North Korean IT operatives are leveraging deepfake technology to fabricate synthetic identities for online job interviews, aiming to secure remote work positions. This tactic is part of a broader state-sponsored employment scam designed to infiltrate organizations in the US and globally for malicious purposes.

Rising Threat of Deepfake Technology

Recently, both talent acquisition and cybersecurity communities have observed an increase in job applicants utilizing real-time deepfakes during interviews to conceal their true identities. Researchers from Palo Alto Networks' Unit 42 highlighted this trend in a recent blog post. They discovered that creating a real-time deepfake requires minimal effort, taking just over an hour with no prior experience, using readily available tools and affordable consumer hardware.

Case Study Insights

Unit 42's investigation was prompted by a report from the Pragmatic Engineer newsletter, which detailed how a Polish AI company almost hired a non-existent individual after encountering two deepfake candidates. Interviewers suspected that these "candidates" were deepfake personas crafted by the same individual.

  • Logical Evolution: Unit 42 researchers concluded that deepfakes are a natural progression of a well-documented fraudulent infiltration scheme by North Korean IT workers.
  • Advanced Methodology: These operatives have enhanced their infiltration tactics by integrating real-time deepfake technology.

The Deepfake Advantage

Utilizing deepfakes in securing remote IT jobs provides North Korean threat actors with two significant advantages. Firstly, it allows a single operator to interview for the same position multiple times using different synthetic personas. Secondly, it helps them evade detection and avoid being listed in security bulletins or criminal wanted notices.

This technology enables malicious actors to better disguise their activities from organizations seeking to hire them, increasing their chances of employment and facilitating covert malicious activities while on the job.

Creating Deepfakes: A Simple Process

To demonstrate the ease of creating a deepfake, a Unit 42 researcher with no image manipulation experience used an AI search engine, a standard Internet connection, and a five-year-old computer. In approximately 70 minutes, the researcher generated several deepfake identities using images from thispersondoesnotexist[.]org, a site that allows the use of generated faces for personal and commercial purposes.

  • Minimal Requirements: The process required only basic tools and resources.
  • Virtual Camera Setup: The most time-consuming aspect was setting up a virtual camera feed for video conferencing software.

Detecting Deepfake Candidates

The use of deepfakes highlights the persistence and growing sophistication of North Korean state-sponsored actors in securing remote jobs at US and European cybersecurity organizations for cyberespionage and other malicious activities. In one notable incident, security firm KnowBe4 inadvertently hired one of these threat actors, only realizing its mistake after the individual installed malware on a corporate workstation.

Strategies for Identification

Organizations can employ several methods to identify deepfake identities during interviews. One approach is to exploit technical shortcomings in real-time deepfake systems, such as temporal consistency issues, occlusion handling, lighting adaptation, and audio-visual synchronization. These flaws can produce noticeable glitches during interactions with candidates.

  • Record Interviews: Human resources teams should record interviews for forensic analysis.
  • Identity Verification: Implement a comprehensive identity verification workflow, including document-authenticity checks and ID verification.

Security teams can further secure the hiring pipeline by recording job application IP addresses to ensure they are not from anonymizing infrastructure or suspicious geographic regions. Additionally, verifying that candidates' phone numbers are not from VoIP carriers associated with identity concealment is crucial. Partnering with other companies and Information Sharing and Analysis Centers (ISACs) to share and acquire data on the latest synthetic identity techniques is also recommended.
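The IP and phone checks described above can be automated as a screening step over application records. The sketch below is an added example, not code from Unit 42 or the original article; the record schema, the line-type values, the region codes ("AA", "ZZ") and the address ranges (documentation blocks) are constructed assumptions standing in for your own feeds and lookup services.

```python
import ipaddress

# Constructed sample data. The ranges are RFC 5737/3849 documentation blocks
# standing in for a maintained feed of VPN, proxy and Tor exit ranges.
ANONYMIZER_RANGES = [ipaddress.ip_network(n) for n in
                     ("198.51.100.0/24", "203.0.113.64/26", "2001:db8:ffff::/48")]
REVIEW_REGIONS = {"ZZ"}                             # placeholder code; set by policy
CONCEALING_LINE_TYPES = {"voip", "non-fixed voip"}  # assumed carrier-lookup values


def normalize_ip(raw):
    """Parse a logged address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(raw.strip())
    # Dual-stack servers often log IPv4 clients in mapped form, which would
    # otherwise never match an IPv4 range.
    return getattr(ip, "ipv4_mapped", None) or ip


def screen_application(app, geo_lookup):
    """Return review flags for one application record (hypothetical schema).

    app: dict with "id", "source_ips" (list of str) and "phone_line_type".
    geo_lookup: callable mapping an address object to a region code or None.
    """
    flags = []
    for raw in app["source_ips"]:
        try:
            ip = normalize_ip(raw)
        except ValueError:
            flags.append(f"unparseable source address {raw!r}")
            continue
        if any(ip.version == net.version and ip in net for net in ANONYMIZER_RANGES):
            flags.append(f"{ip} is in an anonymizer range")
        region = geo_lookup(ip)
        if region in REVIEW_REGIONS:
            flags.append(f"{ip} geolocates to review region {region}")
    if app.get("phone_line_type", "").lower() in CONCEALING_LINE_TYPES:
        flags.append("phone number is on a VoIP line")
    return flags


# Constructed records: one clean, one with a mapped IPv6 address and a VoIP phone.
SAMPLE_GEO = {"192.0.2.10": "AA", "198.51.100.7": "AA", "192.0.2.200": "ZZ"}
lookup = lambda ip: SAMPLE_GEO.get(str(ip))
CLEAN = {"id": "app-001", "source_ips": ["192.0.2.10"], "phone_line_type": "mobile"}
SUSPECT = {"id": "app-002", "phone_line_type": "VoIP",
           "source_ips": ["::ffff:198.51.100.7", "192.0.2.200", "not-an-ip"]}

if __name__ == "__main__":
    for app in (CLEAN, SUSPECT):
        print(app["id"], screen_application(app, lookup) or "no flags")
```

Flags are prompts for human review alongside the identity verification workflow, not automatic rejections; legitimate candidates also use VPNs and VoIP numbers.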
