North Korea Is Hiring Workers at U.S. Tech Companies to Steal Money and Data

North Korean government agents are getting hired at American technology companies using fake identities. Once they're employed, they send their paychecks back to North Korea and use their access to steal company data and secrets. CrowdStrike, a major cybersecurity firm, revealed this in their 2024 Threat Hunting Report, published on August 20, 2024.
This is not the only threat described in the report. It covers how government-backed hackers from multiple countries have shifted their strategy: instead of breaking in from the outside, they now focus on staying hidden once they're already inside a system — often by using tools and credentials that look completely normal.
How North Korea Gets Inside
CrowdStrike tracks this North Korean group under the name Famous Chollima. Their operation is unusual compared to most hacking groups. Rather than sneaking through digital doors, they apply for real jobs.
These operatives use fake or stolen identities to pass background checks and hiring interviews at tech companies. Once hired, they gain access to computer systems, source code, and customer information — all while appearing to be normal employees.
Most companies' insider-threat programs watch for employees who steal data out of anger or greed. Few are set up to catch a foreign government running a hiring scheme. Background checks, identity verification paperwork, and job interviews — all the standard hiring processes — can be fooled by operatives working at this level.
The risk is particularly sharp for technology companies. A software engineer who is secretly working for North Korea has legitimate access to production systems, code repositories, and customer data. When they work during normal business hours, their activity looks completely routine to computer monitoring systems. Detection depends almost entirely on spotting unusual behaviour patterns or identity inconsistencies — not on catching suspicious network activity.
Attacks That Jump Across Systems
The CrowdStrike report identifies another trend: attackers are becoming skilled at moving laterally across different systems and networks that are normally kept separate.
Here's how it works: an attacker might gain entry through one weak point — say, a compromised employee account or a phishing email. From there, they jump into other systems — cloud services like Amazon Web Services or Microsoft Azure, identity management tools, or business applications. The problem is that most large organisations monitor each of these domains separately with different tools. When an attacker crosses from one monitored zone to another, there's often a blind spot where no one is watching.
This has been a known vulnerability for years. What the 2024 report shows is that major hacking groups have now made this crossing-the-gap technique a standard part of their playbook. It is no longer a move they improvise — it is a rehearsed step.
Remote-Access Tools and Stolen Passwords
The report also highlights two persistent methods: misuse of remote-access tools and abuse of stolen or guessed passwords.
Remote-access tools like TeamViewer, AnyDesk, and ConnectWise ScreenConnect are legitimate software that IT departments use to help employees troubleshoot problems from a distance. They are widely installed and can establish a live connection to a computer without triggering alarms. If an attacker can install or hijack one of these tools, they can operate the target system while their activity looks like routine IT support.
Stolen or guessed passwords work similarly. When an attacker logs in with a real username and password, there is no malware signature, no suspicious file, no unusual network traffic to flag. The detection system has to rely on spotting odd login times, unusual access patterns, or other identity-layer clues — areas where many organisations have weak monitoring.
A Pattern That Repeats
This convergence of tactics — using legitimate tools, relying on real credentials, staying hidden in normal activity — is not new to cybersecurity. Around 2010, the industry was focused on catching malware by looking for suspicious code. Attackers, particularly government groups, instead started using built-in Windows tools like PowerShell and WMI to do their work. They produced no new malware signatures for defenders to catch. The security industry eventually adapted by learning to spot unusual behaviour instead of just looking for malicious code.
What is happening now follows the same logic. Attackers are hiding in the normal noise of a larger, more distributed attack surface — spanning remote hiring, cloud systems, and legitimate software tools. The security industry will adapt again, but it takes time.
What Companies Need to Do
Technology companies need to treat their hiring and identity-verification processes as genuine security measures, not just paperwork. For companies that hire remote workers or contractors, this means bringing tighter identity checks into the security team's view, not just the HR department's. Contractor devices should have the same monitoring as employee devices. Access to systems should follow the principle of least privilege — give people only what they need to do their job. And a behavioural baseline should be established for each person when they are hired and then monitored continuously.
For attacks that jump across cloud services and on-premises systems, organisations need to build detection systems that correlate signals from all these sources — endpoints, identity systems, and cloud platforms — into a single picture. Many companies have the raw data to do this; the gap is often in connecting the dots and ensuring analysts can act on what they find.
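As an added illustration of the single-picture correlation described above (example code written for this page, not from the report or from CrowdStrike), the following Python sketch scores identity-provider logins against a per-user behavioural baseline and then links an anomalous login to cloud or endpoint activity by the same account within a short window. The baselines, events, user names and source labels are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-user baselines (hypothetical, not from the report): usual working
# hours in UTC and countries the user has logged in from before.
BASELINES = {
    "jdoe": {"hours": range(13, 23), "countries": {"US"}},
    "asmith": {"hours": range(8, 18), "countries": {"US", "CA"}},
}
# Constructed events from three separately monitored sources (identity provider,
# cloud platform, endpoint), normalised to (timestamp, source, user, detail).
EVENTS = [
    ("2024-08-20T14:05:00", "idp", "jdoe", {"country": "US"}),
    ("2024-08-20T03:10:00", "idp", "jdoe", {"country": "RU"}),
    ("2024-08-20T03:12:00", "cloud", "jdoe", {"action": "iam:CreateAccessKey"}),
    ("2024-08-20T03:20:00", "endpoint", "jdoe", {"process": "anydesk.exe"}),
    ("2024-08-20T09:00:00", "idp", "asmith", {"country": "CA"}),
]
def identity_anomalies(events, baselines):
    """Identity-layer clues: logins outside the user's usual hours or countries."""
    flagged = []
    for ts, source, user, detail in events:
        if source != "idp" or user not in baselines:
            continue
        base, when = baselines[user], datetime.fromisoformat(ts)
        reasons = []
        if when.hour not in base["hours"]:
            reasons.append("off-hours login")
        if detail.get("country") not in base["countries"]:
            reasons.append("new country %s" % detail.get("country"))
        if reasons:
            flagged.append((ts, user, reasons))
    return flagged
def correlate(events, baselines, window_minutes=30):
    """One picture per user: an anomalous login followed, within the window, by
    activity from a different monitored source (cloud or endpoint)."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[2]].append(ev)
    incidents = []
    for ts, user, reasons in identity_anomalies(events, baselines):
        start = datetime.fromisoformat(ts)
        sources = {s for t, s, _, _ in by_user[user]
                   if s != "idp" and start <= datetime.fromisoformat(t) <= start + window}
        if sources:
            incidents.append({"user": user, "login": ts, "reasons": reasons,
                              "followed_by": sorted(sources)})
    return incidents
```

Run on the constructed data, the 14:05 login passes both checks while the 03:10 login is flagged twice and is then tied to the cloud and endpoint events that follow it, which is the cross-source picture a single-domain tool would never assemble.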
For remote-access tools, companies should maintain a clear list of which tools are approved, which computers have them installed, and who can use them. Unapproved remote-access tools installed by employees — or by attackers — should be treated with the same seriousness as any other breach attempt.
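An added example of the approved-tool inventory check described above (written for this page, not code from the report or from any of the vendors named): a Python audit that compares endpoint process observations against a constructed approval policy and reports tools that are unapproved outright, installed on a host outside the policy, or run by an account not cleared to use them. The executable-name mapping, host names and accounts are constructed assumptions.

```python
# Constructed approval policy (hypothetical): which remote-access tools are sanctioned,
# on which hosts they may be present, and which accounts may run them.
APPROVED = {
    "screenconnect": {"hosts": {"helpdesk-01", "helpdesk-02"}, "users": {"it-support"}},
}
# Constructed mapping of executable names seen in endpoint telemetry to the products
# named on the page; extend it with whatever your telemetry actually reports.
TOOL_BINARIES = {
    "teamviewer.exe": "teamviewer",
    "anydesk.exe": "anydesk",
    "screenconnect.clientservice.exe": "screenconnect",
}
# Constructed endpoint inventory records: (host, user, running executable).
INVENTORY = [
    ("helpdesk-01", "it-support", "screenconnect.clientservice.exe"),
    ("dev-laptop-17", "jdoe", "anydesk.exe"),
    ("build-server-3", "svc-ci", "ScreenConnect.ClientService.exe"),
    ("helpdesk-02", "contractor-9", "screenconnect.clientservice.exe"),
    ("dev-laptop-17", "jdoe", "code.exe"),
]

def audit_remote_access(inventory, approved, binaries):
    """Return one finding per remote-access tool observation that violates policy.
    Checks run in order of severity: a tool not on the list at all, then a listed
    tool on a host outside the policy, then a listed tool run by an uncleared user."""
    findings = []
    for host, user, exe in inventory:
        tool = binaries.get(exe.lower())  # case-insensitive match on the binary name
        if tool is None:
            continue  # not a remote-access tool this policy tracks
        policy = approved.get(tool)
        if policy is None:
            findings.append((host, user, tool, "unapproved_tool"))
        elif host not in policy["hosts"]:
            findings.append((host, user, tool, "unapproved_host"))
        elif user not in policy["users"]:
            findings.append((host, user, tool, "unapproved_user"))
    return findings
```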
The Larger Picture
The CrowdStrike report draws on real threats observed through their security monitoring service, not hypothetical scenarios. This gives the findings genuine weight.
The combination of government hacking ambitions with commercially available tools and public hiring systems is not a temporary problem. It is a permanent feature of the modern threat landscape. It exploits the same open, distributed, cloud-connected ways of working and hiring that make technology companies productive. Defending against it requires security thinking that extends upstream into hiring and identity management — not just downstream into network and system monitoring.
The technology to defend well exists. The question is whether companies are willing to fund and prioritise it.