OPINION:
Although Beijing and Moscow pose the most “active and persistent” cyberthreats, according to U.S. intelligence, Pyongyang is demonstrating with artificial intelligence just how dangerous hackers can be. North Korean hackers are using AI deepfakes to trick recruiters and human resource personnel at some of the largest companies around the world, as well as cybersecurity firms themselves.
Employed by unwitting Western companies, these hackers earn six-figure salaries, money that feeds into Pyongyang’s missile and nuclear weapons programs. They also plant malware they can use to steal data and extort the companies when and if they get exposed. As North Korean cybercriminal operations become more sophisticated, American companies will continue falling victim unless the U.S. government helps them better protect themselves.
AI use in criminal schemes
North Korean hackers used to rely on virtual private networks and aliases to hide their true identities in order to get information technology jobs. Interviews used to be enough to weed out most fraudulent applicants or catch a malicious actor who might have been savvy enough to secure a position. Now, according to reporting from Politico and Wired, AI-generated deepfakes are becoming key to Pyongyang’s success, rendering existing screening tools increasingly irrelevant.
Here is how the scheme works: North Korean operatives create fake LinkedIn pages using stolen information and pirated or AI-generated profile pictures. When they receive a response to one of the hundreds of applications they have submitted to job listings, they use AI-generated deepfakes to impersonate their LinkedIn identities and AI chatbots to feed them answers to interviewer questions. With stolen Social Security numbers, background checks come back clean as well. Pyongyang then uses American accomplices to sign employment forms, receive paychecks and run laptop farms to prevent the companies from detecting internet communications that connect back to North Korea.
In March, Pyongyang launched Research Center 227, an effort within its overseas intelligence agency, the Reconnaissance General Bureau, to focus on AI-enabled cyberattack capabilities. According to cybersecurity firm DTEX, Research Center 227’s objectives are to use AI to neutralize defenses, steal information and money, and automate information collection and analysis. Although the IT worker scheme long predates this center, the capabilities and skills it develops will enhance this operation and the other vast criminal enterprises that fund the regime.
Chinese support is critical
The U.S. government has long warned that North Korean hackers obfuscate their identities to secure IT jobs. In December, Washington indicted 14 such hackers. A month later, the Treasury Department issued sanctions against individuals and entities responsible for generating illicit revenue for the regime as part of this conspiracy. These measures, however, have done little to thwart North Korea’s schemes, especially as China continues to support Pyongyang’s efforts.
A report from cyberintelligence firm Strider said at least 35 Chinese companies have supported the IT workers’ plot. Using Liaoning China Trade, a company Treasury sanctioned in January, as a starting point, Strider identified 35 affiliated companies in China. The firm warned that these affiliates pose “a significant risk to Western businesses … exposing them to potential sanctions violations and serious reputational harm.” The report also finds that large Chinese and Russian firms often provide day jobs for North Korean hackers.
North Korea not only sends its hackers abroad but also creates companies in China and Russia to facilitate its cybercriminal activities. The December indictment noted that the entities set up companies in China and Russia to funnel more than $88 million to Pyongyang’s coffers.
Companies need mitigation guides
Although the sanctions and indictments have done little to deter North Korean cyberoperations, they can help companies thwart the attacks. The charges require the Justice Department to gather copious amounts of evidence and conduct extensive technical forensic analysis. The U.S. government can use this evidence to create mitigation guides to help private companies implement hiring practices that would better protect them from North Korean malfeasance. The more information companies have, the better they can secure themselves.
The FBI did issue guidance in January, but its recommendations fall short of what is needed. The stated “recommendations for strengthening remote-hiring processes” should provide more guidance focused on mitigating the use of deepfakes. Its “recommendations for data monitoring,” meanwhile, should go further than simply restating general cybersecurity guidance about monitoring network traffic. They should include more tailored ideas. For example, cybersecurity firm SentinelOne recommends disabling remote desktop applications on the laptops of new hires so those employees must be physically in front of the laptop to operate it rather than being able to connect to the device from around the world.
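Two of the concrete checks the article points to (remote desktop tooling on a new hire's laptop, and company devices that all reach the network from one address, the "laptop farm" pattern described above) can be expressed as simple detection logic over endpoint and sign-in telemetry. The script below is an added illustration, not code from the op-ed, the FBI or SentinelOne; the log format, the hostnames, the roster, the 90-day "new hire" window and the list of remote-access executables are all constructed assumptions that a real deployment would replace with its own telemetry and tuning.

```python
"""Added example: flag two indicators of the North Korean IT-worker scheme
in constructed endpoint and VPN telemetry (not the article's own code)."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Assumed list of remote-access tools that should not appear on a freshly
# issued laptop; compare case-insensitively and tune to what you sanction.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "rustdesk.exe",
    "chrome_remote_desktop_host.exe", "splashtop_streamer.exe",
}
NEW_HIRE_WINDOW = timedelta(days=90)  # assumed "new hire" period

# Constructed HR roster: hostname -> (username, start date).
ROSTER = {
    "LT-1041": ("j.doe", date(2025, 5, 12)),
    "LT-1042": ("m.lee", date(2025, 5, 19)),
    "LT-1043": ("a.park", date(2025, 5, 26)),
    "LT-0212": ("s.rivera", date(2021, 2, 1)),
}

# Constructed endpoint process-start log: "timestamp host user image".
PROCESS_LOG = """\
2025-06-02T09:14:03Z LT-1041 j.doe anydesk.exe
2025-06-02T09:20:41Z LT-1041 j.doe outlook.exe
2025-06-02T10:02:17Z LT-0212 s.rivera teamviewer.exe
2025-06-03T08:55:09Z LT-1043 a.park rustdesk.exe
2025-06-03T09:01:30Z LT-1042 m.lee teams.exe
"""

# Constructed VPN sign-in log: "timestamp host user source_ip".
SIGNIN_LOG = """\
2025-06-02T09:10:00Z LT-1041 j.doe 203.0.113.45
2025-06-02T09:12:00Z LT-1042 m.lee 203.0.113.45
2025-06-02T09:15:00Z LT-1043 a.park 203.0.113.45
2025-06-02T09:16:00Z LT-0212 s.rivera 198.51.100.7
"""


def parse(log):
    """Parse the four-column constructed log format into tuples."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, user, value = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, value))
    return rows


def flag_remote_tools(process_rows, roster, window=NEW_HIRE_WINDOW):
    """Return (host, user, image) for each remote-access tool launched on a
    laptop whose owner started within `window` of the launch."""
    hits = []
    for ts, host, user, image in process_rows:
        if image.lower() not in REMOTE_ACCESS_TOOLS:
            continue
        info = roster.get(host)
        if info is None:
            continue  # unknown device: out of scope for this check
        _, start = info
        if ts.date() - start <= window:
            hits.append((host, user, image))
    return hits


def flag_shared_source_ips(signin_rows, min_devices=3):
    """Return {source_ip: sorted hostnames} for every address from which at
    least `min_devices` distinct company laptops signed in."""
    by_ip = defaultdict(set)
    for _, host, _, ip in signin_rows:
        by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()
            if len(hosts) >= min_devices}


if __name__ == "__main__":
    for hit in flag_remote_tools(parse(PROCESS_LOG), ROSTER):
        print("remote-access tool on new-hire laptop:", hit)
    for ip, hosts in flag_shared_source_ips(parse(SIGNIN_LOG)).items():
        print("several laptops behind one source IP:", ip, hosts)
```

On the constructed data the first check fires for the two new hires running AnyDesk and RustDesk but not for the long-tenured user running TeamViewer, and the second check fires for the one address that three laptops share. Both checks produce leads rather than verdicts: a shared office, hotel or corporate VPN egress will also put several devices behind one address, so exclude known corporate ranges before alerting, and pair the process check with the article's stronger control of simply not allowing remote desktop software on new-hire laptops at all.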
Guidance from cybersecurity firms is useful, but only the federal government has the visibility from its investigations of operations against multiple victim organizations to identify common techniques. Guidance from the FBI also carries greater weight with companies that must make new investments to protect themselves from malicious cyber schemes.
North Korea is deploying its hackers around the world and tasking them with bringing back funds for the regime. American companies need, at the very least, more robust guidance from their government if they hope to stand a chance at detecting and thwarting Pyongyang’s advances.
• Mathew Ha is an adjunct fellow with the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. Annie Fixler serves as CCTI’s director and is a senior fellow with FDD.