Remote Workers
By Kristin Thomas on November 22, 2024
Executive Summary
Nation-state advanced persistent threats (APTs) infiltrate US businesses by posing as remote workers, consultants and vendors. Fraudulent businesses registered abroad are often used to hide the applicants' real identities. Threat actors who gain access in this manner launch malware, exfiltrate data for intellectual-property theft or later extortion, or route the salaries they earn back to fund group activity. Best practices to mitigate this threat include thorough hiring and procurement checks, monitoring of employee behavior, the principle of least privilege and prompt revocation of access for any entity that poses a significant risk.
Background
Organizations have used remote work to expand business operations while reducing physical overhead [5]. Office space, supplies, equipment and utilities are significantly reduced when operations do not have to house employees, and those savings can be reinvested in expanding operations and profits. Remote work also removes the commute, giving time back to employees. This benefit is highly desirable and makes a role more competitive because of the work-life flexibility it offers. A 2023 survey found that 68% of US workers preferred a fully remote role over a hybrid or in-office role, and 59% would choose an employer based on that preference [1]. Remote work has been found to increase employee satisfaction, retention and productivity. The model became particularly popular during the COVID-19 pandemic because it supported business continuity during lockdowns.
As much as legitimate job seekers and enterprises value the benefits of remote work, so do threat actors. Several factors make it an ideal attack vector. Infiltrating a company through its workforce grants system access from the vantage point of an authorized user, so there is no perimeter to breach. If the worker is also given access to on-premises resources, they can reach those systems physically without having to traverse the network, and even air-gapped systems are exposed if the user is authorized to use them. Once a threat actor has such access, reconnaissance, data exfiltration, system tampering and other physical or intellectual theft are easily performed.
North Korean APTs have been using fraudulent staffing companies to apply for remote jobs and to offer other technical services to US companies [3]. The attackers use front companies based in Russia, China and Africa to disguise their identity, and use remote-worker arrangements as proxies to obtain insider access to enterprises [4]. Their real IP addresses are hidden behind VPNs. The intent ranges from data exfiltration to earning revenue that bypasses political sanctions [2]. APTs that pose as legitimate vendors offering business services may insist on hard-to-trace or insecure payment systems.
Impact
Reports of fraudulent employee and vendor attacks by nation-state APTs have been rising, including at Fortune 100 companies [6]. Some threat actors deliver malware through remote conferencing software. Fraudulent workers may also siphon data to hold for ransom in the event that they are terminated. IT positions deserve particular scrutiny, since they tend to carry extensive access and the knowledge needed to damage systems. Fraudulent workers may be highly trained and present themselves as very desirable talent.
Mitigation
Employers can take advantage of the benefits of telework while reducing risk. They must analyze whether each role can be performed securely from a remote location. If a role adds significant exposure to the enterprise's attack surface, it is better kept on-premises; roles with minimal privilege and access are better suited to telework. If a position is found to create risk after hiring, it is safer to restructure the role so that it is performed on-premises.
Best practices applied throughout the hiring process deter bad actors from applying in the first place. Requiring attendance at regular office meetings, or availability for periodic in-office work, may discourage proxy workers. Thorough background checks confirm a candidate's identity. If staffing or consulting services are needed, only well-known, vetted vendors that follow standard business practices should be used.
A hybrid structure may provide some of the benefits of remote work while limiting risk. For example, if a remote employee is suspected of being an insider threat, requiring them to come into the office for a period allows for investigation and identity verification. It may also be necessary to place the employee on administrative leave or restrict their user access while the investigation is completed. Any employee who applied under fraudulent pretenses, engages in misconduct or creates a significant threat should be terminated immediately, and all of their access should be revoked at the same time. Report the incident to law enforcement where warranted.
Certain behaviors are red flags that an entity may pose an insider or supply-chain threat. A remote worker who asks to circumvent standard procedures may be a proxy worker. Communicating only over Voice-over-Internet-Protocol (VoIP), connecting through proxy servers or non-work VPNs, refusing to appear on camera during meetings, hiding their location or IP address, and requesting to use personal devices instead of enterprise-owned devices are all ways of concealing fraudulent activity and bypassing an enterprise's security measures. These practices should not be allowed, because each one weakens the company's security posture. If an employee persistently pushes back, access should be revoked and the matter investigated further. As a general best practice, the principle of least privilege should be applied to all workers regardless of remote or in-office status.
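Several of these red flags leave traces in ordinary VPN or single-sign-on logs and can be checked automatically. The script below is an added example, not code from the original article or from any of its sources: it runs over a few constructed login records and flags accounts whose source IP belongs to a commercial VPN or hosting provider, whose login country contradicts the location on file with HR, or whose source IP is shared with other accounts (a sign that several "workers" sit behind one proxy). The log format, the HR location table and the VPN provider denylist are all hypothetical and would be replaced by the organization's own data.

```python
"""Flag remote-access logins that match the red flags discussed above.

Added example, not from the original article. The log format, the HR
location table and the VPN/hosting denylist are hypothetical stand-ins
for an organization's own SSO logs, HR records and threat-intel feeds.
"""
from collections import defaultdict

# Constructed sample SSO log lines (not real data).
# Fields: timestamp,user,src_ip,asn_org,country
SAMPLE_LOG = """\
2024-11-20T13:01:05Z,alice,203.0.113.10,Example Telecom,US
2024-11-20T13:04:44Z,bob,198.51.100.7,AnonVPN Hosting,US
2024-11-20T13:10:02Z,carol,192.0.2.25,Example Telecom,US
2024-11-20T22:40:19Z,carol,192.0.2.25,Example Telecom,US
2024-11-20T23:02:51Z,dave,192.0.2.25,Example Telecom,US
2024-11-21T02:15:33Z,erin,203.0.113.77,Example Telecom,RU
"""

# Hypothetical HR data: the country each worker is contracted to work from.
HR_LOCATION = {"alice": "US", "bob": "US", "carol": "US", "dave": "US", "erin": "US"}

# Hypothetical denylist of commercial VPN / hosting ASN organization names.
VPN_ASN_ORGS = {"AnonVPN Hosting"}


def parse_log(text):
    """Parse CSV-style log lines into a list of event dicts; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, asn_org, country = line.split(",")
        events.append({"ts": ts, "user": user, "src_ip": src_ip,
                       "asn_org": asn_org, "country": country})
    return events


def find_red_flags(events, hr_location, vpn_asn_orgs):
    """Return {user: sorted list of reason strings} for accounts worth review.

    Reasons:
      vpn_or_hosting_asn        login came from a denylisted VPN/hosting provider
      country_mismatch:<CC>     login country differs from the HR-recorded country
      shared_source_ip:<ip>     the same source IP was used by more than one account
    """
    reasons = defaultdict(set)
    users_by_ip = defaultdict(set)

    for ev in events:
        user, ip = ev["user"], ev["src_ip"]
        users_by_ip[ip].add(user)
        if ev["asn_org"] in vpn_asn_orgs:
            reasons[user].add("vpn_or_hosting_asn")
        expected = hr_location.get(user)
        if expected is not None and ev["country"] != expected:
            reasons[user].add(f"country_mismatch:{ev['country']}")

    # One IP used by several distinct accounts suggests a shared proxy.
    for ip, users in users_by_ip.items():
        if len(users) > 1:
            for user in users:
                reasons[user].add(f"shared_source_ip:{ip}")

    return {user: sorted(r) for user, r in reasons.items()}


if __name__ == "__main__":
    for user, why in sorted(find_red_flags(parse_log(SAMPLE_LOG),
                                           HR_LOCATION, VPN_ASN_ORGS).items()):
        print(f"{user}: {', '.join(why)}")
```

In practice the ASN and country fields would come from an IP enrichment step rather than from the log itself, and a hit is a prompt for the identity-verification steps described above, not proof of fraud on its own: legitimate travel and home routers behind carrier-grade NAT both produce false positives, which is why the output is a review list rather than an automatic lockout.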
Relevance
Remote work is becoming more common; by 2025 it is projected that there will be about 36.2 million remote workers. The benefits of remote work can still be realized if it is managed responsibly. By factoring remote work into their risk-mitigation strategies, businesses can remain flexible as the workforce landscape changes.
References
[1] Flynn, J. (2023, June 13). 25 Trending Remote Work Statistics [2023]: Facts, Trends, and Projections. Zippia.com. https://www.zippia.com/advice/remote-work-statistics/
[2] Johnson, D. (2024, October 16). Pyongyang on the payroll? Signs that your company has hired a North Korean IT worker. Cyberscoop. https://cyberscoop.com/north-korean-it-workers-secureworks-report/
[3] Lakshmanan, R. (2024, November 21). North Korean Front Companies Impersonate U.S. IT Firms to Fund Missile Programs. The Hacker News. https://thehackernews.com/2024/11/north-korean-front-companies.html
[4] New York State Department of Financial Services. (2024, November 1). Industry Letter. Industry Guidance. https://www.dfs.ny.gov/industry-guidance/indusry-letters/il20241101-cyber-advisory-remote-workers-nk
[5] Thompson, J. (2024, November 6). Why Remote Work Makes Good Business Sense. Business.com. https://www.business.com/articles/remote-work-good-for-business/
[6] Tidy, J. (2024, October 16). Firm hacked after accidentally hiring North Korean cyber criminal. BBC. https://www.bbc.com/news/articles/ce8vedz4yk7o