Insider risk was until recently largely considered to be limited to isolated incidents. Dangerous, yes. But usually, the result of negligent employees or the odd “lone wolf” motivated by greed or revenge. The discovery of a years-long campaign by North Korea to infiltrate Western companies has turned these assumptions upside down. The bad news for UK CISOs: it’s no longer just a problem for US businesses, according to Google.
With Pyongyang taking insider threats to a whole new level, what can security leaders and their HR peers do to weed out the miscreants? And prevent the next wave of spies from tricking their way into in-house IT roles?
The Latest TTPs
According to Microsoft, North Korea’s “fraudulent remote worker scheme” has been ongoing since at least 2020, having placed thousands of IT workers into roles in Western organisations. Several indictments of North Korean spies and local facilitators have followed, lifting the lid on the scale of the operation. Now it seems to be expanding into Europe, according to Jamie Collier, Google Threat Intelligence Group (GTIG) lead advisor.
“The scale of the threat posed by DPRK IT workers is continuing to grow, and UK organisations are firmly in scope. What began as a largely US-focused operation has expanded into a global campaign, with Europe now a key target,” he tells IO (formerly ISMS.online).
“In one case, a DPRK IT worker leveraged facilitators in both the US and UK, with a corporate laptop – intended for use in New York – found to be operational in London. This points to a complex logistical chain, where devices and access are effectively proxied through trusted locations, allowing operatives to mask their true identity and location.”
These workers create, rent or purchase identities matching the geolocation of the target organisation, and open new email, social media and GitHub accounts to build a convincing professional persona. Their facilitators validate these fraudulent identities and help by forwarding company devices and running laptop farms. The workers use remote management tools to connect to those device farms, which sit in the same region as the role, while VPNs, virtual private servers (VPSs) and proxy services hide their true identity and location. AI-powered deepfake images and videos and voice-changing software are also deployed to keep employers in the dark.
A recent report from Flare and IBM X-Force uncovers more details on the sophistication of these schemes. It reveals the use of North Korean IT management platforms like “RB Site” and “NetkeyRegister” to provide “a structured back-office operation for tracking work, managing devices, and distributing software updates.” And the use of IP Messenger for covert comms.
The job of security and HR teams is made harder by the fact that, in most cases, the goal of the campaign is not necessarily data theft or extortion but simply to generate money for the Kim Jong-un regime. Flare estimates it is generating as much as $500m annually, with some workers holding down multiple jobs at the same time.
“In some cases, they’re not just securing roles, they’re excelling in them,” says Google’s Collier. “When we informed one client that an employee was a North Korean operative, the response was: ‘are you 100% sure, because he’s one of our best employees’.”
Taming the Insider Threat
Yet even if North Korean IT workers aren’t actively stealing data or extorting their employers, their mere presence represents a major compliance risk.
“The Office of Financial Sanctions Implementation’s September 2024 advisory does not leave much room for ambiguity. Paying a DPRK IT worker, even unknowingly, can constitute a breach of UK and UN financial sanctions. The penalties are civil (strict liability, so ignorance is not a defence) or criminal (up to seven years),” explains Flare senior cybercrime researcher, Adrian Cheek.
“OFSI reported around £500,000 in enforcement penalties in 2024-25, and it signed a new memorandum of understanding with the US Treasury that year, which means transatlantic cooperation on these cases is tightening. If your company also operates in the US, you face exposure on both sides and the reputational risk barely needs spelling out.”
Cheek outlines several steps organisations should consider to mitigate the threat. These should start with fixing the hiring process, which is where most damage can be prevented.
“Start with the basics: verify identity against government-issued ID, confirm right to work, and independently check employment history and references. Do not just call the number on the CV,” he tells IO (formerly ISMS.online). “For anything touching sensitive systems or data, go further. BS 7858-grade screening covers a verified five-year employment history with no unexplained gaps, sanctions and watchlist checks, and financial integrity checks where the law allows it.”
Next should come improved interview screening.
“This is the bit that most guidance overlooks. Standard technical interviews are trivially easy to pass with AI running on a second screen, which is exactly what these operatives do. You need to design interviews that break that workflow,” says Cheek. “Throw in something false and see what happens. And ask questions that need a real opinion, not a textbook answer. Avoid anything a candidate could answer by pasting the question into an LLM.”
Hirers should also insist on live-screen sharing, and change interview formats between rounds, to throw off a potential faker. “If their fluency drops dramatically when they cannot prepare and do not have AI assistance lined up, that is a significant indicator,” says Cheek.
For roles with access to sensitive data, at least one in-person meeting is essential.
Finally, organisations can mitigate the risk of having a potential North Korean worker in their midst by applying least privilege, disabling local admin accounts, and restricting the ability to install remote desktop tools, Cheek concludes.
“Do not hand a new contractor the keys to every repo and internal tool on day one. Provision access incrementally and review it regularly,” he says. “And if you cannot issue a managed device, make sure equivalent logging and endpoint visibility is in place.”
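The detection side of these controls can be illustrated with a small triage routine. This is an added example, not code from the article or from any of the firms quoted in it; it runs over constructed login records and flags a device when two or more of the article's indicators coincide: the laptop being used somewhere other than where it was shipped, a source IP in hosting/VPS space, and a remote-management tool active in the session. The record fields, the tool names and the sample values are all assumptions for the illustration.

```python
from dataclasses import dataclass

# Constructed sample telemetry: one record per interactive login on a corporate device.
# Field names are assumed for this example; real EDR or identity-provider exports differ.
@dataclass
class LoginEvent:
    device: str
    expected_city: str      # where the laptop was shipped / where the employee claims to work
    observed_city: str      # geolocation of the connecting IP
    ip_is_hosting: bool     # IP belongs to a VPS/proxy provider (from an enrichment feed)
    processes: tuple        # process names seen in the session

# The article does not name specific tools; these are common remote-management
# executables chosen for the illustration. Extend from your own allow/deny list.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe",
                "chrome_remote_desktop_host.exe"}

def score(ev: LoginEvent) -> list:
    """Return the indicators that fire for one login event."""
    reasons = []
    if ev.observed_city.lower() != ev.expected_city.lower():
        reasons.append(f"geo mismatch: shipped to {ev.expected_city}, seen in {ev.observed_city}")
    if ev.ip_is_hosting:
        reasons.append("source IP is hosting/VPS space")
    tools = REMOTE_TOOLS & {p.lower() for p in ev.processes}
    if tools:
        reasons.append("remote-management tool active: " + ", ".join(sorted(tools)))
    return reasons

def triage(events) -> dict:
    """Map device -> indicators for devices with two or more indicators (escalate to HR/security)."""
    result = {}
    for ev in events:
        reasons = score(ev)
        if len(reasons) >= 2:
            result[ev.device] = reasons
    return result

# Constructed sample: LT-0417 mirrors the article's New York laptop found running in London.
SAMPLE = [
    LoginEvent("LT-0417", "New York", "London", False, ("outlook.exe", "anydesk.exe")),
    LoginEvent("LT-0522", "Manchester", "Manchester", False, ("code.exe",)),
    LoginEvent("LT-0619", "Leeds", "Leeds", True, ("teams.exe", "rustdesk.exe")),
]

if __name__ == "__main__":
    for dev, why in triage(SAMPLE).items():
        print(dev, "->", "; ".join(why))
```

A single indicator is common enough in legitimate use (travel, a home VPN) that it should feed the HR/security channel described below rather than trigger action on its own.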
Collaboration with HR
Many of these efforts will require security teams to build bridges with their HR counterparts, says Mimecast cybersecurity strategist, Adenike Cosgrove.
“Collaboration needs to be built into recruitment as standard, not treated as an escalation step,” she tells IO. “HR is often the first line of defence. They see the early signals: candidates who deflect identity questions, push back on verification or behave inconsistently. Without a clear channel to surface those concerns to security, those signals disappear.”
The same should apply to offboarding, to ensure network access is removed immediately following the termination of a suspected malicious insider, she says.
“None of this works without agreement upfront: on what HR flags to security, what security communicates back, and how decisions get made when the picture is ambiguous”, Cosgrove adds.
“Insider risk is ultimately a people problem. The teams closest to people and the teams closest to data need to be working from the same playbook. If HR and security aren’t working as one system, this threat slips straight through the gap between them.”
The Role of Best Practice Frameworks
The good news is that, although standards like ISO 27001 can feel “disconnected” from threats like this, “in practice they’re more relevant than ever”, says Cosgrove.
“What ISO 27001 provides is structure,” she adds. “It forces alignment between HR screening, access controls and security oversight, which is exactly where this threat sits.”
Flare’s Cheek goes further. He cites NIST CSF 2.0 as relevant for multinationals or companies working with US clients, and Cyber Essentials as basic but with useful access control requirements. ISO 27001, though, is the most comprehensive framework for tackling the North Korean threat, he argues.
Cheek references the following as useful and relevant here:
- Annex A 6.1 (Screening), which requires background checks proportionate to the role’s risk level, and ongoing screening
- Annex A 5.16 (Identity Management), which requires unique user identification and prohibits shared accounts
- Annex A 6.5 and 6.6, which require that confidentiality obligations survive termination and access gets revoked immediately, mitigating extortion risks
- Annex A 6.7 (Remote Working), which covers the risks of unmanaged devices and of physically verifying remote workers
“The real value of ISO 27001, though, is cultural,” he concludes. “Researchers have been saying for over a year that insider risk needs to be a shared responsibility across security, HR, legal, audit, and finance. ISO 27001 gives you the structure to make that happen.”