July 28, 2022

We interviewed a North Korean hacker. Here's what we learned.

There are lots of risks in hiring remote employees. One is that someone might be trying to infiltrate your organization, maybe even the North Koreans.

We're growing, and we're trying to grow the team to support that growth. One of the challenges that we have, probably like a lot of organisations, is that we want a mix of talent, cybersecurity experience, motivation and some very specific software development skills that just aren't that easy to find. And there is truth to some of the stereotypes or preconceptions about people with those skills not always being super organised, or having the most polished CVs. So we tend to focus on a lot of the hard skills - technical expertise, coding experience, etc - and we'll want to talk to a person. And we're remote-first, so we take a lot of applicants seriously and try to engage in a meaningful discussion to see if someone's a fit.

My camera is broken

This seems to be the classic common thread in a lot of remote candidate interviews. But apparently, only about 10% of digital cameras fail. So this should be a red flag.

So we started the interview with someone who was supposedly an Irish citizen who grew up in Japan. Sadly, we don't speak Japanese so we couldn't test that, but with supposedly fluent English, we went forward. The candidate had trouble answering our questions, and repeatedly gave an answer of "personal reasons" when we were asking "how long" questions. OK, so, not fluent English.

Next, about 20 minutes into the interview, we had an "interruption" and lost connectivity. We started hearing repeated "Hello?" from the other end, and then the line reconnected, but with a very different voice at the other end. With no video, we can't say for certain, but it definitely sounded like a different person.

Time to start our own investigation...

Here's the candidate's code "repos":

Are these repos real...?

This is a candidate for a full-stack developer job in cybersecurity, and the focus of the repos is on NFTs, Blockchain and crypto. What does this align with? North Korean hackers trying to infiltrate US firms, mostly crypto, but also cyber. So let's dig into the code commits to see what we find:

Code commits align to 1:40am-1:45am Irish time, which is... normal daytime in Korea
"fake commit" isn't trying very hard, is it?

How about the recommendations on the CV?

"Richard" was not the name on the CV. Also, how about that lorem ipsum?

A few additional things we found:

  • The picture on the CV was also found on a stock image site, with minor modification. In our case, the CV photo was a stock image with a different color sweater photoshopped on top.
  • We got 2 more similar CVs in the next couple of weeks, presumably checking if we could be fooled.
  • The skills claimed on the CV, GitHub repo and email cover letter didn't match. For instance, the GitHub page had a GoLang repo, despite the CV not listing GoLang.
  • They claimed experience in Figma from a time when Figma did not yet exist.

Lessons learned

It's pretty simple, really.

  • Require video for the interview. Whether phone, laptop or iPad, if you're going to hire someone who has access to critical systems, this is very important.
  • Do some research on your candidates' public profiles, code repos, etc. After the interview, most of what we found here took less than 20 minutes or 3 clicks to uncover.
  • If you're interviewing someone who speaks another language as their mother tongue, maybe learn an intro phrase and throw that at them to get a reaction and response.
  • Do a quick reverse image search of the headshot on the CV, if you get one.
  • Be cautious.
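The commit-timestamp check described above (commits landing at 1:40am Irish time but mid-morning in Korea, plus "fake commit" messages) can be made repeatable. The following is an added example, not code from the original post; the log rows are constructed, shaped like `git log --format='%aI|%s'` output, and the fixed UTC offsets stand in for Irish summer time and Korean time.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample rows (timestamp|subject), not the candidate's real repo.
SAMPLE_LOG = """\
2022-06-01T01:40:12+01:00|fake commit
2022-06-01T01:42:55+01:00|update readme
2022-06-02T01:41:03+01:00|fake commit
2022-06-02T01:44:30+01:00|add nft mint page
2022-06-03T01:40:47+01:00|fix
2022-06-03T09:15:00+01:00|initial commit
"""

# Fixed offsets for the example; zoneinfo.ZoneInfo("Europe/Dublin") would
# handle DST properly in a real check (assumes tzdata is installed).
IRISH_SUMMER = timezone(timedelta(hours=1))
KOREA = timezone(timedelta(hours=9))

# Subjects that carry no information about real work.
FILLER_SUBJECTS = {"fake commit", "fix", "update", "wip", "test", "commit"}


def parse_log(text):
    """Return [(aware datetime, subject)] and skip malformed rows."""
    rows = []
    for line in text.splitlines():
        ts, sep, subject = line.partition("|")
        if not sep:
            continue
        try:
            rows.append((datetime.fromisoformat(ts.strip()), subject.strip()))
        except ValueError:
            continue
    return rows


def hour_histogram(rows, tz):
    """Commits per local hour of day in the given timezone."""
    return Counter(dt.astimezone(tz).hour for dt, _ in rows)


def night_fraction(rows, tz, night=range(0, 6)):
    """Share of commits made 00:00-05:59 local time in tz."""
    if not rows:
        return 0.0
    hist = hour_histogram(rows, tz)
    return sum(hist[h] for h in night) / len(rows)


def filler_subjects(rows):
    """Commit subjects that look like placeholders rather than work."""
    return [s for _, s in rows if s.lower() in FILLER_SUBJECTS]


def assess(text, claimed_tz, night_threshold=0.5):
    """Return human-readable flags for a claimed working timezone."""
    rows = parse_log(text)
    flags = []
    frac = night_fraction(rows, claimed_tz)
    if frac >= night_threshold:
        flags.append(f"{frac:.0%} of commits at 00:00-05:59 in claimed timezone")
    filler = filler_subjects(rows)
    if filler:
        flags.append(f"{len(filler)} placeholder commit subject(s)")
    return flags
```

Run `assess(SAMPLE_LOG, IRISH_SUMMER)` and `assess(SAMPLE_LOG, KOREA)` side by side: the same commits are night work for the claimed location and ordinary office hours nine time zones east.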