Amazon CSO Stephen Schmidt says the company has rejected more than 1,800 fake North Korean job applicants in 18 months – but one managed to slip through the net

Analysis from Amazon highlights the growing scale of North Korean-backed "fake IT worker" campaigns


Amazon has had hundreds of fraudulent job applications from North Korean threat actors since April last year, with the company uncovering one successful campaign internally.

According to chief security officer (CSO) Stephen Schmidt, the company has prevented more than 1,800 suspected DPRK operatives from joining since April 2024, and has detected 27% more DPRK-affiliated applications quarter over quarter this year.

“Over the past few years, North Korean (DPRK) nationals have been attempting to secure remote IT jobs with companies worldwide, particularly in the U.S.,” Schmidt wrote in a post on LinkedIn.

“Their objective is typically straightforward: get hired, get paid, and funnel wages back to fund the regime's weapons programs.”

With this number of fraudulent applications, Schmidt said the company has a good insight into how these threats are evolving, and there are several notable areas of interest for enterprise security teams.

North Korean hackers are refining tactics

First and foremost, identity theft has become more calculated, Schmidt said, with operatives targeting individual software engineers who provide real credibility, rather than people with minimal online presence.

Operatives involved in these campaigns often work with facilitators managing “laptop farms”, Schmidt added: US locations that receive shipments and maintain a domestic presence while the worker operates remotely from outside the country.

LinkedIn strategies are also getting more sophisticated, with the fraudsters hijacking dormant accounts through compromised credentials to gain verification.

"We've also identified networks where people hand over access to their accounts in exchange for payment," he said.

Research shows LinkedIn has become a prime hunting ground for cyber criminals, with analysis by Clear Sky Security in late 2024 showing hackers are using the professional networking app to both target victims and build an online presence.

A more recent study from Bitdefender Labs also highlighted the growing threats enterprises face through the platform, uncovering an Iranian-linked campaign which took inspiration from previous North Korean efforts.

Notably, Schmidt warned threat actors are increasingly targeting AI and machine learning roles, both of which are growing in demand as companies ramp up adoption of the technology.

One hacker slipped through the cracks

The company admitted that one imposter did manage to slip through the cracks in a recent campaign, however.

According to reports from Bloomberg, the company discovered a fake systems development contractor by tracking keystroke inputs.

Security teams at the retail giant observed significant keystroke lag which raised the alarm. Typically, a US-based remote worker would record keystroke data within several milliseconds.

In this instance, however, the worker’s keystroke lag stood at “more than 110 milliseconds”, suggesting they were based outside the country.
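As an added illustration (not Amazon's tooling and not part of the original article), the sketch below shows how such a check could be expressed over input-latency telemetry. The 110 ms threshold is the figure quoted above; the record layout, the worker and session names, and the two-session persistence rule are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample telemetry: (worker_id, session_id, keystroke latency samples in ms).
SAMPLES = [
    ("w-001", "s1", [4, 6, 5, 7, 5, 40]),              # one jitter spike
    ("w-001", "s2", [5, 5, 6, 4, 6, 5]),
    ("w-002", "s1", [118, 125, 112, 131, 120, 116]),   # consistently slow
    ("w-002", "s2", [114, 119, 140, 122, 117, 113]),
    ("w-003", "s1", [6, 150, 5, 7, 6, 5]),             # single outlier keystroke
    ("w-003", "s2", [130, 128, 126, 133, 129, 127]),   # one slow session only
]

THRESHOLD_MS = 110      # figure quoted in the article
MIN_SLOW_SESSIONS = 2   # assumption: require persistence before alerting


def slow_sessions(samples, threshold_ms=THRESHOLD_MS):
    """Map worker -> [(session, median_ms)] for sessions whose median exceeds the threshold.

    The median is used instead of the mean so that a single delayed
    keystroke (network jitter) does not mark a whole session as slow.
    """
    result = defaultdict(list)
    for worker, session, latencies in samples:
        if not latencies:
            continue  # no input recorded, nothing to judge
        mid = median(latencies)
        if mid > threshold_ms:
            result[worker].append((session, mid))
    return dict(result)


def flag_workers(samples, threshold_ms=THRESHOLD_MS, min_slow=MIN_SLOW_SESSIONS):
    """Return only workers whose latency is high across several sessions."""
    return {
        worker: sessions
        for worker, sessions in slow_sessions(samples, threshold_ms).items()
        if len(sessions) >= min_slow
    }


if __name__ == "__main__":
    for worker, sessions in flag_workers(SAMPLES).items():
        print(worker, sessions)
```

A flag of this kind is a lead for investigation rather than proof of location, since VPNs, satellite links and poor connections also add latency.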

Amazon isn't alone in falling prey to hackers involved in these campaigns. Last year, cybersecurity firm KnowBe4 inadvertently hired a North Korean hacker in an incident which prompted an overhaul of hiring processes at the company.

The individual managed to pass background checks, but was discovered after they began loading malware shortly after receiving their Mac workstation.

North Korean threats will continue

Repeated warnings have been issued over the threats posed by North Korean threat actors over the last 18 months. Attack methods have shifted rapidly, with operators choosing to infiltrate enterprises to wreak havoc with malware and to extract valuable intellectual property.

Earlier this year, the FBI issued guidance on how to avoid the scam, urging organisations to practice the principle of least privilege and ramp up monitoring and investigation of network traffic.

More recently, Google warned that fake North Korean workers were now popping up in increasing numbers in Europe, using online recruitment platforms including Upwork, Telegram, and Freelancer. They've also been carrying out more extortion attempts and targeting larger organizations.

"If you’re concerned about these threats in your organization, query your databases for common indicators: patterns in resumes, emails, phone numbers, educational backgrounds," advised Schmidt.

"Implement identity verification at multiple hiring stages and monitor for anomalous technical behavior: unusual remote access, unauthorized hardware. If you identify suspected DPRK IT workers, report it to the FBI or your local law enforcement."
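The indicator query Schmidt describes can be sketched as follows. This is an added example, not code from Amazon or from the original article: it links applications that share a normalised email address or phone number and reports clusters that span more than one applicant name. The record fields, the normalisation rules (dropping "+tag" suffixes, keeping the last ten phone digits) and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample applicant records; every value is fabricated.
APPLICATIONS = [
    {"id": 1, "name": "Alex Reed",  "email": "a.reed.dev@example.com", "phone": "+1 (555) 010-2233"},
    {"id": 2, "name": "Brian Cole", "email": "bcole@example.org",      "phone": "555-010-2233"},
    {"id": 3, "name": "Chris Park", "email": "BCole+jobs@example.org", "phone": "+1 555 010 7788"},
    {"id": 4, "name": "Dana Young", "email": "dana.y@example.net",     "phone": "+1 555 010 9900"},
]


def norm_email(addr):
    """Lower-case the address and drop any '+tag' suffix in the local part."""
    local, _, domain = addr.strip().lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain


def norm_phone(num):
    """Keep digits only and compare on the last ten (assumes US-style numbers)."""
    return re.sub(r"\D", "", num)[-10:]


def linked_clusters(apps):
    """Return sorted id lists for applications linked by a shared indicator
    and submitted under more than one distinct name."""
    parent = {a["id"]: a["id"] for a in apps}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # indicator -> id of the first application carrying it
    for a in apps:
        for key in (("email", norm_email(a["email"])), ("phone", norm_phone(a["phone"]))):
            if key in first_seen:
                parent[find(a["id"])] = find(first_seen[key])
            else:
                first_seen[key] = a["id"]

    ids, names = defaultdict(list), defaultdict(set)
    for a in apps:
        root = find(a["id"])
        ids[root].append(a["id"])
        names[root].add(a["name"].strip().lower())
    # One person re-applying under the same name is not reported.
    return sorted(sorted(v) for r, v in ids.items() if len(names[r]) > 1)


if __name__ == "__main__":
    print(linked_clusters(APPLICATIONS))
```

Applications 1 and 2 share a phone number and 2 and 3 share a mailbox, so all three land in one cluster even though 1 and 3 have no indicator in common.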


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.