Daily Blog #790: Is your new contractor from North Korea?
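The FBI warns that North Korean IT workers gain employment at U.S. companies through fraud, then steal sensitive information or move money back to the North Korean regime. These workers may perform excellently or do the bare minimum, but given the opportunity they will steal secrets and extort their employer. Companies need to be alert to this behavior and review these employees' work and access. 2025-3-28 03:1:0 Author: www.hecfblog.com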

By March 27, 2025

Hello Reader,

You may have seen alerts from the FBI like this


Many of us working investigations have encountered one of these cases in the last year. A company can find out for a number of reasons:

1. The North Korean IT worker VPN drops and exposes a Chinese or North Korean IP

2. Someone appears on camera who does not match the original photos taken

3. You get a reach out from the FBI

4. You notice suspicious activity on a new developer's system

In all of these examples, many times what you'll find is a North Korean citizen who has been asked to generate revenue for their government. Many organizations have even talked about how the North Korean IT worker was a model employee, maybe even one of their best. In other cases I've seen, the North Korean IT worker is just creating busy work and doing the bare minimum, like something out of the overemployed subreddit.

In either case it can become easy to lower your guard towards this incident, especially when their actions appear to be more about gaining income than encrypting your systems. However, if given the opportunity, the same model worker will steal all of your secrets and extort you.

“To prop up its brutal regime, the North Korean government directs IT workers to gain employment through fraud, steal sensitive information from U.S. companies, and siphon money back to the DPRK,” said Deputy Attorney General Lisa Monaco.

So if you find yourself with employees who took work from home to a new level, make sure to carefully review their work, changes and access. You may be lucky like some of my clients and find they were just collecting a paycheck, but you may also find a trail of stolen data or code modifications. 


Article source: https://www.hecfblog.com/2025/03/daily-blog-790-is-your-new-contractor.html