North Korean IT workers threatening Canadian employers

RCMP issues advisory warning about North Koreans 'posing as freelancers to gain access to...systems and data'

Canadian health and safety professionals face a new and evolving threat: North Korean IT workers infiltrating organizations under false pretenses. Authorities warn that these state-affiliated operatives pose risks not only to data security but also to the integrity of critical infrastructure and the safety of employees.

This month, the Royal Canadian Mounted Police (RCMP) and Public Safety Canada issue a joint advisory warning that North Korean IT workers are “posing as remote freelancers to gain access to Canadian companies’ systems and data, often through legitimate hiring platforms.” The advisory highlights that payments to these workers may inadvertently fund North Korea’s weapons programs, including nuclear development.

Matt Immler, regional chief security officer for the Americas at Okta, confirms his firm’s threat intelligence team flagged this issue in May, two months before the RCMP advisory. “One of those that we really started seeing a lot of noise around was this North Korean IT worker issue,” Immler says. “So they kind of deep dove into that to do a threat advisory on it and start warning folks of what they can do and what they can look for to counteract it.”

How North Korean agents infiltrate organizations

Immler explains North Korean actors use advanced generative AI tools to create convincing resumes, cover letters, and even deepfake video interviews. These operatives often avoid video interviews or use digitized appearances.

“A candidate who may prefer not to be on camera during an interview… or if they are on video looking as if they’re maybe a little bit digitized, you know, something along a deep fake line where it’s changing their appearance,” Immler notes. He recommends simple tests, such as asking candidates to hold a hand in front of their face, which can disrupt deepfake technology.

Once hired, these workers may attempt to change the shipping location for company laptops or alter payroll details. “Those last-minute changes are a big red flag,” Immler warns.

Risks for health and safety professionals

While the primary motivation is financial—funding a sanctioned regime—Immler cautions that organizations in the health and safety sector are particularly vulnerable. “These are government systems that may be very well targeted for information of citizens, or government systems that is actually worth something to them in an espionage sort of scenario,” he says.

Stolen data can fuel further attacks, including identity theft and deepfake-enabled scams. “Getting that information, being able to use that even maybe for further deep fake attacks, maybe impersonating those citizens or those folks who are in those systems in order to gain additional employment and leaking those sorts of details. That’s really where the threat lies,” Immler explains.

Red flags and prevention

Immler urges organizations to watch for employees who consistently avoid video meetings or request asynchronous communication. “There’s always a reason they can’t be on camera. There’s always a reason they can’t do something that’s not over, like an asynchronous texting sort of situation,” he says.

Technical checks can also help. “If your security team is looking at where they’re working from, and it’s not from where they said they’d be working from… things like that are kind of on the technical side of what they can see,” Immler adds.
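
The two technical signals mentioned in this article, last-minute changes to laptop shipping or payroll details and sign-ins from somewhere other than the declared work location, can be checked with a short script. This is an added example, not code from the RCMP advisory or Okta; the record layout, field names, 14-day window and 50% threshold are assumptions, and the sample data is constructed.

```python
from datetime import date

# Constructed sample records; field names and values are illustrative assumptions.
WORKERS = {
    "w-101": {"declared_country": "CA", "start": date(2025, 6, 2)},
    "w-102": {"declared_country": "CA", "start": date(2025, 6, 9)},
}
SIGN_INS = [  # (worker, country resolved from source IP by your IdP or geo-IP feed)
    ("w-101", "CA"), ("w-101", "CA"), ("w-101", "CA"),
    ("w-102", "CA"), ("w-102", "NL"), ("w-102", "NL"), ("w-102", "NL"),
]
HR_CHANGES = [  # (worker, field changed, date of change)
    ("w-101", "emergency_contact", date(2025, 6, 20)),
    ("w-102", "laptop_shipping_address", date(2025, 6, 6)),
    ("w-102", "payroll_account", date(2025, 6, 12)),
]

SENSITIVE_FIELDS = {"laptop_shipping_address", "payroll_account"}
CHANGE_WINDOW_DAYS = 14      # assumed: how close to start date counts as "last-minute"
MISMATCH_THRESHOLD = 0.5     # assumed: share of sign-ins outside declared country


def review_flags(workers, sign_ins, hr_changes):
    """Return {worker_id: [reasons]} for workers needing manual review."""
    flags = {}
    for wid, info in workers.items():
        reasons = []
        countries = [c for w, c in sign_ins if w == wid]
        if countries:
            outside = sum(c != info["declared_country"] for c in countries)
            if outside / len(countries) > MISMATCH_THRESHOLD:
                seen = sorted(set(countries) - {info["declared_country"]})
                reasons.append(f"location mismatch: {outside}/{len(countries)} sign-ins from {seen}")
        for w, field, when in hr_changes:
            if w == wid and field in SENSITIVE_FIELDS \
                    and abs((when - info["start"]).days) <= CHANGE_WINDOW_DAYS:
                reasons.append(f"last-minute change: {field} on {when.isoformat()}")
        if reasons:
            flags[wid] = reasons
    return flags


if __name__ == "__main__":
    for wid, reasons in review_flags(WORKERS, SIGN_INS, HR_CHANGES).items():
        print(wid, "->", "; ".join(reasons))
```

Treat the output as a prompt for manual review by HR and security, since VPN use and legitimate travel also produce location mismatches.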

Building a secure workforce

The best defense, Immler stresses, is prevention. “Really the best way is to try to prevent it from the beginning… That really comes down to training for HR, as well as just putting the right sort of checks in place in the hiring process,” he says.

He recommends robust background checks, identity verification services with liveness tests, and in-person onboarding requirements. Immler says new employees at Okta must make an office appearance in the first month of employment. “We will verify that you are who you say you are one way or another.”

The takeaway

For health and safety professionals, the message is clear: vigilance in hiring and identity verification is essential. “It’s very hard once they get in, to get them out… Your best line of defense [is] ensuring that you have the identity of the person ahead of time,” Immler concludes.

As the RCMP advisory and cybersecurity experts warn, proactive measures today can protect your workforce and critical systems from tomorrow’s threats.