As more organisations turn towards recruiting employees to work remotely, threat actors are moving to target these hiring processes with new, innovative ways of manipulation.
HR Leader recently spoke to Adam Meyers, head of counter-adversary operations at CrowdStrike, about the growing infiltration threat of cyber criminals into remote recruitment practices.
According to Meyers, either foreign governments or cyber criminals are actively and increasingly exploiting virtual recruitment and onboarding processes through both advanced AI tools and stolen identities – posing as legitimate candidates in an attempt to dupe organisations into letting them access corporate networks and steal sensitive data.
Meyers highlighted an adversary known as Famous Chollima, which is allegedly connected to the Democratic People’s Republic of North Korea and has previously been exposed for successfully infiltrating more than 100 companies, with 40 per cent of the 300 incidents intertwined with fake IT hires.
“Famous Chollima uses generative AI to craft convincing fake résumés, job applications, and online personas – such as LinkedIn profiles – to exploit remote hiring processes by posing as legitimate candidates,” said Meyers.
“This technology is further used during the interview process. For example, in a technical interview, there may be multiple operators working to complete coding challenges, while another contributor handles the video interview.
“This blend of technical skills, social engineering tactics, and operational discipline makes this adversary a serious and sophisticated threat.”
Meyers explained that once these fake hires enter the organisation’s fold, they often request that their company laptop be sent to varying addresses.
“Once hired, they request their company laptop to be sent to an alternative address to their residential address – by providing a reason such as staying with a sick family member – that is actually a laptop farm,” he said.
“The insider is then able to remotely access these laptops – with their employer believing they are working legitimately – and install remote management tools or browser extensions to gain deeper access to their employer’s technology systems and sensitive information.”
Meyers pinpointed strategies that HR leaders and in-house recruitment teams can integrate to ensure that they do not fall victim to this manipulation.
“To defend against Famous Chollima, hiring and HR teams must treat recruitment as a security-critical process: verify identities rigorously, use live video onboarding and work hand in hand with IT, legal and security.
“Teams should be wary of candidates who avoid turning on their video or removing blurred backgrounds when asked and always ensure a candidate’s physical appearance matches their purported identity,” he said.
“Performing tests during the interview to identify deepfake technology, which has been observed in use by Famous Chollima, can also help HR teams identify suspicious activity. As an example, asking the candidate to touch their face can create artifacts that reveal the use of such technology.
“Once hired, HR leaders should ensure that employees are not onboarded at an alternate location to their residence or a company office and are regularly on video in meetings. It’s also important [that] companies implement strong performance management policies and watch for underperformance, as these insiders are doing the bare minimum to stay employed.
“Companies need an intelligence-led security strategy alongside real-time visibility, continuous monitoring of sensitive information and systems, and the ability to rapidly respond across all attack surfaces.”
Kace O'Neill
Kace O'Neill is a Graduate Journalist for HR Leader. Kace studied Media Communications and Maori studies at the University of Otago and has a passion for sports and storytelling.