A
As the incident response process was going on, there was another investigation going on in parallel. This differed from our normal IR as we were doing digital forensics incident response, they also had a legal and HR investigation going on because the laptops they sent out to these employees were sent to addresses that did not match the addresses that the employees provided them. The first employee sent to a totally different address and then the second employee, their address wasn't even real. So they sent that laptop somewhere and it got intercepted. Both ended up in Nevada.
B
Welcome to another episode of Mandiant's Defender's Advantage podcast. I am your host, Luke McNamara. Joining me today is JP Glab, Senior Incident Response Consultant here at Mandiant. JP, great to have you here today.
A
Hi Luke. Yeah, great to be here.
B
Well, as folks who are listening to this will know, or probably will know, we just released the 16th edition of the M-Trends report. A lot of great stats and data in that report drawn from the past year of incident response, things that consultants like you have been seeing on the front lines. There's one particular story, if you go to the back article section, that delves into something we've talked about on this podcast before and people have seen in blogs and in news stories, which is the North Korean IT worker problem. And we're going to dive into that today, and we're going to dive into it from the perspective of someone who has actually responded to some of these threats. So JP, thank you for being here, and looking forward to picking your brain and hearing your thoughts on an investigation that you were a part of.
A
Sounds good. Yeah.
B
So maybe we can start with how you got the call, where the investigation began. I would imagine as someone who has not been a part of the actual incident response to some of the North Korean IT workers, maybe it's a bit different than typical intrusion based threats. Maybe not in some respects, but maybe describe for us how that was when you initially got the call, what you knew and where the investigation began.
A
Absolutely. So we got the call. A company was notified that one of the employees that they hired did so under a false identity. So backing up a little bit, the company hired, we'll call them employee A. This employee worked there for six months. Great employee was doing front and back end development work. They were happy with them. This employee then referred someone else to come join the team. They had an open spot and the company decided to hire them too. So fast forward a few months. The company got a call from an individual who got a W2 from them but did not work for them. So they were calling to let them know that their identity was stolen and being used to receive employment at the victim company.
B
And so this created an awareness on the part of the company that, hey, we have a problem here. Then at some point they contacted us. So was the suspicion early on that this fit within the TTPs of what we had observed from previous North Korean IT workers, that this was some sort of North Korean IT worker incident?
A
Yeah. So from our point of view, it fit the mold for DPRK IT worker. The company, though, had no idea about this threat. So they were interested in the general scope of, like, what the user did, what they had access to, were they trying to get access anywhere else on the network? Were they doing anything malicious? Was data being stolen? All the typical, you know, who, what, where, when and why questions that they were most concerned about.
B
So that's interesting. They were not aware this was, or they didn't suspect at the time this was, a North Korean IT worker, just that it was some sort of fraudulent identity, possibly an insider threat of some kind, and so they wanted us to investigate further.
A
Exactly, yeah.
B
So when you have an incident like this, where do you start? You know, again, does it differ from what you would traditionally start with? Where if it's a, you know, some sort of intrusion based threat where someone received a spear phished email or you have something beaconing out to a weird domain, do you have that sort of like start in terms of the investigation or how did you begin it?
A
So the investigation process started off very similar to a normal investigation, where we have an initial lead. In this case, the fraudulent employee's laptop. Pivoting into EDR, we saw that the laptop was pinging in from Nevada when the employee stated that they were in Texas. So that was the first red flag we saw. Looking at the second employee's laptop, it was using the same exact external IP address. So this was another red flag. So both of these laptops were sitting and using the same Internet point of presence. And then from there we found that both laptops were using AnyDesk, both connecting to Astrill VPN. So once we got that far, we had a very high likelihood of it being DPRK IT workers.
B
And the Astrill VPN usage, for folks who aren't familiar, and I think we actually flagged this in the article that's in M-Trends about North Korean IT workers, but that has been a common VPN for them to leverage in a lot of their activity, proxying through the corporate boxes that have been powered up and are being run by the facilitators.
A
So as the incident response process was going on, there was another investigation going on in parallel. This differed from our normal IR, I would say, as we were doing digital forensics incident response, they also had a legal and HR investigation going on because the laptops they sent out to these employees were sent to addresses that did not match the addresses that the employees provided them. So the first employee sent to a totally different address, and then the second employee, their address wasn't even real. So they sent that laptop somewhere and it got intercepted. But they both ended up in Nevada at the end of the day.
B
And at this point, you know, you had the suspicions already this was tied to North Korean IT workers. But at this point, I would imagine that suspicion has gone up pretty high. At this point, when you see these other components, does that result in or drive the further components of the investigation? Are there certain things that you look for beyond that, or was this continuing to follow the pattern of what other files or parts of the network or systems has this individual accessed? Was there a certain, like, TTP-driven part of the investigation? Now that you have this sort of confirmation, you're dealing with a North Korean IT worker, or are you still kind of following the tactical clues as to where their digital footprint has been in the corporate environment?
A
Yeah, yeah. At this point, we pivoted. We were very confident that this was a North Korean IT worker. We pivoted more to guiding the company down the path to figure out where these laptops ended up. They actually took a next step and contacted the individual. So whether this was the facilitator or the IT worker, we do not know. But it ended up that they were being very cooperative, and they ended up sending both laptops back. So we were surprised by that. But that gave us a bunch of additional traditional forensic artifacts. So we got the laptops back, we imaged them, and we were able to dig through some artifacts that EDR wasn't sending back to us. For example, there were LinkedIn pictures and banners and profile snippets on the desktop. We were able to go through their web browsing that had rolled off for other logs. So we saw that they were logging into multiple LinkedIn profiles, you know, two of which we knew because the company hired them, but also accessing profiles that we didn't know about. So this individual, it was a one-to-many. So it was one IT worker to many personas, as we've seen in the past. We also were able to get information that they installed AnyDesk and Caffeine within hours of being onboarded. So the laptop started up for the first time, they installed their tools, and they were off and running.
B
And one of the things that's been, I would say, more challenging about this particular problem, again, than some of the more traditional threats that we see is not having, necessarily, you know, call it beaconing out to a set of infrastructure where you can pivot off of and spider out and find more victims. Finding the full scope of some of these, I guess I will call them campaigns, incidents where IT workers are maintaining personas across different organizations, can be difficult. But in this case you were able to find some additional personas. And did that lead to any kind of follow-on victim notifications to other organizations, from what you know?
A
Not from what I know, no. We did check to see if those personas were used to interview further on at this company, but they didn't. Not that I know of.
B
So you mentioned there were two investigations kind of being run in parallel. There was the sort of incident response that you were doing, and then there's sort of the HR and legal component. At the point in which the laptops come back, you investigate them further and image them. Where did things kind of go from there?
A
Yeah. So the employees were obviously terminated. This client was left with a lot of lessons learned both in the hiring process and with post hire activities.
B
There's a lot of, I guess, like sort of takeaways, you know, from any of the individual incidents that we've seen IT workers be involved in and I'm sure kind of takeaways that you had coming out of this, anything that was kind of notable or stood out to you?
A
Yeah, so this was my first DPRK IT workers investigation. Previous to this case, if you said, you know, we have an insider threat case coming in, the first thing that I would think of may be an employee using their privilege for unauthorized things or being destructive for whatever reason. But with the North Korean IT workers, they're not necessarily doing anything malicious. They're showing up, they're doing their job to the best of their abilities, and their primary goal is to collect the paychecks. So they want to keep everyone happy and keep receiving those paychecks to send back.
B
In this particular incident, was there anything that you found particularly helpful in the process of investigating that you would recommend others to look at if they're dealing with suspected IT workers? I mean, some of this was sort of getting lucky with the individual getting the W2 and that starting the notification process. So it wasn't a sort of technical indicator or some of the other things that we've seen initially trigger investigations, but just throughout the whole process, were there things that stood out to you that were particularly useful for chasing down this threat?
A
Yeah, I would say post hire, just monitoring unauthorized applications being installed on the laptop, monitoring for consumer VPNs being used. And I think if they were looking at where these users were connecting in from, from China, from other parts of the US, they could have found some impossible travel alerts in there or used some of that detection logic to maybe tip them off a little earlier.
B
So thinking about all of this and some of the other stories that you've heard, some of the other incidents and cases around North Korean IT workers, what are some of the things, and I think you've touched on a few of these already, that you think are definitely essential for either detecting this activity if you have an individual who unfortunately has already been hired, or even some things you saw as part of this investigation or others that you think, you know, organizations can arm their HR and recruitment teams to go look for in that sort of hiring process?
A
Absolutely, yeah. I think pre hire is of most importance, just having strict employee data verification and background check processes and educating hiring managers to this threat in general. I think once you see a couple fraudulent resumes and GitHub profiles and LinkedIns, you kind of start to see a pattern there and get used to what evil looks like. So I think that's huge. Just mitigating this before they're even hired. But again, after they're hired, requiring maybe the first day being in office, even if it's a remote job, and then monitoring post hire. So again, the unauthorized tools being installed, mouse jigglers, KVM software, anything that a facilitator might want to use to keep the laptop on and running and accessible for an IT worker when they need it.
B
Was there anything, I guess going back to the investigation, that you were conscious about in terms of not wanting to alert or, you know, trigger the IT worker? I don't know if there was an attempt to try to get them on camera at some point when they were still employed.
A
The first employee they hired was okay with being on camera. The second employee, obviously being the same person, didn't turn their camera on very often. So I think maybe if you are suspicious of an IT worker in your environment, maybe do just a random video-on meeting. But during the investigation, we attempted to collect those forensic images over the Internet, and that kept failing. So we were tiptoeing around them a little bit, but it got to a point where the client said, we just need to confront them about this and take care of it.
B
Yeah, it's an interesting story, and I think it also points to some of the challenges that these actors have managing multiple personas. And then even, specifically, as we've seen them try to do, managing multiple personas within the same organization. You know, if they either gain employment with different personas or even try to recommend someone else that is another persona that they are operating, there's a number of different ways where they can easily slip up and get caught. And it seems like some of those kind of emerged here. And I'm struck by some of the different cases where, like this one, again, it wasn't a sort of technical TTP that was triggered. It was someone saying, hey, this W2, I shouldn't be receiving it. And that being the kind of genesis of the investigation.
A
Yeah, absolutely. Without the W2, I don't know if they would have caught on. This was before a lot of the press had started covering it. So maybe they would have found out once, you know, all these blogs and public notifications came out. But without the W2 notification, I think this would have gone on a little longer.
B
Well, I think it's another good story that, again, highlights how this threat is evolving and continuing to operate. As I mentioned, there's more in the M-Trends report. Interestingly enough, if you go to the initial infection vector, you'll see insider threats, almost entirely if not entirely represented by the DPRK IT workers, at 5% this year. So 5% of the investigations, the incidents and breaches we responded to last year, had insider threat as the initial access point; that's a first. So this is definitely something that has emerged more often and that we have seen, of course, expand globally. So a lot more that I think we'll be doing here and elsewhere to research this particular problem. But JP, thanks for spending some time today and going over your observations from responding to one of these threats.
A
Yeah, thanks for having me.
B
Take care.
Host: Luke McNamara (B)
Guest: JP Glab (A), Senior Incident Response Consultant
Date: May 19, 2025
This episode dives deep into the emerging and complex threat posed by North Korean (DPRK) IT workers infiltrating organizations via fraudulent employment. Host Luke McNamara interviews JP Glab about a real-world response to such an incident, discussing how the threat was uncovered, the unique investigative challenges, and key lessons for organizations aiming to detect and prevent such intrusions. The discussion uses detailed, recent casework to illuminate how DPRK actors exploit remote work and identity fraud to gain access to western organizations, and what defenders can do at both the hiring and technical controls stages to identify and root out these covert operatives.
This episode provides in-depth, actionable insight into handling the complex challenge of DPRK IT worker infiltrations, combining technical, operational, and HR perspectives for a holistic defensive approach.
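The post-hire detection logic JP describes in the interview (laptops checking in from a state other than the one the employee declared, two different employees sharing one external IP, and remote-access or keep-awake tools such as AnyDesk and Caffeine installed within hours of first boot) can be expressed as three simple checks over EDR telemetry. The script below is an added illustration, not code from Mandiant or from the episode; all records, user names, IPs and timestamps are constructed, and the geolocation of each IP is assumed to be pre-resolved by the EDR or a GeoIP lookup.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EDR check-in records: (user, device, external_ip, geo_state).
# geo_state is assumed to be pre-resolved by the EDR or a GeoIP lookup.
CHECKINS = [
    ("employee_a", "LT-001", "203.0.113.10", "NV"),
    ("employee_a", "LT-001", "203.0.113.10", "NV"),
    ("employee_b", "LT-002", "203.0.113.10", "NV"),
    ("employee_c", "LT-003", "198.51.100.7", "WA"),
]
# Location each employee declared at hire (constructed).
DECLARED_STATE = {"employee_a": "TX", "employee_b": "TX", "employee_c": "WA"}
# Constructed software-install events: (user, tool, timestamp).
INSTALLS = [
    ("employee_a", "AnyDesk", datetime(2025, 1, 6, 11, 0)),
    ("employee_a", "Caffeine", datetime(2025, 1, 6, 11, 5)),
    ("employee_c", "Slack", datetime(2025, 1, 6, 12, 0)),
]
# First power-on of each issued laptop (constructed).
FIRST_BOOT = {"employee_a": datetime(2025, 1, 6, 9, 0), "employee_c": datetime(2025, 1, 6, 9, 30)}
# Remote-access / keep-awake tools named in the episode; extend with your own list.
WATCHLIST = {"anydesk", "caffeine"}

def shared_egress_ips(checkins):
    """Return {ip: sorted users} for external IPs seen from more than one user."""
    users_by_ip = defaultdict(set)
    for user, _device, ip, _state in checkins:
        users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}

def location_mismatches(checkins, declared):
    """Return sorted (user, observed_state) pairs whose observed state differs from the declared one."""
    hits = {(u, st) for u, _d, _ip, st in checkins if declared.get(u) not in (None, st)}
    return sorted(hits)

def early_watchlist_installs(installs, first_boot, watchlist, window=timedelta(hours=24)):
    """Return (user, tool) pairs where a watch-listed tool was installed within `window` of first boot."""
    hits = []
    for user, tool, when in installs:
        boot = first_boot.get(user)
        if boot and tool.lower() in watchlist and timedelta(0) <= when - boot <= window:
            hits.append((user, tool))
    return hits

if __name__ == "__main__":
    print(shared_egress_ips(CHECKINS))
    print(location_mismatches(CHECKINS, DECLARED_STATE))
    print(early_watchlist_installs(INSTALLS, FIRST_BOOT, WATCHLIST))
```

Each check alone produces false positives (shared office egress, travel, legitimate IT tooling); in the case discussed, it is the combination of all three on newly onboarded remote hires that makes a strong lead.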