
How SentinelOne defends against fake IT workers

SentinelOne’s Tom Hegel tells IT Brew that fake IT worker activity ramped up last year at his company.

[Photo: SentinelOne software company headquarters in Silicon Valley. Credit: Sundry Photography/Getty Images]


For cybersecurity vendors, the recruitment process has seemingly become a real-life version of Among Us as threat actors continue to masquerade as fake IT workers seeking a gig.

SentinelOne can attest to this. A recent report from its research division, SentinelLabs, disclosed that the company had tracked about 360 fake personas and more than 1,000 job applications tied to the DPRK-linked fake IT worker scheme in its own applicant pool. Tom Hegel, a distinguished threat researcher and research lead at SentinelOne, told IT Brew that the ploy has become a “numbers game” for North Korea-based threat actors as they apply for positions in “the masses in very automated ways.”

“It’s pretty consistent,” Hegel said. “Every couple of weeks, we see a good flood of them come in.”

Pulling back the curtain. While fake worker attempts have been aimed at Sentinel for at least the past 18 months, Hegel said the bulk of them occurred last year.

“It’s a signal of the success they’re having,” Hegel said. “They’re ramping up the approach they’re taking, so it’s increased in numbers, kind of globally at that point.”

Recalling one fake IT worker attempt, Hegel said a threat actor applied directly to SentinelLabs, an absurd choice given the research team’s reputation for tracking North Korean and other international cyber adversaries.

“Seeing them apply for a job on our team was kind of like, ‘Are you for real?’” Hegel said. “It was just too easy.”

Growing problem. Sentinel is not the only cybersecurity vendor that has been a target of the fake IT worker scam. IT Brew previously reported that identity assurance company Hypr almost hired a fake European software engineer to its team last year. Earlier this month, Kraken also disclosed its own incident with a fake engineer applicant, whom it put through a “rigorous recruitment process.”

According to Hegel, threat actors engaged in the scheme often leave pretty noticeable clues about their true identity and intentions.


“These red flags tend to be things like mismatched résumés to LinkedIn profiles, or their LinkedIn profile and their résumé is linked to a different named person that has the same background on LinkedIn,” Hegel said.

Hegel added that the threat actors aren’t always individuals located in North Korea and that Sentinel has seen “operators” behind fake personas located in China and Russia. However, he observed that these individuals may still unknowingly be working on behalf of North Korea-linked companies.

“They’re like proxy consultants or things like that,” Hegel said. “Just human shops that can do clicks and do interviews, scammy nonetheless, but they don’t quite realize they’re doing things…for North Korea.”

Ramping up defenses. Around the middle of last year, Sentinel began to bolster its defenses against the scheme by collecting applicant data in anonymized form so that SentinelLabs could track personas and their characteristics and build a “detection engine” to flag them.

“Ultimately, what we’re doing is looking for those little red flags and everything from how they apply to their personas to the way they communicate, and then flagging them so our team can know to act appropriate,” Hegel said.
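The article does not describe the internals of SentinelOne’s detection engine. As an added illustration (not SentinelOne’s code), here is a toy screening pass in Python over a constructed applicant pool. It implements the two red flags Hegel names: a résumé whose linked profile carries a different name, and one work history recycled under several applicant names. A third check, reuse of a contact address across applications, is my own assumption. The record fields, the `screen`/`history_fingerprint` helpers and the sample applicants are all made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
import hashlib
import re


@dataclass(frozen=True)
class Application:
    """Hypothetical applicant record; field names are assumptions for this example."""
    app_id: str
    resume_name: str   # name printed on the résumé
    profile_name: str  # name on the linked LinkedIn-style profile
    employers: tuple   # ((employer, title), ...) as listed on the résumé
    contact: str       # e-mail address supplied by the applicant


def _norm(text):
    """Lower-case and strip everything but letters, so 'J. Lee' == 'jlee'."""
    return re.sub(r"[^a-z]", "", text.lower())


def history_fingerprint(employers):
    """Order-insensitive hash of the work history: two personas that recycle the
    same background collide even if the résumés list the jobs in different orders."""
    canon = "|".join(sorted(f"{_norm(e)}:{_norm(t)}" for e, t in employers))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def name_mismatch(app):
    """Red flag 1: the résumé and the profile it links to carry different names."""
    return _norm(app.resume_name) != _norm(app.profile_name)


def screen(apps):
    """Return {app_id: [flag, ...]} for every application that trips a heuristic.
    Clean applications are absent from the result."""
    flags = defaultdict(list)
    by_history = defaultdict(list)
    by_contact = defaultdict(list)

    for app in apps:
        if name_mismatch(app):
            flags[app.app_id].append("resume/profile name mismatch")
        by_history[history_fingerprint(app.employers)].append(app)
        by_contact[app.contact.strip().lower()].append(app)

    # Red flag 2: the same background shows up under more than one applicant name.
    for group in by_history.values():
        if len({_norm(a.resume_name) for a in group}) > 1:
            for a in group:
                flags[a.app_id].append(
                    f"work history shared with {len(group) - 1} other persona(s)")

    # Red flag 3 (assumption): one contact channel reused across applications.
    for group in by_contact.values():
        if len(group) > 1:
            for a in group:
                flags[a.app_id].append(
                    f"contact shared with {len(group) - 1} other application(s)")

    return dict(flags)


# Constructed sample applicant pool; none of these are real people.
SAMPLE_APPLICATIONS = (
    Application("A1", "Alex Rivera", "Alex Rivera",
                (("Acme Corp", "Backend Engineer"), ("Globex", "Site Reliability Engineer")),
                "a.rivera@example.com"),
    Application("A2", "Jordan Lee", "Sam Chen",          # résumé links to someone else's profile
                (("Initech", "Full Stack Developer"), ("Umbrella Corp", "Software Engineer")),
                "jlee@example.net"),
    Application("A3", "Taylor Morgan", "Taylor Morgan",  # same background as A2, reordered
                (("Umbrella Corp", "Software Engineer"), ("Initech", "Full Stack Developer")),
                "tmorgan@example.org"),
    Application("A4", "Casey Kim", "Casey Kim",          # reuses A2's e-mail address
                (("Hooli", "Software Engineer"),),
                "JLee@example.net"),
)

if __name__ == "__main__":
    for app_id, reasons in screen(SAMPLE_APPLICATIONS).items():
        print(app_id, "->", "; ".join(reasons))
```

The fingerprint is what makes the cross-applicant check work at volume: it ignores job order and punctuation, so a persona factory that reshuffles the same résumé under new names still collides with its siblings, while a genuinely unique applicant such as A1 never appears in the output.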

This collaboration between the talent acquisition team and SentinelLabs lets the research team “interject” itself into the hiring process to collect more data on threat actors when needed.

“If this was like a large insurance company, the challenge is significantly higher to interject yourselves into that process,” he said.

So far, the effort has helped SentinelOne to cover its bases against the faux applicants.

“The output has ultimately been stopping them from getting in internally, defending against them with this intelligence to make sure that we’re not missing something, and then at the end of it…[having] really solid intelligence on these actors,” Hegel said.
