
How North Korea Is Infiltrating U.S. Tech Companies Through Hidden Employees

By Martin Holloway. Published 7 days ago. 7 min read.
North Korean state-backed operators are running a distinctive operation: placing workers inside American technology companies under fake identities, then funneling their salaries and access back to Pyongyang. This finding sits at the center of CrowdStrike's 2024 Threat Hunting Report, published on 20 August 2024, which draws on threat activity observed across CrowdStrike's Falcon platform.

The report covers multiple attack strategies: how nation-states are operating, the ways they target cloud systems and move between networks, and how they misuse legitimate tools and stolen credentials. Together, these patterns show adversaries moving away from breaking in through brute force and instead focusing on staying inside by looking legitimate.

The Famous Chollima Insider Threat

CrowdStrike tracks the North Korean group running this insider operation under the name Famous Chollima. Their approach is unusual compared to most state-sponsored hacking groups. Instead of hacking into a company's network from outside, Famous Chollima operatives get hired as contractors or full-time employees. They use fake or stolen identities to get past background checks, then leverage the legitimate access and paychecks they earn to serve North Korean interests.

The weakness this exploits is straightforward: most companies monitor employees for signs of data theft or disgruntlement, but they rarely expect a foreign government to run a coordinated hiring scheme. Background checks, identity verification documents, and technical interviews — the usual gatekeepers — have all proven vulnerable to Famous Chollima's approach.

The risk is particularly acute for technology firms. A software engineer or infrastructure specialist who is actually a state-aligned operative holds legitimate access to production systems, code repositories, and customer data, and that access looks normal from the company's perspective. Traditional security monitoring (watching for unusual network traffic, for instance) will rarely catch them. Detection hinges almost entirely on behavioral analysis and cross-checking identity signals: the company has to spot something "off" rather than catching obvious hacking activity.

Cloud and Cross-Domain Attacks

Beyond the insider threat, the 2024 report highlights cloud and cross-domain attacks as a standard tactic used by sophisticated adversaries today, not an emerging novelty.

Here's how these attacks work: an adversary gets initial access to one system, perhaps an infected computer or a phished email login. From there, they move laterally across boundaries. They might pivot from an employee's laptop into the company's cloud services (AWS or Azure, say), then into identity management systems, then into business software such as Salesforce or Microsoft 365 (formerly Office 365). The structural problem is that each of these domains is usually monitored by a different security tool. A security team watching employee computers might not see the cloud activity happening at the same time, which creates blind spots at exactly the places where attackers pivot.

This problem has existed for years. What the 2024 report shows is that sophisticated adversaries have now practiced this extensively — moving between domains is now a rehearsed part of their attack plan, not an improvised step.

Hijacked Credentials and Remote Management Tools

The report also flags credential abuse and misuse of remote management tools as persistent threats. Neither is particularly new, but their continued prominence in 2024 is noteworthy.

Remote management tools (products like AnyDesk, TeamViewer, or ConnectWise ScreenConnect) are legitimate software used by IT departments to support computers and users remotely. They're installed widely and can maintain active sessions without triggering many security alerts. When adversaries deploy or compromise one of these tools, they gain the kind of access an IT help-desk would have, while most security monitoring systems treat them as routine IT activity.

Credential abuse means attackers have obtained valid usernames and passwords — either by stealing them, buying them from criminal markets, or guessing them. When someone logs in with a real credential, there's no exploit, no malicious code, no telltale network signature. The only hints are timing (logging in at odd hours), unusual patterns (accessing files the person normally wouldn't), or anomalies in the identity system. Many organizations still have significant blind spots in these areas.

An Old Pattern in New Clothes

This echoes a shift from the early 2010s. Back then, security teams chased malware signatures while nation-state groups quietly moved toward using legitimate system tools — PowerShell, Windows Management Instrumentation (WMI), and built-in Windows utilities — to do their work after breaking in. These tools left no malware for signature engines to detect. The security industry adapted by learning to spot unusual behavior instead of unusual code. Today, the same strategy is being applied to a much larger landscape: RMM tools, cloud services, identity systems, and remote work infrastructure.

Attackers are once again hiding in the noise of normal operations. Defenders need to catch them by watching how normal operations actually look.

What Organizations Should Do

The Famous Chollima insider threat means technology companies need to take identity verification seriously at hiring time — and keep checking it afterward. For companies with remote or contract workers, this means bridging the gap between what HR knows about someone and what security monitoring can actually see. Contractor devices should be monitored just like employee machines. Access should follow the principle of least privilege (giving people only the access they truly need), even for roles that seem to need broad access. Teams should build a baseline of normal behavior when someone starts, then flag deviations.
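What "build a baseline, then flag deviations" looks like in practice, and how it surfaces the credential-abuse hints named earlier (odd hours, unfamiliar network, unfamiliar resources, two countries too close together in time), as an added example that is not code from the CrowdStrike report or from this article. The sign-in schema, the users, timestamps, ASNs, the baseline cutoff and the thresholds are all constructed for illustration; a real deployment would normalize these records from an identity provider's sign-in log.

```python
"""Baseline-then-deviation check over identity sign-in events.

Added example, not code from the CrowdStrike report or from the article.
Field names, users, timestamps, ASNs and thresholds are constructed or assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sign-in records in one flat schema; nothing here is real telemetry.
SIGNINS = [
    # Training window: jdoe works roughly 13:00-16:00 UTC from one US ISP (ASN 7922)
    # and touches the code host and the wiki.
    {"user": "jdoe", "ts": "2024-07-01T14:05:00Z", "country": "US", "asn": 7922, "resource": "git"},
    {"user": "jdoe", "ts": "2024-07-02T13:40:00Z", "country": "US", "asn": 7922, "resource": "wiki"},
    {"user": "jdoe", "ts": "2024-07-03T15:10:00Z", "country": "US", "asn": 7922, "resource": "git"},
    {"user": "jdoe", "ts": "2024-07-04T14:30:00Z", "country": "US", "asn": 7922, "resource": "git"},
    {"user": "jdoe", "ts": "2024-07-05T16:00:00Z", "country": "US", "asn": 7922, "resource": "wiki"},
    # Evaluation window: two normal sign-ins, then the same valid credential used at
    # 03:12 from a hosting ASN against the production database, followed 48 minutes
    # later by a sign-in from another country.
    {"user": "jdoe", "ts": "2024-07-15T14:20:00Z", "country": "US", "asn": 7922, "resource": "git"},
    {"user": "jdoe", "ts": "2024-07-15T15:05:00Z", "country": "US", "asn": 7922, "resource": "git"},
    {"user": "jdoe", "ts": "2024-07-16T03:12:00Z", "country": "US", "asn": 20473, "resource": "prod-db"},
    {"user": "jdoe", "ts": "2024-07-16T04:00:00Z", "country": "CN", "asn": 4134, "resource": "git"},
    # A contractor whose first sign-in falls inside the evaluation window: no baseline yet.
    {"user": "contractor-17", "ts": "2024-07-16T09:00:00Z", "country": "US", "asn": 7922, "resource": "git"},
]

EVAL_START = datetime(2024, 7, 10, tzinfo=timezone.utc)  # baseline = everything before this
HOUR_SLACK = 1                        # tolerance (hours) around observed working hours
TRAVEL_WINDOW = timedelta(hours=4)    # two countries closer than this = impossible travel


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events, cutoff):
    """Per-user profile of hours, countries, ASNs and resources seen before cutoff."""
    profiles = defaultdict(lambda: {"hours": set(), "countries": set(), "asns": set(), "resources": set()})
    for e in events:
        ts = parse_ts(e["ts"])
        if ts >= cutoff:
            continue
        p = profiles[e["user"]]
        p["hours"].add(ts.hour)
        p["countries"].add(e["country"])
        p["asns"].add(e["asn"])
        p["resources"].add(e["resource"])
    return dict(profiles)


def hour_is_usual(hour, usual_hours):
    # Circular distance so that 23:00 and 00:00 count as neighbours.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= HOUR_SLACK for h in usual_hours)


def deviations(event, profile, previous):
    """Reasons this event departs from the user's baseline (empty list = normal)."""
    ts = parse_ts(event["ts"])
    reasons = []
    if not hour_is_usual(ts.hour, profile["hours"]):
        reasons.append("off-hours")
    if event["country"] not in profile["countries"]:
        reasons.append("new-country")
    if event["asn"] not in profile["asns"]:
        reasons.append("new-asn")
    if event["resource"] not in profile["resources"]:
        reasons.append("new-resource")
    if previous and previous["country"] != event["country"] \
            and ts - parse_ts(previous["ts"]) < TRAVEL_WINDOW:
        reasons.append("impossible-travel")
    return reasons


def detect(events, cutoff):
    """Score every event at or after cutoff against the baseline built before it."""
    profiles = build_baseline(events, cutoff)
    last_seen = {}        # user -> most recent event, for the travel check
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):   # ISO-8601 strings sort chronologically
        if parse_ts(e["ts"]) >= cutoff:
            profile = profiles.get(e["user"])
            if profile is None:
                reasons = ["no-baseline"]   # new account: review it, don't silently trust it
            else:
                reasons = deviations(e, profile, last_seen.get(e["user"]))
            if reasons:
                findings.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})
        last_seen[e["user"]] = e
    return findings


if __name__ == "__main__":
    for f in detect(SIGNINS, EVAL_START):
        print(f["ts"], f["user"], ", ".join(f["reasons"]))
```

The point of the `no-baseline` result is the hiring-time gap the paragraph describes: a brand-new contractor account has no behavior to compare against, so the first weeks of activity need human review rather than automated trust. Thresholds such as a one-hour slack and a four-hour travel window are deliberately crude; in production they would be tuned per role and combined with device and session signals.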

For cloud and cross-domain attacks, the solution involves connecting the dots across different security tools. Many organizations collect all the necessary data; the gap is in connecting endpoint alerts, identity system alerts, and cloud alerts into a single view. That unified picture makes anomalies visible.

Remote management tools need governance. Organizations should maintain a clear list of which tools are approved, where they're installed, and how they're protected. Tools installed outside the official IT catalog should be treated as a serious security incident.
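One way to connect the dots across endpoint, identity and cloud alerts (the unified view called for two paragraphs up) while also enforcing the RMM allowlist just described, as an added example that is not code from the CrowdStrike report or from this article. The three log schemas, hostnames, users, bucket path, the RMM policy and the list of sensitive cloud actions are constructed or assumed; only the RMM binary names refer to real products. Each source is normalized onto one event shape keyed by user, signals from each domain are clustered in time, and only a cluster that spans two or more domains is reported, so a lone no-MFA sign-in or an approved RMM tool on a help-desk jump host does not fire on its own.

```python
"""Cross-domain correlation of endpoint, identity and cloud telemetry, with an
RMM allowlist check as the endpoint signal. Added example; schemas, hosts,
users, policy and the sensitive-action list are constructed or assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed RMM governance policy: binaries recognised as RMM clients, and the
# hosts each approved tool may run on. Anything else is a violation.
RMM_BINARIES = {"AnyDesk.exe", "TeamViewer.exe", "ScreenConnect.ClientService.exe"}
APPROVED_RMM = {"ScreenConnect.ClientService.exe": {"it-jump01", "it-jump02"}}

# Assumed list of cloud API actions worth a signal on their own.
SENSITIVE_ACTIONS = {"iam:CreateAccessKey", "iam:AttachUserPolicy", "s3:GetObject"}

# Constructed samples from three separately collected sources (EDR, IdP, cloud audit log).
ENDPOINT_LOG = [
    {"ts": "2024-07-16T10:00:00Z", "host": "lt-jdoe", "user": "jdoe", "image": "AnyDesk.exe"},
    {"ts": "2024-07-16T10:05:00Z", "host": "it-jump01", "user": "svc-helpdesk", "image": "ScreenConnect.ClientService.exe"},
    {"ts": "2024-07-16T10:07:00Z", "host": "lt-asmith", "user": "asmith", "image": "chrome.exe"},
]
IDENTITY_LOG = [
    {"ts": "2024-07-16T09:00:00Z", "user": "asmith", "event": "signin", "mfa": False},
    {"ts": "2024-07-16T10:20:00Z", "user": "jdoe", "event": "token_issued", "app": "aws-console"},
]
CLOUD_LOG = [
    {"ts": "2024-07-16T10:35:00Z", "principal": "jdoe", "action": "iam:CreateAccessKey", "target": "jdoe"},
    {"ts": "2024-07-16T10:50:00Z", "principal": "jdoe", "action": "s3:GetObject", "target": "customer-exports/2024-q2.csv"},
    {"ts": "2024-07-16T11:00:00Z", "principal": "svc-helpdesk", "action": "ec2:DescribeInstances", "target": "*"},
]

CHAIN_WINDOW = timedelta(hours=2)   # max gap between consecutive signals in one chain


@dataclass
class Event:
    ts: datetime
    domain: str              # "endpoint" | "identity" | "cloud"
    user: str                # the join key shared by all three sources
    signal: Optional[str]    # None when the event is unremarkable on its own
    detail: str


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rmm_violation(host, image):
    """RMM governance check: None if the process is fine, else the violation type."""
    if image not in RMM_BINARIES:
        return None
    allowed_hosts = APPROVED_RMM.get(image)
    if allowed_hosts is None:
        return "unapproved-rmm"              # tool is not in the catalog at all
    if host not in allowed_hosts:
        return "rmm-on-unauthorized-host"    # approved tool, wrong machine
    return None


def normalize(endpoint, identity, cloud):
    """Map the three schemas onto one Event shape keyed by user."""
    events = []
    for r in endpoint:
        events.append(Event(parse_ts(r["ts"]), "endpoint", r["user"],
                            rmm_violation(r["host"], r["image"]), f'{r["image"]} on {r["host"]}'))
    for r in identity:
        if r["event"] == "signin" and not r.get("mfa", True):
            signal = "signin-without-mfa"
        elif r["event"] == "token_issued":
            signal = "cloud-token"    # weak alone; only matters inside a chain
        else:
            signal = None
        events.append(Event(parse_ts(r["ts"]), "identity", r["user"], signal, r["event"]))
    for r in cloud:
        signal = r["action"] if r["action"] in SENSITIVE_ACTIONS else None
        events.append(Event(parse_ts(r["ts"]), "cloud", r["principal"], signal,
                            f'{r["action"]} {r["target"]}'))
    return events


def correlate(events, window=CHAIN_WINDOW):
    """Cluster each user's signals in time; report clusters that span 2+ domains."""
    per_user = defaultdict(list)
    for e in events:
        if e.signal:
            per_user[e.user].append(e)
    findings = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e.ts)
        clusters = []
        for e in evs:   # gap-based clustering: a new cluster starts after a quiet gap > window
            if clusters and e.ts - clusters[-1][-1].ts <= window:
                clusters[-1].append(e)
            else:
                clusters.append([e])
        for c in clusters:
            domains = list(dict.fromkeys(e.domain for e in c))   # ordered, de-duplicated
            if len(domains) >= 2:
                findings.append({"user": user, "domains": domains,
                                 "signals": [e.signal for e in c],
                                 "span_minutes": int((c[-1].ts - c[0].ts).total_seconds() // 60)})
    return findings


if __name__ == "__main__":
    for f in correlate(normalize(ENDPOINT_LOG, IDENTITY_LOG, CLOUD_LOG)):
        print(f)
```

On the constructed sample the only chain is `jdoe`: an unapproved RMM client on the laptop, a console token twenty minutes later, then an access-key creation and a pull from a customer export bucket, all inside fifty minutes. Each of those events, viewed by the tool that collected it, is routine IT activity; the sequence across domains is what gives it away. The join key here is the username, which assumes endpoint, identity and cloud logs agree on it; in real environments the first engineering task is usually building that mapping (cloud role ARN to IdP principal to local account).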

The Bigger Picture

CrowdStrike's report draws from actual observed threats rather than predictions, which gives its findings real weight.

The combination of state-level intent, off-the-shelf tools, and ordinary employment processes isn't a short-term problem. It's a structural feature of the current threat landscape — and it exploits the same openness and flexibility that make modern technology companies productive. Defending against it requires security programs that reach back into hiring and identity management, not just forward into network monitoring.

The technology to do this exists today. The real question is whether organizations will commit the resources and priority to match the threat.