The Things Know What You Did Last Session
This talk demonstrates digital forensic techniques for investigating IoT devices and identifying malicious activity within enterprise environments. The speaker details the process of physical data extraction, chip-off analysis, and network traffic monitoring to detect unauthorized access and insider threats. The presentation emphasizes the importance of maintaining a strict chain of custody and using standardized forensic tools to ensure evidence is admissible in court. Practical examples include identifying North Korean IT workers using remote access tools and detecting time-card fraud through network log analysis.
How North Korean IT Workers Use IoT Devices for Time-Card Fraud
TLDR: North Korean IT workers are using physical IoT devices like the PiKVM to bypass remote work restrictions and commit time-card fraud. By connecting these devices to corporate laptops, they maintain a persistent presence on internal networks while physically operating from abroad. Security teams must monitor for anomalous device connections and multiple concurrent sessions to detect this activity.
Remote work has fundamentally shifted the perimeter, but the threat of the "insider" has evolved into something far more mechanical. We are seeing a surge in North Korean IT workers infiltrating Western firms, not just through social engineering, but by shipping physical hardware to residential "farms" in the US. These workers use remote management tools to maintain a 24/7 presence, effectively turning a corporate laptop into a puppet for a remote operator.
The Mechanics of the Remote Farm
The attack flow is straightforward but effective. A worker is hired remotely, often using a high-quality, fabricated resume. Once onboarded, they receive a corporate laptop. Instead of using it, they ship it to a domestic accomplice or a residential proxy in the US. The laptop is then connected to a PiKVM, which allows the remote operator to interact with the machine as if they were sitting in front of it.
This setup bypasses standard endpoint security controls that rely on geolocation or IP reputation. Because the traffic originates from a residential US IP, it looks like a standard remote employee. The PiKVM provides full KVM-over-IP access, enabling the operator to handle everything from BIOS-level configuration to daily tasks.
Detecting the Anomaly
For a pentester or an internal red teamer, the key is identifying the "smell" of a remote farm. These setups leave distinct traces in your telemetry.
First, look for device-level anomalies. If you are using Splunk or a similar SIEM to ingest endpoint logs, look for multiple devices associated with a single user account. A legitimate employee might have a phone and a laptop. A North Korean IT worker, managing multiple personas or roles, will often have a cluster of devices—multiple iPhones, Androids, and even Linux-based emulators—all hitting the same internal resources.
Second, analyze your authentication patterns (OWASP A07:2021 – Identification and Authentication Failures). These workers often use VoIP numbers for 2FA. If your logs show a user consistently authenticating from a residential IP while the 2FA device sits in a known VoIP number range, that is a red flag.
Third, look at the physical hardware connections. If you have access to endpoint USB logs, you might see a constant stream of HID (Human Interface Device) activity that doesn't match a standard user's typing cadence. The PiKVM acts as a keyboard and mouse, and its input patterns can sometimes be distinguished from human behavior.
The Forensic Reality
When you suspect a compromised machine, do not just wipe it. You need to perform a proper forensic acquisition. If you have the device, use tools like Magnet AXIOM or Autopsy to analyze the file system.
The goal is to find evidence of the remote management software. Look for artifacts related to the PiKVM or other remote access tools. If you find a PiKVM, you have the smoking gun. The device itself is a treasure trove of network configuration data. You can often pull the Wi-Fi logs to see the SSID and the MAC addresses of the local network, which can help you map out the physical location of the "farm."
Defensive Hardening
Defenders need to move beyond simple IP-based access control. If your organization allows remote work, you should implement strict device posture checks. Use EDR solutions to detect the presence of unauthorized remote management software.
Furthermore, implement hardware-based 2FA that cannot be easily proxied. If a user is logging in from a new location, require a physical security key. If you see a user account that is active 24/7, or one that shows activity from multiple distinct device fingerprints, trigger an immediate investigation.
The most effective way to stop this is to make the cost of the operation higher than the reward. If you require physical presence for sensitive tasks or use hardware-attestation for your endpoints, you force the attacker to move to a more complex, and therefore more detectable, setup.
What to Do Next
If you are conducting an engagement, start by looking at your client's remote access logs. Are there users who never seem to sleep? Are there accounts with an impossible number of associated devices? If you find these, pivot to the endpoint logs. Look for the tell-tale signs of KVM-over-IP hardware.
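The three signals called out under "Detecting the Anomaly" (device clusters per account, VoIP-backed 2FA, machine-like HID cadence) and the triggers repeated under "Defensive Hardening" and here (accounts that never sleep, an impossible number of device fingerprints) reduce to a handful of aggregations over authentication telemetry. The script below is an added example, not material from the talk or any vendor's product: it runs those checks over a constructed log format of my own (`<timestamp> <user> <device_id> <src_ip> <mfa_number>`), with constructed user names, RFC 5737 test addresses, constructed phone numbers, a placeholder VoIP prefix list standing in for a real carrier-type lookup, and thresholds chosen for illustration rather than taken from any baseline.

```python
"""Added example (not from the talk): SIEM-style checks for the remote-farm
signals described in the text, run over constructed authentication log lines.

Constructed record format: "<ISO-8601 ts> <user> <device_id> <src_ip> <mfa_number>"
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed placeholder. In production the "is this a VoIP number" answer
# comes from a carrier / number-intelligence lookup, not a static prefix list.
VOIP_PREFIXES = {"+1500555"}

DEVICE_CLUSTER_THRESHOLD = 4   # distinct device fingerprints per user (illustrative)
ROUND_THE_CLOCK_HOURS = 20     # distinct active hours of day per user (illustrative)


def parse_auth_log(text):
    """Parse the constructed log format into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, device, src_ip, mfa = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "device": device, "src_ip": src_ip, "mfa": mfa,
        })
    return records


def devices_per_user(records):
    """Distinct device fingerprints seen per account (the 'five iPhones' signal)."""
    devs = defaultdict(set)
    for r in records:
        devs[r["user"]].add(r["device"])
    return devs


def active_hours_per_user(records):
    """Distinct hours of the day in which each account authenticated."""
    hours = defaultdict(set)
    for r in records:
        hours[r["user"]].add(r["ts"].hour)
    return hours


def is_voip(number, prefixes=VOIP_PREFIXES):
    return any(number.startswith(p) for p in prefixes)


def triage(text):
    """Return {user: [reasons]} for every account matching at least one signal."""
    records = parse_auth_log(text)
    devs = devices_per_user(records)
    hours = active_hours_per_user(records)
    voip_users = {r["user"] for r in records if is_voip(r["mfa"])}
    findings = defaultdict(list)
    for user in sorted(devs):
        if len(devs[user]) >= DEVICE_CLUSTER_THRESHOLD:
            findings[user].append("device-cluster")
        if len(hours[user]) >= ROUND_THE_CLOCK_HOURS:
            findings[user].append("round-the-clock")
        if user in voip_users:
            findings[user].append("voip-mfa")
    return dict(findings)


def machine_like_cadence(intervals_ms, max_cv=0.05):
    """HID-cadence heuristic: near-constant inter-keystroke intervals (a low
    coefficient of variation) suggest scripted input rather than a human typist.
    The threshold is constructed; treat a hit as a lead to pivot on, not proof."""
    if len(intervals_ms) < 2 or mean(intervals_ms) == 0:
        return False
    return pstdev(intervals_ms) / mean(intervals_ms) <= max_cv


def constructed_sample():
    """Two constructed accounts: a business-hours employee and a farm-like persona."""
    lines = []
    for h in range(9, 18):  # alice: one laptop, one phone, 09:00-17:00 only
        lines.append(f"2024-05-01T{h:02d}:05:00Z alice lap-01 198.51.100.10 +12125550199")
    lines.append("2024-05-01T12:30:00Z alice iph-01 198.51.100.10 +12125550199")
    devices = ["iph-01", "iph-02", "iph-03", "and-01", "emu-01"]  # mallory: five devices
    for h in range(24):  # ... active in every hour, 2FA on the placeholder VoIP prefix
        lines.append(f"2024-05-01T{h:02d}:{(h * 7) % 60:02d}:00Z mallory "
                     f"{devices[h % len(devices)]} 203.0.113.5 +15005550123")
    return "\n".join(lines)


if __name__ == "__main__":
    for user, reasons in triage(constructed_sample()).items():
        print(user, ", ".join(reasons))
```

Each finding is a reason to pivot to endpoint and USB logs rather than a verdict on its own; the thresholds should be tuned against your own baseline of legitimate device counts and working hours before any of this drives an alert.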
The "Things" know what you did last session, and if you are not looking at your logs with a forensic mindset, you are missing the most critical part of the story. Stop looking for the "cyber threat actor" and start looking for the physical hardware that makes their presence possible. The next time you see a user with five iPhones and a Linux emulator, don't just flag it as a configuration error. You might be looking at the front door of a remote farm.