during the hiring process by implementing stringent background checks and identity verification procedures;
- Utilizing technical and monitoring controls, including procedures to track and locate corporate laptops and cellphones to ensure that they are delivered and remain at the initially reported residence, and flagging events related to location (e.g., change of address);
- Limiting remote employees’ access to systems and data necessary to perform their jobs; and
- Notifying the FBI’s Internal Crime Complaint Center if the company suspects that a remote worker is engaging in a fraudulent remote work scheme.
The NYDFS guidance provides additional detail and examples for implementing each of these steps. Federal agencies are also pursuing the IT worker threat, including the U.S. Departments of State and Treasury, and the Federal Bureau of Investigation.