If you're a tech leader at a Fortune 500 company, you might want to be extra careful next time you hire a freelancer.
Mandiant has warned that North Korean spies have been disguising themselves as IT contractors in order to quietly earn money to fund the expansion of Kim Jong-Un's weapons of mass destruction (WMD) and ballistic missile programmes.
Some of the fake contractors operate through front companies. Others work with non-North Korean "facilitators" who help them gain employment, as well as performing tasks such as laundering money and/or cryptocurrency, receiving company laptops delivered to their homes, or using stolen identities for employment verification, and accessing international financial systems.
Charles Carmakal, Mandiant Consulting’s CTO, said: “I’ve spoken to dozens of Fortune 100 organizations that have accidentally hired North Korean IT workers.
"North Korean IT workers often have multiple jobs with different organizations concurrently, and they often have elevated access to production systems, or the ability to make changes to application source code. There is a concern that they may use this access to insert backdoors in systems or software in the future.
"Every Fortune 100 organization should be thinking about this problem.”
It's feared the fake freelancers could be part of a kind of human botnet, primed and ready to take destructive action whenever the call comes from Pyongyang.
“The biggest concern I have is what happens if these threat actors go undetected long enough and are eventually given an order by the North Korean regime to launch a wide scale attack," said Michael Barnhart, Mandiant Principal Analyst - Google Cloud.
“These IT workers could easily receive instructions tomorrow to deploy ransomware and simultaneously disable major organizations all over the U.S. and Europe very quickly if they wanted to.
"The only way we come out ahead is strength in numbers. That’s why we’re urging businesses to reach out to Mandiant and privately share any information they’re able to so we can collaborate with them to help the broader community combat this complex scheme.”
Mandiant tracks "IT worker operations" as UNC5267. You can find the IOCs here or here.
UNC5267 is "not a traditional, centralised threat group" and instead consists of IT workers sent to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia. "Their mission is to secure lucrative jobs within Western companies, especially those in the US tech sector," Mandiant wrote.
The agents land jobs using stolen identities or are brought in as a contractor, primarily applying for positions that offer 100% remote work and often working a number of jobs at once to pull in multiple salaries.
Mandiant identified numerous fraudulent resumes linked to North Korean (DPRK) IT workers applying for remote jobs. One resume, hosted on Netlify, used a suspicious email previously associated with IT worker activities and featured fake testimonials with images likely stolen from LinkedIn profiles of high-ranking professionals.
The CV claimed proficiency in multiple programming languages, while another linked Google Docs resume presented inconsistent information, such as differing names, contact details, education, and work histories, yet shared similar wording.
The DPRK IT workers often used fabricated personas and fraudulent resumes with addresses based in the U.S. and education from universities in countries like Singapore or Japan, which made it difficult for North American employers to verify credentials. These resumes were often reused across various personas.
After securing jobs, DPRK workers remotely accessed corporate laptops via laptop farms, using IP-based KVM devices and remote management tools like GoToRemote, AnyDesk, and TeamViewer. Many connections originated from VPNs associated with China or North Korea.
Mandiant also observed that these workers avoided video communication and performed below expectations, further signaling the use of deceptive tactics to gain employment.
How to stop North Korean agents infiltrating your IT department
To mitigate risks, Mandiant suggests following these key strategies:
1. Verify VoIP numbers to detect suspicious usage.
2. Confirm the corporate laptop’s location matches the reported residency during onboarding.
3. Monitor and restrict remote admin tools to prevent unauthorized access, especially VPNs like Astrill VPN.
4. Watch for “mouse jiggling” software, such as Caffeine, which keeps multiple systems active.
5. Verify laptop serial numbers to ensure physical possession during onboarding.
6. Enforce multi-factor authentication and limit IP-based KVM devices.
7. Spot-check remote workers on camera and offer ongoing threat awareness training.
8. Require U.S. bank accounts for payments to add stricter identity verification barriers.
Have you ever worked with a North Korean spy? Get in touch with jasper@thestack.technology to let us know.
