AI-Powered Cloud Security: Defending Cloud Workloads from Next-Gen Cyber Threats

OVERVIEW

Various threat actors, particularly those associated with the North Korean government, are actively pursuing insider access to Western companies by acquiring remote work positions, especially in the information technology (IT) sector. These remote employment fraud (REF) operations (also known as “fraudulent remote IT work”, “remote work scams”, and “IT worker fraud”) are typically meant to generate revenue for either individuals or their governments; they can also be used to facilitate initial access for network intrusions or intellectual property theft.

Detailed analysis of malicious activity has enabled our team to reconstruct a three-phase model of how REF operations are run and identify behavioral and technical detection opportunities to interdict threat actors throughout their operational lifecycle. The three operational phases of “Pre-Hire”, “Hiring and Onboarding”, and “Immediate Post-Hire” each present opportunities for multiple business units to contribute to disrupting threat actors’ efforts to acquire remote work roles. Given the fundamental nature of REF as a threat and a strategy, early behavioral detection is the first and best line of defense, although technical indicators are also vital when countering particularly skilled adversaries.

Because the challenges associated with REF are more akin to those of insider threats than to those of network intrusion activity, the way they present through REF raises significant social and legal challenges. This underscores how critical cross-functional collaboration between security teams, talent acquisition specialists, and line hiring managers is in countering innovations in REF tradecraft.

Presented By

Blue Team Con Logo - blue background with white logo

ALEX ORLEANS

Principal Threat Intelligence Analyst, Splunk (a Cisco company)

JONATHAN HECKINGER

Director, Threat Detection, Splunk (a Cisco company)