Insider Threats (DPRK)

Security Specialist, Operations & Strategy, Community & Marketing, HR, Engineer/Developer

Authored by:

blackbigswan

Reviewed by:

Yaniv Sofer (EY)
Dickson Wu (SEAL)

This framework serves as an entry point to understanding the organizational and personal risks related to "Insider Threats," most commonly (though not exclusively) associated with "DPRK IT Workers" - the North Korean hacker-freelancers. It is intended both for projects already affected by insider threat actors and for projects that want to harden their posture against these actors.

Throughout this module, we will discuss:

  • Who insider threat actors are and what they do
  • How to recognize insider threat actors
  • How to interact with a potential threat actor
  • How to mitigate the risks and impact of insider threat actors
  • How to harden your defenses against insider threat actors
  • Potential consequences of insider threats for you and your organization

Overview of risks to your organization

  1. Defrauding the company: The company is paying someone whose identity they do not know.
  2. Subpar operational security: DPRK IT workers share credentials among themselves in open channels, have a poor command of Git, and leak the access they are granted to third parties, whether intentionally or not.
  3. Extortion: They may try to extort more money after a job is finished.
  4. Future hacking activities: They may use the knowledge gained for future hacking activities.
  5. Sanctions violations: The DPRK is a sanctioned entity. No company can legally transfer funds to DPRK-related operations.
  6. Contribution to the North Korean Military: DPRK IT worker salaries directly contribute to the Military Ministry of North Korea. The workers do not keep the salaries for themselves.
  7. Supply-chain compromise: DPRK IT Workers may intentionally introduce vulnerabilities that impact downstream projects depending on your software or services (e.g. SafeWallet UI in the ByBit hack).
  8. Reputational damage: Damage to your brand and loss of trust from your users and customers.
  9. Asset freeze / loss of access to financial services: Your assets may be frozen or seized, and financial institutions (e.g. banks, exchanges) may terminate your access if you are suspected of funding sanctioned entities.
  10. Criminal investigations: Law enforcement may investigate your involvement and impose fines or press criminal charges against your organization.