Canadian businesses face a growing threat from North Korean IT workers who are using sophisticated deception tactics, including AI-powered deepfakes, to secure remote positions and gain access to corporate systems and sensitive data.
A multi-agency advisory issued last week by the RCMP, Public Safety Canada, and other federal departments warns that state-affiliated workers from North Korea are posing as legitimate freelancers to infiltrate Canadian companies across multiple sectors, potentially exposing organizations to corporate espionage, data theft, and sanctions violations.
The advisory states that employing these individuals could result in legal consequences under Canadian sanctions, expose organizations to data theft and corporate espionage, and indirectly contribute to North Korea’s weapons of mass destruction and ballistic missile programs.
Real-time deepfake technology creates new hiring challenges
The threat has evolved beyond traditional identity fraud. North Korean actors are now using real-time deepfake technology during video interviews to mask their true identities and locations, according to cybersecurity experts.
“It’s not so much that they’re not real, but the person is using deepfake AI to do real-time translation of their face or image to look like something else,” said Orlando, Fla.-based Matt Immler, Regional Chief Security Officer at Okta, a cybersecurity firm, in an exclusive interview with HR News Canada.
The technology can alter appearance to look more appealing to interviewers or appear as a different nationality, Immler said. However, there are ways to detect these deceptions during the hiring process.
“If you ask a candidate, you know, hold your hand up in front of your face, or run, you know, for instance, a pencil across your face and it starts doing weird things, or that, or the image starts fading. It’s because you’re blocking those anchor points and it can no longer create the image effectively,” Immler said.
Financial motivation drives widespread targeting
The primary driver behind these infiltration attempts is financial, making any organization a potential target regardless of location or industry.
“The threat is real for pretty much any organization, regardless of whether or not it’s Canada or any other country… is money,” Immler said.
North Korean IT workers typically offer services including mobile and web application development, gaming and online gambling platforms, general IT support, graphic animation, database development, and hardware and firmware development.
Beyond financial gain, these workers may also engage in espionage activities, particularly when targeting government organizations or companies with access to sensitive information.
Red flags during the hiring process
HR professionals should watch for several warning signs when screening remote IT candidates, Immler said. The most significant red flag is an unwillingness to participate in face-to-face interviews or video calls.
“If they prefer text-based communication or Slack, chat, messaging or email versus Zoom or Teams interviews, they typically make excuses like bad internet connection or something that would prevent them from being on camera, especially if it happens more than once,” he said.
Other warning signs include last-minute changes to personal details such as shipping addresses for company equipment or banking information for payroll, and inconsistencies in background information compared to what was originally provided in resumes or interviews.
The government advisory lists additional red flags including frequent money transfers through online payment platforms, requests for payment in cryptocurrency, multiple logins from various IP addresses in different countries, and unwillingness to provide documentation in a timely manner.
Legal and security risks for employers
Canadian employers who unknowingly hire North Korean IT workers face serious legal consequences. Under the United Nations Act, the maximum penalty on summary conviction is a $100,000 fine or a one-year prison term, or both, with convictions on indictment potentially resulting in a maximum 10-year prison term.
Beyond legal risks, these workers pose significant security threats to organizations.
“Through privileged access to companies’ networks and critical infrastructure, North Korean IT workers may insert passive malware and backdoors in program codes that can collect information, monitor traffic, or facilitate future exploitation, thereby exposing companies to the risk of corporate espionage and data theft,” the advisory states.
Immler said these actors often lack the qualifications for positions they obtain, using AI tools to mask their incompetence while potentially accessing sensitive systems and data.
“You’re getting somebody who probably can’t do the job that well, and they’re using AI tools to basically fake it as much as they can until they eventually get fired or let go — because they realize that they’re not actually performing as well as they should be,” he said.
Small businesses particularly vulnerable
Small businesses and start-ups can be more attractive targets for North Korean IT workers, who seek to exploit these businesses’ need for qualified, relatively inexpensive labour, and the lack of dedicated resources for screening candidates during the hiring process.
These organizations often have fewer resources to conduct thorough background checks and may be more willing to overlook red flags in favour of cost-effective solutions.
Prevention strategies and verification methods
To combat this threat, Immler recommends enhanced verification procedures during the hiring process, including in-person or comprehensive video interviews using multiple communication methods.
Companies should also implement identity verification services that can detect fraudulent documentation and perform “liveness checks” to ensure candidates are who they claim to be.
“The biggest takeaway is that the best way to combat this is during the hiring process. Once somebody’s already in, it’s going to be a protracted period of time before something like this is noticed,” Immler said.
The advisory recommends avoiding cryptocurrency payments, scrutinizing documentation for inconsistencies, conducting background and reference checks with educational institutions and previous employers, and using strategies to detect AI-enabled deepfake technology during remote meetings.
Some companies, including Okta, require even remote employees to visit a physical office within 30 days of hiring to verify their identity in person, though this may not be feasible for all organizations.
The government advisory emphasizes that businesses should report suspicious activities to relevant authorities and implement proper due diligence measures, both to protect their organizations and to comply with Canadian sanctions law.