Tracking North Korean Threat Actor Infrastructure
This talk demonstrates techniques for tracking North Korean state-sponsored threat actor infrastructure using NetFlow analysis and BGP routing data. It highlights how these actors leverage remote working platforms, VPNs, and compromised third-party software to conduct cyber-espionage and financial theft. The presentation provides a methodology for identifying malicious infrastructure by correlating network telemetry with known actor TTPs, such as the use of specific VPN providers and remote management tools. The speaker emphasizes the importance of robust HR vetting and network monitoring to mitigate these supply-chain and insider-threat risks.
How North Korean Threat Actors Infiltrate Fortune 1000s Through Remote IT Hiring
TLDR: North Korean state-sponsored actors are bypassing traditional network perimeters by applying for legitimate remote software development and IT administration roles at major corporations. Once hired, these actors use a combination of remote management tools, VPNs, and "laptop farms" to maintain persistent, authorized access to internal systems. This research highlights the critical need for rigorous HR vetting and network-level monitoring of remote access tools to prevent supply-chain compromises from the inside out.
Modern offensive security often focuses on finding the next zero-day or bypassing a WAF, but the most effective entry point for state-sponsored actors is currently the front door. Research presented at BSides London 2025 details how North Korean threat actors are successfully infiltrating Fortune 1000 companies by posing as legitimate remote IT contractors. This is not a technical exploit in the traditional sense; it is a sophisticated social engineering and operational security campaign that turns the modern remote-work culture into a massive attack surface.
The Mechanics of the Infiltration
These actors do not need to burn expensive exploits to gain initial access. Instead, they create fake identities, build professional-looking profiles on platforms like LinkedIn, and apply for open positions on job boards like Upwork. Once they secure a contract, they gain authorized access to the company's internal infrastructure, including source code repositories, CI/CD pipelines, and administrative systems.
The operational craft of this campaign lies in how the actors keep working from authorized devices without tripping geographic or device-based controls. Because the operators are in North Korea, they cannot log in from their own addresses. Instead they use a combination of software remote-control tools (AnyDesk, TeamViewer) and hardware KVM-over-IP devices (PiKVM) to drive machines physically located in "facilitator" countries.
By having the company-issued laptop shipped to a facilitator's address in a country like the United States, they get it plugged into a PiKVM. The PiKVM captures the laptop's HDMI output and emulates a USB keyboard and mouse, so the operator controls the machine as if seated in front of it, while the laptop itself runs no remote-access software and the company's security team sees a managed, authorized device connecting from a residential IP address.
Tracking the Infrastructure
Detecting this activity requires moving beyond host-based indicators. The research demonstrates that this infrastructure can be tracked by correlating NetFlow data with known actor TTPs; North Korean actors show a clear preference for specific VPN providers, most notably Astrill VPN.
By monitoring NetFlow for connections between known North Korean IP ranges and these VPN providers' nodes, and from the providers' exit nodes onward to the services the actors use, the actor's infrastructure can be mapped. The first leg needs carrier- or provider-level flow visibility; an enterprise typically sees only the last hop, an exit node reaching its own services. The process involves:
- Identifying the IP addresses of the job-related services the actors must touch (e.g., Workday, Upwork).
- Correlating those with connections originating from known VPN exit nodes.
- Using BGP routing data to identify the AS paths that lead from that infrastructure back to North Korean address space.
This is where the OWASP Identification and Authentication Failures category becomes relevant, at the organizational rather than the application layer: when a company fails to verify the identity of a remote contractor, it hands over the keys to the kingdom. The threat actor does not need to exploit a vulnerability; they are the authorized user.
Real-World Impact and Pentesting
For a pentester, this scenario changes the scope of an engagement. When testing a client, look for "shadow" remote access tools: during an internal assessment, enumerate remote management software and compare it against the approved list. If you find a machine that is constantly connected to an AnyDesk session, do not assume it is just a lazy sysadmin; it could be a foothold, and the session's remote endpoint is worth resolving.
The impact of this access is severe. Once inside, these actors can perform reconnaissance, exfiltrate sensitive data, or plant backdoors in the software supply chain. The 3CX supply chain attack, attributed to North Korean actors, shows the blast radius: trojanized builds were signed and shipped through 3CX's own update channel. That compromise began with a trojanized third-party installer on an employee's machine rather than a hired insider, but the lesson is the same: an actor with administrative access to the build environment can compromise the product for every customer.
Defensive Strategies
Defending against this requires a shift in how we view "authorized" access. If your organization hires remote contractors, apply a zero-trust approach to their identities as well as their devices.
- Identity Vetting: Verify the person, not just the résumé. Where feasible, require an in-person meeting; otherwise hold a high-fidelity video interview with a live coding task, check identity documents against the person on camera, and confirm the laptop ships only to the address you verified.
- Endpoint Monitoring: Use EDR to detect the installation and execution of unapproved remote management tools (AnyDesk, TeamViewer and the like). If a developer legitimately needs remote access, it should be a corporate-approved, managed instance; anything else is an alert.
- Network Telemetry: Monitor for unusual traffic patterns from developer workstations. A workstation that streams video-sized volumes to the same remote address for hours, even if that address belongs to a known VPN provider, should trigger an immediate investigation. Note what this does and does not catch: a software tool like AnyDesk streams from the laptop's own NIC, but a PiKVM captures the display externally, so its video never crosses the corporate endpoint and shows up, if at all, only as the device being permanently on from one residential address. That gap is why the identity checks above carry as much weight as the telemetry.
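As an added example (not code from the talk or its speaker), the correlation steps listed under Tracking the Infrastructure and the workstation telemetry check above can be run over the same flow export. The script below uses only the standard library; the VPN exit prefixes, service addresses, workstation subnet, thresholds and every flow record are constructed stand-ins, not real Astrill or Workday addresses or captured traffic.

```python
"""Added example: correlate flattened NetFlow records with VPN-exit prefixes.

Two checks run over the same records:
  1. connections to job/HR services that arrive from known VPN exit nodes
  2. long-lived, high-volume streams from developer workstations to VPN exit
     nodes, the shape of an AnyDesk/TeamViewer screen session
Every prefix, service address and flow record is constructed for the example.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed: stand-ins for VPN exit prefixes taken from a threat-intel feed.
VPN_EXIT_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.64/27")]
# Constructed: stand-ins for the company's HR portal and contractor gateway.
JOB_SERVICE_IPS = {"192.0.2.10": "hr-portal", "192.0.2.11": "contractor-gateway"}
# Constructed: the developer workstation subnet.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")


@dataclass(frozen=True)
class Flow:
    start: datetime
    end: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse a CSV export using a subset of nfdump's columns (ts, te, sa, da, dp, ibyt)."""
    return [
        Flow(datetime.fromisoformat(r["ts"]), datetime.fromisoformat(r["te"]),
             r["sa"], r["da"], int(r["dp"]), int(r["ibyt"]))
        for r in csv.DictReader(io.StringIO(text.strip()))
    ]


def in_prefixes(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def vpn_exit_logins(flows):
    """Check 1: which VPN exit nodes reached which job/HR service."""
    hits = {(f.src, JOB_SERVICE_IPS[f.dst]) for f in flows
            if f.dst in JOB_SERVICE_IPS and in_prefixes(f.src, VPN_EXIT_PREFIXES)}
    return sorted(hits)


def persistent_streams(flows, min_seconds=3600, min_bytes_per_sec=50_000):
    """Check 2: exporters cut long sessions into slices at the active timeout,
    so seconds and bytes are summed per (workstation, remote) pair before the
    thresholds apply. Thresholds are assumptions; tune them per environment."""
    agg = defaultdict(lambda: [0.0, 0])  # (src, dst) -> [seconds, bytes]
    for f in flows:
        if ipaddress.ip_address(f.src) in WORKSTATION_NET and in_prefixes(f.dst, VPN_EXIT_PREFIXES):
            agg[(f.src, f.dst)][0] += (f.end - f.start).total_seconds()
            agg[(f.src, f.dst)][1] += f.nbytes
    return [{"src": s, "dst": d, "seconds": secs, "bytes_per_sec": round(nb / secs)}
            for (s, d), (secs, nb) in agg.items()
            if secs >= min_seconds and nb / secs >= min_bytes_per_sec]


def shared_exits(flows):
    """Exit nodes that both touched a job service and receive a workstation stream."""
    return {src for src, _ in vpn_exit_logins(flows)} & {a["dst"] for a in persistent_streams(flows)}


# Constructed records: 198.51.100.23 hits the HR portal, then receives a 60-minute
# stream from 10.20.4.17 that the exporter emitted as twelve 5-minute slices.
SESSION_SLICES = "".join(
    f"2025-06-02T10:{m:02d}:00,2025-06-02T{10 + (m + 5) // 60}:{(m + 5) % 60:02d}:00,"
    "10.20.4.17,198.51.100.23,443,20000000\n" for m in range(0, 60, 5))
SAMPLE_FLOWS = """\
ts,te,sa,da,dp,ibyt
2025-06-02T09:00:00,2025-06-02T09:00:02,198.51.100.23,192.0.2.10,443,18200
2025-06-02T09:00:05,2025-06-02T09:00:06,203.0.113.70,192.0.2.11,443,9400
2025-06-02T09:01:00,2025-06-02T09:01:01,192.0.2.200,192.0.2.10,443,8000
""" + SESSION_SLICES + """\
2025-06-02T10:00:00,2025-06-02T10:05:00,10.20.4.18,198.51.100.40,443,150000
2025-06-02T10:00:00,2025-06-02T11:00:00,10.20.4.19,192.0.2.50,443,300000000
"""

if __name__ == "__main__":
    fl = parse_flows(SAMPLE_FLOWS)
    print("VPN exits reaching job services:", vpn_exit_logins(fl))
    print("Persistent workstation streams:", persistent_streams(fl))
    print("Exits seen in both:", shared_exits(fl))
```

The two benign rows show the false-positive guards: 10.20.4.18 talks to a VPN exit only briefly and at low volume, and 10.20.4.19 streams for an hour but to an address outside the VPN prefixes, so neither is flagged. The intersection in `shared_exits` is the pivot the talk's methodology rests on: one exit node appearing both at the hiring platform and at the contractor's workstation.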
The era of trusting a remote contractor simply because they passed a technical interview is over. These actors are playing the long game, and they are using our own tools against us. As security professionals, we need to start treating the hiring process as a critical part of our threat model. If you are not verifying the physical location and identity of your remote workforce, you are already vulnerable to this type of infiltration. Keep your eyes on the network telemetry and, more importantly, keep your eyes on who you are letting into your environment.