Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:03):
Welcome to Shut the Back Door brought to you by Redux.
Shut the Back Door is a healthcare security podcast dedicated
to keeping health data safe one episode at a time.
This episode, we're going to talk about a Trojan horse
hiring malicious actors. And joining us for this
episode is Matt Mach, the chief information
(00:26):
security officer at Redux, and Megan McLeod, the
senior security engineer. Welcome, Matt and Megan.
Thanks, Jody. Thanks, Jody. Okay. I'm going to admit
when I saw the topic for this episode, I said,
no. That doesn't really happen. I've been assured
it does, and I am looking forward to finding out more.
(00:49):
So hiring malicious actors. So, Matt and Megan,
this really happens, like, people are hired that just have
intent on doing bad stuff? Yeah. It's pretty crazy, Jody.
This really came to light around, like, 2018.
But over the past, like, eighteen months, it started to get a lot more
attention. And I think that some of the high profile companies that this
(01:11):
has happened at is some of the reasons why.
Basically, what these are are people that
might not be specifically malicious when they are hired
originally, but they're kinda like fake candidates, if you will, when they
come in. So they're pretending to be somebody else. Usually, stolen
identities are used, and they're looking to get hired at a
(01:33):
company for one of basically
three different motives for it. The main one is
financial gain. So they are trying to do their job,
make money, and then they'll send that money back to the
country who is supporting them. Most times, this is North
Korea that we're seeing. There are Chinese actors and
(01:55):
Iranian actors doing this as well, but the most
likely that will be encountered is the North Korean actors who are doing
this. So they'll take their salary. They'll actually do their job.
They may not do it very well, but they will do a job. And they
will send, like, 90% of their proceeds back to North
Korea to fund programs such as, like, their nuclear weapons program
(02:18):
and things like that. Some other intents that people may
have after they start working there, sometimes they do want to
get credentials. They wanna get access to someone's network
and then either do something malicious down the road.
They may try to extort the company later on. They may try
to exfiltrate data and extort the company, or they
(02:40):
may try to just do harm or also espionage
and get information and take that back to their home country as well. So
the main reason that what we're seeing is mostly the financial
gain on these. Some of the numbers, I think Mandiant
came out with a report recently that said that
there were dozens of these actors hired by Fortune
(03:03):
100 companies, and there's a Department of Justice
report out that put the number of funds
that were taken back to, like, North Korea in the hundreds
of millions of dollars. So you assume that there are, you
know, hundreds or thousands of these folks who have been hired
throughout the country in various roles. Most times, you see these
(03:25):
in IT roles that are all remote,
obviously. They're not gonna be an in-person job. These are
gonna be remote roles there. So it it sounds like
most of the malicious actors are remote. And
this this probably includes not only employees,
but contractors. Right? So there's another area we have to look out
(03:47):
for. Yeah. And they're targeting higher paying
jobs as well because since financial motives
are a big part of this, it's looking for roles that'll
be some form of engineering or other areas that are going
to pay well. So they're getting in
these remote positions, utilizing, like, Matt said credentials or
(04:10):
stolen identities, and sometimes even working with people in the
States who are actually active participants. So they don't necessarily
have to steal their ID. They're just using them as
a gateway to this company when they're getting
hired. Yeah. That's some good points, Megan. The the
working with people in the States is usually a
(04:31):
key to these, like, scams that they're running.
There's usually somebody in the States working with them. They may be
even running a laptop farm, so that's where when they get
equipment sent to them, it will go to one of these, like, laptop farms, and
that they will then remote into those devices from the other
countries. Also, people involved in getting the equipment,
(04:53):
installing the software for them. But, you know,
almost always there's somebody involved in the States helping them because of
that physical asset that they need. Not always the case,
because sometimes there is remote access without having to ship
somebody hardware, which that makes it a little bit
easier for these actors to take advantage of. But they have
(05:15):
a good scheme worked out that when you do have to send them
something physically, it's gonna go to a legitimate address. Somebody
is legitimately gonna be there, and they're gonna take it. But that's
also, which we'll talk about a little bit later, some opportunities
to detect that this is going on. Yeah. And, like, with those laptop
farms, I mean, just just picture there. They literally have
(05:37):
tens of however many, hundreds potentially, of laptops just sitting in
their house or sitting in a warehouse somewhere, as Matt was saying, to have
a states based actor helping them.
This is I'm already learning. This is more organized
than I thought it was. This is pretty incredible.
I said I wasn't aware of this before.
(06:01):
Have there been any high profile cases
or things that have made the news that that you can point to show
what's going on with this? Yeah. There's been a lot of press
around this recently. And one case that the
company came forward and actually did a great write up, I
think they did some webinars around this as well to help other folks, was the
(06:23):
company KnowBe4 had hired and detected, you
know, one of these actors. And that was probably
one of the most high profile lately. And they did a great job
of reporting on that and helping others to
determine if they may have run into this, and I think it brought a little
bit of light as well. But also these reports by a
(06:45):
lot of the security firms out there, like Mandiant, Unit
42, they've come out with reports in recent months as well
to to really highlight some of these cases. And I think the
work that is being done around investigating them is getting a lot
more attention now as well. But Megan and I had talked about
this before. We think there's a lot of
(07:07):
confusion around this as who's being targeted, that you must be this, like,
massive organization to be targeted, and that's just not the case. Like,
anybody who has remote jobs or uses remote contractors
can be at risk for this stuff. Even here at Redux,
we've confirmed we've seen these candidates come through our
pipelines as well. So this is not just a huge
(07:30):
Fortune 100 problem. These are definitely happening
across the org. And specifically in health care, we're hearing and
seeing more of these all the time that are happening as
well. Yeah. But something actually I was thinking about, Matt, I was
wondering from the health care perspective, when you get employees like this,
obviously, with any company, you don't want to have fake employees
(07:52):
and people, potentially malicious, from other
countries. But with health care specifically, there's also a
compliance element. Right? So if they have access to PHI or
any other kind of health care data, a lot of that is very strictly regulated.
So I was kinda thinking about the implications of if someone in health care is
hiring someone who is actually working in North Korea,
(08:14):
say, there's a whole other side of issues
that would then be caused by that. Yeah. That's totally
true. And there's also probably some interesting discussions
about, like, well, if they're not technically in the States, but they're accessing
it remotely, where do those lines fall? But 100%,
like, what did they access? What data did they take?
(08:37):
If you are someone who has hired one of these, you know, you're gonna have
to treat this as an incident really and and go through and determine
what they accessed and what happened to that. And it's, you know, definitely
not a good situation to be in, and you're retroactively,
you know, trying to respond to this and also make sure that you
might not have anybody else that's compromised that was hired along with this,
(09:00):
you know, particular person or persons. Earlier, you
said that financial was the biggest motive, that they're
sending money back. But just now, you you mentioned
data that might have been compromised. So is that also a motive
that they're taking data? Yeah. And I think it's
speculated that we're gonna see more of that come up because
(09:21):
of the value around, like, health care data,
for instance. So for the most part, it seems like
they're happy collecting a paycheck, sending that money back, and chugging
along as long as they can. However, if they are found out or suspected that
they're found out, that can be a secondary, you know,
motive of theirs to now try to get more money, especially if they
(09:44):
haven't been there very long and maybe they haven't, you know, collected a ton of
salary from the company, or that's just their exit
strategy to try to extort more money on the way out, knowing
that they've had access to all of this data for quite
some time. They know the value of it, and they've had, you know, plenty of
time to move that data. Yeah. So I still view it somewhat
(10:06):
as a financial motive. It's just the means
for getting that financial gain might be
a little different. So, like, what I'm saying is a higher payout might occur
if they do have that access and they do exploit it because of the value
of data, especially in health care. Yeah. That's a good way to look at
it. It's still a financial motive. It's just the way you go about it. So
(10:27):
now that we understand this is a problem, and
if it's a remote worker, you never know. You're always at risk. So
how can we prevent this? And if we're hiring, what should
we be looking for? Yeah. Great questions, Jody. And I think
with any hiring process, this starts with
the application and then usually, you know, through interview
(10:50):
process before anybody gets to a point where, you know, you
would be doing, like, your typical background checks and stuff like that, which we'll
talk to. But, really, in the interview process itself,
even when you're looking at applicants, I think the
biggest thing is if it doesn't look right, you know, bring that
up, contact your if you're working in HR,
(11:12):
you know, contact your security department, raise that up,
or, you know, maybe just pass on that particular candidate if something doesn't
seem right. We've definitely seen that where, you know, what it is
is just not completely clear, but you're just
getting too many red flags there. So it may just not be the
risk or worth the risk rather. Some of the things to look out for is
(11:34):
once you get to that point of where you're actually interviewing this person,
especially for remote jobs, they're gonna be on some sort of video conferencing, and
that's a great way to start looking for some telltale signs.
One of those is they won't be on video or frequently have to turn off
their video can be a sign. Most times, they're gonna be using
a background as well, and that's you
(11:57):
can look for to see if there are oddities going on at the
time. So a lot of times, someone will accidentally walk behind them
or they might move and it'll expose that they're in a call center or there's
a bunch of people behind them or something like that. So that's a good way.
Also, if they don't have that background, or even if they do and
it gets a little exposed, pay attention to the time zones, like
(12:18):
where are they supposed to be and what's going on behind
them. So I've seen this before too where the person is saying
they're from one state, and then clearly in the background, you can see a
window and it's dark outside. But you know the time of day, it should be
daylight, so things aren't matching up there. Sometimes they might
change locations, or they've even been noticed to swap out
(12:40):
people for the interviews. So looking for those signs
of, like, this doesn't match up, it doesn't look right. There are
cases now they're starting to use, you know, AI to
match the video to overlay people on, like, actual
stolen identities, so kinda merging this fake person
with a real person out there. You see this a lot with, like, LinkedIn
(13:03):
profiles and things of that nature already. You know, those
are a little bit harder to identify, but they
usually don't do them great. So there's a lot of tells if you're just looking
at the person and things don't look right, you know, if things aren't moving,
like, naturally to them or maybe they don't wanna move or
the background just seems a little off. We can always take those opportunities too
(13:24):
to try to ask some questions to get them to, you know, give
more info on where they are, like, what's going on at that time, and you
just ask some questions to try to get some more
information around those pieces. Yeah. And touching back on, like,
LinkedIn, for example, a lot of times, people who
are fake candidates or creating these profiles, you
(13:46):
can look at their Internet presence, and a lot of their
Internet presence will be new. So if you're looking at LinkedIn, for
example, and it looks like they created their profile
a couple months ago, or they have a GitHub that is also very new
or a website that was just started up. So there will be a lot of
very new elements to their Internet presence
(14:08):
that might not be as well established as someone who is actually
in the industry and has the experience that they're claiming to have. Yeah. I think
with that is having a good process, working very closely
with HR, and I think that's one of the keys too is security and
HR need to be on the same page about this, that this is a problem.
And everybody in the hiring pipeline should
(14:30):
really be looking out for this because it's every person that
touches a candidate is a chance to pick this up
before someone gets hired. So if your hiring managers are aware
of this problem, if your recruiters and those others in
HR are also aware and trained, it gives you a, you
know, a greater advantage to try to catch this throughout that. That's
(14:52):
something that we do throughout. Like, we train and keep
everybody in that hiring pipeline up to date on these
particular threats, things to look out for, and train them around that
so that it just gives us more eyes on it. And knowing also
that if there's anything that doesn't look right, that they should come to
security, and then we can do an investigation on that particular
(15:14):
candidate and try to, you know, vet them out and see. There's also a
great amount of indicators of compromise being
shared out there in groups like your ISACs, like H
ISAC, that are very helpful to you. So you can take that information
and see if the addresses are showing up. So we talked
about earlier about these, like, laptop farms that they're running
(15:36):
or just addresses on the credentials that they're using.
So as that stuff keeps getting used, it can be shared out so others can
then use that to look to see if there's anybody in their pipeline that matches
that that indicates that they're, you know, a fake candidate or somebody
that came through. And also after the fact too, if
you're sending out to, like, a weird address, you can run it through those and
(15:58):
see if anything matches. But those are also good ways to
look up. But with the address too, if the person
is claiming they're from, like, say, Texas and then
they do get hired and they want their stuff shipped to New
Jersey, that's a big red flag. Like, why would you ship this
stuff to a different location? And I'm sure they have a great reason for it,
(16:20):
and there'll be a bunch of, you know, excuses around it. But those are the
type of things even through the interview to look out for, just things that
don't seem right. They're supposed to be from here, but the information doesn't
completely match up. Or you can even ask them about things in that
area, which obviously is easy for people to use. You know,
search and use AI to get those answers from it. But it's kinda how
(16:42):
they respond and, you know, how quickly they can get those answers.
I've never worked in the security
space as you do, but I've hired people, and
this has never crossed my mind. So if you have
now got me aware and concerned enough to
say, okay. I want to, and I'm a hiring manager
(17:05):
and I wanna make sure I'm on top of this. This doesn't happen. If
as a hiring manager, if I go to the security team, what should
I ask about? If I know nothing yet, what should
I ask about to the security team to make sure that
we're partnered together and I'm looking for the right things? Yeah. I think
one of the things to ask for is to get details on, like,
(17:28):
what they can do, what are others
reporting so that they can know what to look for, what
specifics, what names are being used, you know, what are the
signs that other people are reporting, sharing pictures.
That sort of information is out there to give them some ideas and kinda walk
them through. And I think also giving them pathlines
(17:50):
here, if you see this thing, here's the right path
to reach out to security so that we can help you, you know, make a
determination on this candidate, especially if it's someone who's far
along in there because it's not unheard of where
they'll switch out candidates along that pipeline. Again,
especially if they're using, like, this blended AI and stuff like that, they
(18:12):
can swap some folks out for different interviews. That's also where you're
probably gonna see the cameras go off because it's not exactly the person
out there. Things like that will start popping up. So given those
indications of, like, if these things happen, what should I do? And
then security can give them some insight into what else to look
for. Yeah. Because there are even things where people's information
(18:35):
starts to change a little bit. Like Matt was saying, if people are switching out
candidates throughout the hiring process, you might see them
do something like misspell their own name or misspell the
city or, like, state that they live in or change. Like, they
forget that they had mentioned that they're in Dallas, and they accidentally say they're
from Austin. Different things like that where they're just subtle changes,
(18:57):
those are things that everyone can look out for regardless of when in the
hiring process that's occurring. So I think also another thing for
security to talk to HR about as well is, you know, these
candidates are not gonna do as well with, like, cultural questions,
like, as far as company culture. So those are also things. If
you're throwing like, the technical questions are easy for them to come
(19:20):
up with or, you know, their background and things like that. But if you
talk about, like, your culture, those are the things that are harder for a fake
candidate to come up with because they're not a real person. They haven't really
worked at those companies. So they probably don't know as much about, like,
your company culture. So working in some of those questions can help, you
know, bring those things to light as well. Well, we've
(19:43):
talked about the questions and the things to look for.
Are there any technical solutions when it comes to interviewing?
Yeah. So there are a couple of things you can look out for.
Just kind of, I must say, like, the easy way right away
is if you're suspecting somebody, yeah,
is not who they're saying they are, working with the security team to try
(20:06):
to pull information from whatever conferencing solution
you're using to see where that person connected to. So if you have that ability,
you could see what their location looks like or what their IP
says and see if that matches up, or maybe it's showing that
it's, you know, one of the known VPN IP ranges or
something like that that just doesn't match up. A lot of times, just not matching
(20:28):
what a person's saying is enough to be like, this doesn't seem right.
We'll just move on from this candidate. There's also some other
technical solutions. We're actually working with one
company that we're hoping to bring on for a future
podcast to help early on in the candidate
pipelines to raise awareness that if
(20:50):
somebody is not who they say they are, but also give you some options
throughout that pipeline to do some additional steps to
help vet them out. So you can try to weed out some of those candidates
early on, but if some of them get through there and you're still
not totally confident, you can give your hiring team some more data
to be able to make those decisions and up until the
(21:13):
person's actually hired. So we mentioned before, like, background checks. You
know, that's something that everybody is doing now. I would hope
that there's no company not background checking anybody, but that
information can help, especially if they're contractors. Sometimes there
are contractors that people don't background check and don't
take all of the necessary steps like you do for someone being
(21:35):
hired. Doing as many of those as you can for
contractors as well is really important because they're also
gonna have access to systems. And especially if it's anything
of a sensitive nature, you know, they should be going through the same sort
of hiring process, but that can help expose
those oddities for you. And then the level of the background check because you have
(21:56):
to remember that they're using identities from real people.
So that's where, you know, a very simple background check
that just comes back, you know, passed might not tell you the whole
story. These are all legitimate identities that are being
used out there. They're gonna be using, you know, either there are gonna be,
you know, fraudulent documents and things of that nature, but you can also
(22:19):
when if somebody takes a picture of their, you know, driver's license,
for instance, and the names might not match up to Megan's point
before. You might see some little things like that, or the signatures are
way off or something to that aspect to look for. But just keep
in mind that a background check itself isn't is not going to
be the end-all, be-all to this because they are using
(22:41):
legitimate people's information. What if someone
actually makes it through the process and gets
hired? Now what? So like we mentioned, there there that
does happen. Like, that I'm not gonna say that you can totally prevent
it all the time. I mean, ideally, if you are looking out for all of
these steps and you have this advanced knowledge about the
(23:03):
issue, you can prevent it from happening. But like Matt mentioned earlier,
a larger company KnowBe4 fully came out and admitted that they did
hire one of these actors. So there
are several things that you can look out for. Some of the things
are just what like, we've been talking about getting on
a conferencing call and showing their face. If they're
(23:25):
very against being on camera, that could
be an issue. Now there is like, company culture can kind of
vary within that. So if you are kind of a camera off group,
that's fine overall. But when you're in the early stages of someone
being hired, it is good to try to be on camera with someone
somewhat regularly because, like we've talked about previously, they can
(23:48):
switch out people at different points. And if you notice that someone looks
different than they looked when you were hiring them, that would be an
obvious red flag. Or like Matt had mentioned briefly, if they
ask for their laptop to be sent to a different location
than they mentioned before, they might say, like, oh, my mom's sick, or I just
got engaged, and we're on a trip, or whatever it is. But they they might
(24:10):
ask for their laptop to be sent, sometimes even to, like, a PO box or
so not an actual address, different things like that. So I've seen, like,
some companies talk about having an ID required for that
pickup or drop off so that they can match the IDs against each
other so that those are the same. But there are just a few different
things like that to look out for. Yeah. And to
(24:32):
add to what Megan was saying, yeah, from a security standpoint,
there's a lot of things that you should be doing already to look for
odd activity, malicious activity that's going on. So they're looking
for oddities with logins, you know, where is this person logging in
if anything does pop up that's, you know, not where they're supposed to
be or logins from multiple places within, you
(24:55):
know, a small amount of time could be an indicator. And the
IPs just in general, too. Are they logging in with
VPN related IPs that are they're not supposed to be using?
Remember, they're gonna be logging into the laptop that you actually sent,
but it's gonna be through some remote means that they're doing that. They're
not physically sitting there. So another way is to, you know, keep
(25:18):
track of what software is running on those
devices and watching for things to get installed
that you don't use. So you're probably gonna use some sort of, you know,
remote monitoring software, some sort of remote desktop
software, stuff like that. So if there's something that goes on that is
not part of your standard toolset, like, that should be raising
(25:40):
flags already. But even in these cases, it's even more of a red flag to
say that, you know, why is this happening? And, you know, most likely, they will
slip up and something will occur there that will give you the data.
You just have to be looking out for it that, you know, maybe, you know,
they didn't start their VPN correctly or something that
aspect or, you know, maybe they clicked wrong or typed
(26:02):
information somewhere that they didn't mean to, and now
that's giving away, like, their location. So that's something to keep an eye
on from the logs, especially with third party and contractors that you
might not have as much insight into, just having a little extra
eyes on their accounts and their information, especially when they
start out to see if it's matching what you're expecting there.
(26:24):
Yeah. And there are even somewhat more minor seeming things
like changing the language on their laptop
or something else, if they've said that they were born and raised
in the United States and they speak English, but now they change
their language to North Korean, for example, then
that could be a potential thing to look out for, especially on top of
(26:47):
any of these other indicators that Matt was discussing. Yeah. Some
of those that Megan alluded to earlier, like, being off camera,
you should start to see stuff like that where they might have connectivity
issues. So they, you know, might be on a call and
they drop off, or they can't join a meeting because they'll say they have connectivity
problems, or stuff like that will be just kind of status quo
(27:10):
for them. They won't, you know, be on every meeting, perfect connection,
always on video. There's gonna be things that just don't stick out.
Again, they're doing the job, either maybe not themselves, that
there's a lot of cases where they're using, you know, forms
of people to do the work, and then they're funneling it through, you know, one
person. So you're not going to get, like, world class
(27:32):
elite work done here, but they're not going to be super terrible. So
they're just trying to fly under the radar, right, and they're just good enough to
stay employed, keep getting that money. In some cases, they might be better if
they're trying to get specific type of information. Right? They'll put
more attention and resources on it if they really want to get to
another goal other than just getting the paycheck and sending that back.
(27:55):
And, of course, when that's the case from a security standpoint,
that's when having detection systems really honed
in on your internal network are super important because this
person's already through the gates. They're now inside. This is a
true insider threat for you. And if you don't have detection systems
set up to look for those oddities in
(28:17):
what a role is doing, they're normally not accessing these systems and now
all of a sudden they are. You know, they're poking around the network to try
to find where things are that they shouldn't be. Those are the key indicators
that something's up with this particular account. Well, this has
been a fascinating discussion for me. I know I learned a
lot. Hopefully, you did as well. You can join us next
(28:39):
episode as we discuss more security challenges
impacting health care and practical ways to address
them. You've heard Matt and Megan talk a lot about
practical ways to address this topic this episode,
so you'll get more next time. So, Matt and Megan,
do you have anything for us as we wrap up this episode?
(29:01):
Just like to remind folks if they have any suggestions,
any topics they'd like us to hit on, any feedback, or
wanna chat about this particular topic, you know, feel free to reach out to
us, and we'll have a link in the show notes as well
to a form that they can submit topics or any
suggestions there. Yeah. We'll also have some of these resources
(29:24):
that we've talked about linked in the show notes as well. And don't
forget to lock the back door.