North Korean Infiltrator Caught Working In Amazon IT Department Thanks To Lag (tomshardware.com)
An anonymous reader quotes a report from Tom's Hardware: A North Korean imposter was uncovered, working as a sysadmin at Amazon U.S., after their keystroke input lag raised suspicions with security specialists at the online retail giant. Normally, a U.S.-based remote worker's computer would send keystroke data within tens of milliseconds. This suspicious individual's keyboard lag was "more than 110 milliseconds," reports Bloomberg. Amazon is commendably proactive in its pursuit of impostors, according to the source report.
The news site talked with Amazon's Chief Security Officer, Stephen Schmidt, about this fascinating new case of North Koreans trying to infiltrate U.S. organizations to raise hard currency for the Democratic People's Republic of Korea (DPRK), and sometimes indulge in espionage and/or sabotage. Schmidt says that Amazon has foiled more than 1,800 DPRK infiltration attempts since April 2024. Moreover, the rate of attempts continues apace, with Amazon reckoning it is seeing a 27% QoQ uplift in North Koreans trying to get into the Amazon corporation. However, Amazon's success can be almost entirely credited to the fact that it is actively looking for DPRK impostors, warns its Chief Security Officer. "If we hadn't been looking for the DPRK workers," Schmidt said, "we would not have found them."
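The detection described in the summary (keystrokes that should arrive within tens of milliseconds instead showing more than 110 ms of lag) can be turned into a simple anomaly rule. The Python below is an added example, not Amazon's or Bloomberg's code; it assumes an endpoint agent that reports a per-keystroke latency figure, and uses windowed medians so that a handful of spikes from a poor mobile connection does not trip the rule while a persistently remote-driven laptop does.

```python
import random
from dataclasses import dataclass
from statistics import median

# Threshold from the report: a US-based worker's keystrokes normally arrive within
# tens of milliseconds; the flagged account exceeded 110 ms.
LAG_THRESHOLD_MS = 110
# Assumed tuning (not from the report): require sustained lag across several
# windows so a burst of spikes from a bad cellular link does not trip the detector.
WINDOW = 50
MIN_HIGH_WINDOWS = 3

@dataclass
class KeystrokeSample:
    user: str
    lag_ms: int  # assumed agent-derived input-path latency for one keystroke

def windowed_medians(lags, window=WINDOW):
    """Median lag over consecutive non-overlapping windows of keystrokes."""
    return [median(lags[i:i + window]) for i in range(0, len(lags) - window + 1, window)]

def flag_sessions(samples, threshold=LAG_THRESHOLD_MS, min_windows=MIN_HIGH_WINDOWS):
    """Return users whose keystroke lag stays above threshold. The median is used
    on purpose: a few 1000 ms outliers from a poor connection barely move it,
    whereas a remotely driven laptop adds latency to every keystroke."""
    by_user = {}
    for s in samples:  # samples are assumed to be in time order per user
        by_user.setdefault(s.user, []).append(s.lag_ms)
    flagged = {}
    for user, lags in by_user.items():
        meds = windowed_medians(lags)
        high = sum(1 for m in meds if m > threshold)
        if high >= min_windows:
            flagged[user] = {"windows": len(meds), "high_windows": high,
                             "overall_median_ms": median(lags)}
    return flagged

def constructed_samples():
    """Constructed telemetry (not real data): a local worker, a laptop driven over
    a remote-control link, and a worker on a flaky cellular connection."""
    rng = random.Random(1)
    out = []
    for i in range(200):
        out.append(KeystrokeSample("local_worker", rng.randint(15, 45)))
        out.append(KeystrokeSample("remote_driven", rng.randint(125, 170)))
        spike = 1000 if i % 40 == 0 else rng.randint(20, 50)  # occasional spikes
        out.append(KeystrokeSample("flaky_cellular", spike))
    return out
```

Running `flag_sessions(constructed_samples())` flags only `remote_driven`; the flaky connection's isolated 1000 ms spikes leave its window medians well under the threshold.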
duh! (Score:4, Insightful)
Re: (Score:2, Interesting)
While ignoring the fact that Amazon hired this person.
Re: (Score:2)
I hope this counts against Amazon's H1-B allotment.
Re:duh! (Score:4, Interesting)
Not to play the devil's advocate, but a key fact about security is that there is no 100% preventive security, nor will there ever be. Even if you could somehow manage it, it would be prohibitively expensive and would probably stop your core business processes. So something will always slip through the cracks and you need to be prepared for that. In fact, this second layer of controls - how reliably you can catch anomalies and how swiftly and efficiently you can react to them - is even more important than your preventive controls. It is also something that tells people whether you are a true security professional or not.
In this case, they had obviously recognized the risk that a foreign agent might get hired since they had implemented detective and corrective controls for it. The controls worked. That's really security risk management 101: identify risks, evaluate their likelihood and impact to determine risk level, then identify and implement controls to bring the risk to an acceptable level. Judging by this story, it seems to me they actually did a pretty decent job there.
So why not implement controls to prevent the hiring of foreign agents in the first place? Point 1, it could be too expensive, laborious and difficult. Your opponents are always finding new innovative ways to target the weak points and blind spots in your business processes. The recent AI tools are only making their job that much easier. But point 2 is the much more relevant one in the corporate world. No listed company I know of has given their CSO or CISO a carte blanche to do whatever they wish and dictate how the other CxOs should conduct their business. In the real world, every CSO and CISO needs to negotiate with the other CxOs, and their security concerns and initiatives regularly get overruled by the CEO in favor of the other party since most CEOs think business first, then leave it to the CSO to secure it. It's not an easy job, it's like "Well, we decided to build a paper ship. It was really the most cost-effective choice. Now it's your task to see to it that it will cross the Atlantic safely." (Been there, done that, although not literally of course.)
Oh, did I say no listed company I know of? Actually - I can think of one pretty well known listed company that has done exactly that, given their CSO a carte blanche to overrule any business decision. But just one company (and I'm not at liberty to name it).
Re: (Score:2)
My long-time corporate employer used 3 network security teams, cooperating but competing...
One of course examined external 'threats'. Their definition of 'threat'? Traffic. All incoming network traffic was a threat.
The next examined all internal 'threats'. Uh, they meant traffic, of course.
The third had several roles. First, they actively and continuously challenged both of the threat teams. A former team member regaled me with stories of copycatting a newly discovered vulnerability, hammering both teams as
elite it or slave worker (Score:3)
any guesses if this infiltrator was hired because he was the best of the best or cause he was willing to work for peanuts?
Re:elite it or slave worker (Score:5, Insightful)
Keep in mind that the average North Korean generates about $1,500 per year in economic activity adjusted for purchasing power. Even taking an absolutely insulting salary from Amazon would increase his earning potential more than 50x. Even if the government isn't directing him to engage in any kind of additional subterfuge, he's still making them a lot of money in a denomination that's accepted practically everywhere and can buy just about anything.
Re: (Score:2)
Only applicant that didn't have a problem with working the graveyard shift.
Re: (Score:2)
If being willing to work for peanuts is the main criterion, he is the best of the best.
Never would've found them otherwise (Score:3)
I suppose another interesting way tech workers could catch if their coworker is working for North Korea would be to do something crazy like talk to and get to know their coworkers as human beings. But that would never happen.
Re: (Score:3)
All he has to do is to adopt the BOFH attitude. Nobody would dare get on his bad side by asking inane questions.
Crazy (Score:4, Insightful)
So this guy got hired entirely remotely? Like, I get working from home. But you're gonna hire a sysadmin you've never met? You can't afford a plane ticket for the final interview?
Re: (Score:3)
That would be my question. Who is fronting for this guy when he's required to go into the office?
Re:Crazy (Score:5, Informative)
No one has skimmed the article. There was a US-based woman fronting for them.
Re: (Score:3, Informative)
No one has skimmed the article. There was a US-based woman fronting for them.
Read TFA? You must be new here. From TFA:
Amazon security experts took a closer look at the flagged ‘U.S. remote worker’ and determined that their remote laptop was being remotely controlled – causing the extra keystroke input lag. Schmidt emphasizes that good-quality security software was key to this investigation. It turns out that the DPRK had access to this Amazon laptop located in Arizona. A woman found to be facilitating this fraud on behalf of North Korean imposter workers was sentenced to several years in prison earlier this year.
Re: (Score:2)
I guess you can read "this fraud" as either "this specific fraud" or "this type of fraud". I took it as she helped set up the Arizona laptop prior to getting arrested.
Re: (Score:2)
So TFA stating "working as a sysadmin at Amazon U.S." is untrue. This was a remote worker working FOR Amazon, not AT Amazon. Okay, so two remote workers daisy-chained, one in AZ and one in NK.
Re: (Score:2)
Honestly this is a bit scary. I am sure the person who committed the fraud thought it was easy money and didn't think too deeply about it. I am worried about a more experienced actor making a partnership with the knowledge to make it work. It wouldn't be too hard to send keystroke batches to fix the input lag. It could be as simple as sending a batch of 50 or so characters, with one mistype where the mouse moves and fixes the mistype and goes back. During that second or so you could send another batch of
Re: (Score:1)
For decades companies have used plausible deniability to hire illegal workers it just makes the news because it's North Korea. Normally though we all just look the other way and pretend like nothing happened
Re: (Score:2)
I want to know what sort of background check Amazon runs against foreign nationals. Are they doing anything to validate job history or education claims? All that information is verifiable for citizens. This guy's story tells me they're not doing much of anything to verify the resume of foreign workers. This tells me that for
Re: (Score:2)
Don't worry. There are home-grown disgruntled employees that could cause a lot of damage on their way out. But really, I'm not too concerned about that. There are enough spies working at the cloud platforms that nobody can get any espionage done without showing their hand to a competing spy. The real problem is when they replace a load-bearing Perl script with "secure" and "high-performance" Rust code that nukes all data in one go.
lulzsec (Score:1)
Meaning, we are quite likely infiltrated seven ways til Sunday and just aren't recognizing it yet
When will they learn... (Score:2)
When will they learn that the American LPBs always win in the end?
More Than A Ton (Score:2)
Everyone knows Amazon is very metrics driven. They must be doing a fuckton of employee data mining to have these types of data points to look at.
How? (Score:5)
How does one measure keystroke latency on a network? Is there an off the shelf security system/firewall that does this?
How do they view me when I'm suffering poor cellular service and my key strokes are pushing towards 1,000 milliseconds and I'm wanting to smash my laptop?
Just hire them. (Score:2)
A freaking SYSADMIN from North Korea??? (Score:2)
Why are we even trying to secure stuff? With hiring processes this extremely broken we could just hand them everything directly.