The Defender’s Advantage Podcast
Episode: Responding to a DPRK ITW Incident
Host: Luke McNamara (B)
Guest: JP Glab (A), Senior Incident Response Consultant
Date: May 19, 2025
Episode Overview
This episode dives deep into the emerging and complex threat posed by North Korean (DPRK) IT workers infiltrating organizations via fraudulent employment. Host Luke McNamara interviews JP Glab about a real-world response to such an incident, discussing how the threat was uncovered, the unique investigative challenges, and key lessons for organizations aiming to detect and prevent such intrusions. The discussion draws on detailed, recent casework to illustrate how DPRK actors exploit remote work and identity fraud to gain access to Western organizations, and what defenders can do at both the hiring stage and the technical-controls stage to identify and root out these covert operatives.
Key Discussion Points & Insights
1. Incident Origin and Discovery
- How the Case Began (01:52)
- The company was alerted when an individual received a W2 for employment at the company but had never worked there.
- JP (02:16): “The company got a call from an individual who got a W2 from them but did not work for them. So they were calling to let them know that their identity was stolen and being used to receive employment at the victim company.”
- This triggered an investigation into a fraudulent employee (employee A) who had worked for six months, performed well, and later referred a second “employee” (also a false identity) to join.
2. Initial Investigation Steps
- Technical Findings Match DPRK Patterns (04:35)
- Both suspect laptops showed suspicious activity: they connected from Nevada rather than the employees' claimed locations (Texas and a fake address), shared the same source IP, and had AnyDesk remote access and Astral VPN installed.
- JP (04:35): “Both of these laptops were sitting and using the same Internet point of presence. … We found that both laptops were using Anydesk, both connecting to Astral VPN.”
- Astral VPN was flagged as a common indicator of DPRK IT worker activity (05:24).
3. Parallel Investigations: Technical and HR/Legal
- Dual Investigation Process (05:46)
- Legal and HR ran concurrent investigations because of logistical red flags: laptops had been shipped to mismatched or fake addresses, with both ending up in Nevada.
- JP (05:46): “This differed from our normal IR… [Laptops] sent to addresses that did not match the addresses that the employees provided them.”
4. Forensic Analysis and Uncovering Multiple Personas
- Laptop Retrieval and Artifact Review (07:09)
- The suspects surprisingly returned the laptops, which allowed deeper forensic imaging.
- Discovery: multiple LinkedIn profiles were operated from the same device, and remote access tools were installed within hours of onboarding.
- JP (07:09): “We saw that they were logging into multiple LinkedIn profiles… This was a one to many. So it was one IT worker to many personas, as we've seen in the past.”
- Installation of tools such as AnyDesk (remote access) and Caffeine (a keep-awake utility) suggested the devices were set up for remote management from the start.
5. Scope and Detection Challenges
- Limited Campaign Visibility (08:40)
- Unlike typical malware campaigns, there were no network-wide indicators or beaconing to pivot from, which made discovering additional victims difficult.
- The team looked for additional personas but did not confirm links to other organizations in this case.
- JP (09:43): “The employees were obviously terminated. This client was left with a lot of lessons learned both in the hiring process and with post hire activities.”
6. Behavior and Intent of DPRK IT Workers
- Distinct ‘Insider Threat’ Profile (10:08)
- Unlike typical insider threats who abuse access, DPRK IT workers focus on performing competently to secure steady payment.
- JP (10:08): “With the North Korean IT workers, they're not necessarily doing anything malicious. They're showing up, they're doing their job… Their primary goal is to collect the paychecks.”
7. Indicators and Defensive Recommendations
- Post-hire and Pre-hire Red Flags (11:22, 12:23)
- Technical: monitor for unauthorized tools (VPNs, remote access software, KVM devices and mouse jigglers), logins from unexpected locations, and newly created user accounts.
- HR: Strong background checks, verification of employee data, training for recruiters to recognize fraudulent resumes and online profiles.
- JP (12:23): “Pre hire is of most importance, just having strict employee data verification and background check processes and educating hiring managers to this threat in general.”
- Post-hire suggestions include requiring new hires to show up in person or join a video call even if remote.
8. Operational Caution During Investigation
- Risk of Tipping Off DPRK Actors (13:36)
- The company tried to proceed quietly, but remote technical imaging failed, so it confronted the suspects directly.
- Camera use differed between the two personas: the first allowed video, while the second rarely did, which is itself a potential detection opportunity.
9. Lessons Learned and Threat Evolution
- Non-Technical Detection Was Key (14:58)
- The investigation began only because of an external, real-world error: a W2 was sent to the real person whose identity had been stolen.
- Importance of both technical and non-technical detection vectors.
- JP (14:58): “Without the W2, I don’t know if they would have caught on… Without the W2 notification, I think this would have gone on a little longer.”
10. Broader Impact
- DPRK IT Worker Threat is Rising (15:20)
- McNamara notes that 5% of the incidents and breaches responded to last year had insider threat as the initial access point, almost entirely represented by DPRK IT workers, an uptick that underscores the growing risk for all organizations.
Notable Quotes & Memorable Moments
- “The company got a call from an individual who got a W2 from them but did not work for them.” (JP Glab, 02:16)
- “Both of these laptops were sitting and using the same Internet point of presence. … We found that both laptops were using Anydesk, both connecting to Astral VPN.” (JP Glab, 04:35)
- “With the North Korean IT workers, they're not necessarily doing anything malicious. They're showing up, they're doing their job… Their primary goal is to collect the paychecks.” (JP Glab, 10:08)
- “Pre hire is of most importance, just having strict employee data verification and background check processes and educating hiring managers to this threat in general.” (JP Glab, 12:23)
- “If you are suspicious of an IT worker in your environment, maybe do just a random video on meeting.” (JP Glab, 13:36)
- “Without the W2, I don’t know if they would have caught on… Without the W2 notification, I think this would have gone on a little longer.” (JP Glab, 14:58)
- “5% of the investigations, the incidents and breaches we responded to last year or insider threat as the initial access point… almost entirely, if not entirely represented by the DPRK IT workers.” (Luke McNamara, 15:20)
Timestamps of Key Segments
- Parallel Investigations and Red Flags (00:01, 05:46)
- Case Background and Initial Call (01:52–03:05)
- Technical Discovery and DPRK Patterns (04:35–05:24)
- Laptops Returned and Forensic Imaging (07:09)
- Multiple Personas Revealed (07:30–08:40)
- Detection and Response Lessons (10:08–12:23)
- Mitigation Recommendations (11:22, 12:23)
- Caution During Investigation (13:36)
- W2 as Detection Trigger (14:58)
- Prevalence and Impact (15:20)
Actionable Takeaways
- HR & Recruitment:
- Enforce strict identity verification and background checks; train hiring managers on patterns of fraudulent resumes and online profiles.
- Technical Controls:
- Monitor for unauthorized remote access apps and consumer VPNs; watch for impossible travel or logins from unexpected locations; require cameras for remote hires during their first days.
- Incident Response:
- Be aware that non-technical notifications (like misdirected payroll documents) may be the first alert.
- Understand that DPRK IT workers’ main objective is payment, not sabotage, which complicates detection through conventional malicious activity triggers.
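As an added example (not code from the podcast, its host, or its guest's firm), the technical controls from section 7 and the takeaways above expressed as a triage pass over constructed HR records and endpoint/VPN telemetry: login state versus the state given to HR, one source IP shared by several employee accounts, and watchlisted remote-access or VPN tools installed within a day of the hire date. All field names and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not from the podcast: HR onboarding records plus endpoint/VPN telemetry.
HR_RECORDS = {
    "employee_a": {"claimed_state": "TX", "hire_date": "2024-11-04"},
    "employee_b": {"claimed_state": "FL", "hire_date": "2025-03-10"},
    "employee_c": {"claimed_state": "WA", "hire_date": "2024-06-17"},
}
LOGINS = [("employee_a", "203.0.113.7", "NV"),   # (user, source_ip, geolocated_state)
          ("employee_b", "203.0.113.7", "NV"),
          ("employee_c", "198.51.100.22", "WA")]
INSTALLS = [("employee_a", "AnyDesk", "2024-11-04T15:40:00"),   # (user, software, install_time)
            ("employee_b", "Astral VPN", "2025-03-10T11:05:00"),
            ("employee_c", "Zoom", "2024-09-01T09:00:00")]
WATCHLIST = {"anydesk", "astral vpn", "caffeine"}  # remote-access / VPN / keep-awake tools named in the episode

def location_mismatches(hr=HR_RECORDS, logins=LOGINS):
    """Users whose login geolocation differs from the state they gave HR."""
    return sorted({u for u, _, state in logins if state != hr[u]["claimed_state"]})

def shared_source_ips(logins=LOGINS):
    """Source IPs used by more than one employee account (the 'same point of presence' finding)."""
    users_by_ip = defaultdict(set)
    for u, ip, _ in logins:
        users_by_ip[ip].add(u)
    return {ip: sorted(us) for ip, us in users_by_ip.items() if len(us) > 1}

def early_watchlist_installs(hr=HR_RECORDS, installs=INSTALLS, window_hours=24):
    """Watchlisted tools installed within window_hours of the user's hire date."""
    hits = []
    for u, sw, ts in installs:
        since_hire = datetime.fromisoformat(ts) - datetime.fromisoformat(hr[u]["hire_date"])
        if sw.lower() in WATCHLIST and timedelta(0) <= since_hire <= timedelta(hours=window_hours):
            hits.append((u, sw))
    return hits

def triage(hr=HR_RECORDS, logins=LOGINS, installs=INSTALLS):
    """One point per signal; users with the most points go to HR/legal/IR review first."""
    score = defaultdict(int)
    for u in location_mismatches(hr, logins):
        score[u] += 1
    for users in shared_source_ips(logins).values():
        for u in users:
            score[u] += 1
    for u, _ in early_watchlist_installs(hr, installs):
        score[u] += 1
    return dict(sorted(score.items(), key=lambda kv: (-kv[1], kv[0])))
```

The score is a review queue, not a verdict: a single signal (a consultant on a business trip, a sanctioned VPN) is routine, while all three on the same account within days of hire is the pattern the episode describes.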
This episode provides in-depth, actionable insight into handling the complex challenge of DPRK IT worker infiltrations, combining technical, operational, and HR perspectives for a holistic defensive approach.
