Investigation reveals North Korean IT worker 'UNC5267' has infiltrated multiple 'Fortune 100' companies



Mandiant, a research firm that tracks IT workers working for the Democratic People's Republic of Korea (North Korea), has reported that North Korean workers are employed by organizations in a wide range of industries to evade economic sanctions and earn foreign currency.

Staying a Step Ahead: Mitigating the DPRK IT Worker Threat | Google Cloud Blog

https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/



Dozens of Fortune 100 companies have unwittingly hired North Korean IT workers, according to report

https://therecord.media/major-us-companies-unwittingly-hire-north-korean-remote-it-workers



Mandiant, a research company and subsidiary of Google, has identified IT workers associated with North Korea as 'UNC5267' and confirmed their activity in various environments. UNC5267 has been confirmed to be active since around 2018, and is not a 'centralized threat actor' as seen in the past, but is composed of individuals mostly dispatched by the North Korean government and residing in China and Russia.

When applying for a job, UNC5267 used stolen IDs to apply, and almost 100% of the jobs were ones that allowed remote work. There have also been confirmed cases of people working multiple jobs. In July 2024, security software developer KnowBe4 reported that an engineer it had hired was a North Korean hacker, and there have been cases where people have edited and used photos of people published on photo stock services, or stolen and used profiles of highly skilled people from LinkedIn.

Remote workers hired by security companies were actually North Korean hackers - GIGAZINE



Naturally, the resumes used were also fake, with features such as 'addresses in the United States' and 'educational credentials from universities outside North America, such as Singapore, Japan, and Hong Kong.' This is thought to be intended to make it harder for potential employers in North America to contact the institution and verify that the credential was actually earned. In addition, the degrees listed sometimes did not match the courses the individual was believed to have taken, and the same credentials were reused across many UNC5267 personas.

In addition, most UNC5267 workers preferred to work remotely, connecting to laptops located on the victim company's network. Mandiant reports that they tended to install multiple remote administration tools on those machines, including GoTo Meeting (LogMeIn), Chrome Remote Desktop, AnyDesk, TeamViewer, and RustDesk.
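The stacking of several remote administration tools on one corporate laptop is the concrete indicator in the paragraph above. The following script is an added example, not code from the GIGAZINE article or from Mandiant: it walks a constructed software inventory (hostname,software lines) and flags hosts where two or more distinct tools from the article's list are present. The name patterns used to recognise each tool are assumptions for illustration, not authoritative package names.

```python
"""Flag hosts where more than one remote-administration tool is installed.

Added example (not from the article or Mandiant). The inventory below is
constructed, and the match patterns are assumed names for illustration.
"""
from collections import defaultdict

# Tools named in the article, mapped to substrings that commonly appear in
# their installed package or process names (assumed patterns).
REMOTE_ADMIN_TOOLS = {
    "GoTo Meeting (LogMeIn)": ("gotomeeting", "logmein", "g2m"),
    "Chrome Remote Desktop": ("chrome remote desktop", "remoting_host"),
    "AnyDesk": ("anydesk",),
    "TeamViewer": ("teamviewer",),
    "RustDesk": ("rustdesk",),
}

# Constructed sample inventory: one "hostname,installed_software" per line.
SAMPLE_INVENTORY = """\
LAPTOP-0142,Microsoft Office
LAPTOP-0142,AnyDesk
LAPTOP-0142,TeamViewer
LAPTOP-0142,RustDesk
LAPTOP-0077,Google Chrome
LAPTOP-0077,TeamViewer
LAPTOP-0311,Chrome Remote Desktop Host
LAPTOP-0311,GoToMeeting
LAPTOP-0311,Slack
"""


def classify(software_name):
    """Return the canonical tool name if software_name matches a known tool, else None."""
    lowered = software_name.lower()
    for tool, patterns in REMOTE_ADMIN_TOOLS.items():
        if any(p in lowered for p in patterns):
            return tool
    return None


def parse_inventory(text):
    """Parse 'host,software' lines into {host: set(software)}; skips blanks and comments."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, software = line.partition(",")
        if software:
            hosts[host.strip()].add(software.strip())
    return hosts


def find_suspect_hosts(text, threshold=2):
    """Return {host: sorted tool names} for hosts with at least `threshold` distinct tools.

    A single tool is normal in many environments (IT support often deploys
    one); several different ones on the same laptop is the pattern to review.
    """
    result = {}
    for host, software in parse_inventory(text).items():
        tools = {t for t in (classify(s) for s in software) if t}
        if len(tools) >= threshold:
            result[host] = sorted(tools)
    return result


if __name__ == "__main__":
    for host, tools in find_suspect_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: {len(tools)} remote admin tools -> {', '.join(tools)}")
```

On the constructed inventory, LAPTOP-0142 (three tools) and LAPTOP-0311 (two tools) are reported, while LAPTOP-0077 with only TeamViewer is not. In practice the threshold and the tool list would be tuned to whatever remote support software the organisation actually sanctions, and the flagged hosts cross-checked against the HR and video-interaction observations the article also mentions.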

Team members and managers who had worked with UNC5267 personas noted that they seemed hesitant to communicate via video and that their work was of lower than average quality.

According to Mandiant CTO Charles Carmakal, dozens of Fortune 100 companies, the list of the top US companies by total revenue, have mistakenly hired North Korean IT workers.

US authorities have not stood by idly; they have stepped up their crackdown, seizing multiple domains and indicting five people on multiple charges in May 2024.

The US Department of Justice indicted five people on suspicion of defrauding more than 300 companies to hire IT workers related to North Korea and earn money for nuclear development - GIGAZINE



in Security, Posted by logc_nt