North Korean Operatives Use AI and Fake Identities to Infiltrate Companies via
North Korean operatives are using AI tools and forged documents to pass remote job interviews, according to Flare research. The tactic aims to place threat actors inside target companies for long-term espionage and network access.

Executive Summary
North Korean threat actors are conducting a persistent campaign to infiltrate companies by passing remote job interviews using AI-generated content, deepfake video technology, and forged identity documents. According to research from Flare, the objective is to place operatives within target organizations to gain long-term network access for espionage and data theft. The tactic exploits the normalization of remote hiring processes and the difficulty of verifying digital identities.
Technical Analysis
The primary technique involves operatives assuming fabricated identities, often those of real individuals from countries like the United States or Canada, to apply for remote positions. Flare senior cybercrime researcher Adrian Cheek, in a video analysis for Help Net Security, detailed the methods used to bypass standard hiring checks. Threat actors leverage AI tools to generate convincing fake supporting documents and, potentially, to create or manipulate video content for interviews. While the specific AI software was not named, the research indicates the use of technology capable of creating synthetic media that can pass casual inspection during a video call. The operatives' goal is not to perform the job duties but to establish a foothold within the corporate network.
Tactics, Techniques & Procedures
The campaign employs techniques aligned with social engineering and identity deception. According to Flare's analysis, the TTPs include:
- Fabricated Identity Creation: Assuming the identity of a real person from a non-sanctioned country to appear legitimate.
- Document Forgery: Using AI tools to generate fake passports, driver's licenses, and other verification documents.
- Video Call Deception: Potentially utilizing deepfake or other video manipulation technologies during live interviews to maintain the fake persona.
- Exploitation of Remote Hiring: Targeting companies with fully remote interview and onboarding processes that lack robust, in-person identity verification steps.
Threat Actor Context
The activity is attributed to operatives working on behalf of North Korean interests. The source does not explicitly name a specific advanced persistent threat (APT) group, such as Lazarus Group (APT38), but North Korean state-sponsored cyber operations have a long history of conducting financially motivated campaigns and espionage to bypass international sanctions and gather intelligence. This job interview infiltration tactic represents an evolution of their social engineering efforts, moving beyond spear-phishing to directly place a human agent inside a target organization.
Mitigations & Recommendations
Flare researcher Adrian Cheek recommends specific technical countermeasures for hiring managers and security teams conducting remote interviews. These are designed to detect synthetic media and verify the physical presence of a candidate:
- Ask the candidate to perform simple, spontaneous physical actions during the video call, such as turning their head or moving an object in front of the camera. This can help reveal pre-recorded or looped video feeds.
- Closely examine video artifacts, lighting inconsistencies, and audio sync issues that may indicate manipulation.
- Implement enhanced due diligence for identity verification, going beyond document submission to include verification checks with trusted third parties or more rigorous background screening processes, especially for roles that would grant access to sensitive systems.
- Integrate security teams into the hiring process for technical roles to assess potential risks associated with candidate backgrounds and access requirements.

