Dozens of Fortune 100 organizations have inadvertently hired workers from North Korea applying for remote jobs, Mandiant said.
The FBI in June 2022 warned organizations to be on the lookout for individuals using deepfakes or stolen personally identifiable information who apply for remote jobs.
While Mandiant has not observed significant malicious activities, the threat intelligence firm is concerned the threat group may use insider access to insert backdoors in systems or software in the future.
“This is another type of initial access vector for threat actors but also I want to emphasize that the threat actors are targeting IT and tech positions, potentially providing the actors with access to systems other users may not have,” Carmakal said via email. “This attack technique has the potential to be highly impactful.”
The non-centralized threat group, which Mandiant tracks as UNC5267, remains highly active and primarily applies for full-time or contract positions that are fully remote. Some of the IT workers, who are sent by the North Korean government to live in China, Russia, Africa or Southeast Asia, work multiple jobs concurrently, Mandiant said.