CRA’s Forensic Services experts were engaged to investigate a remote IT employee, whose real identity became a matter of significant concern.
We conducted a combination of public records research, a review of our client’s hiring records and processes, remote collection and digital forensics analysis of the target’s computer, and document metadata analysis.
We concluded that the employee had used a stolen identity to get hired and was operating as an agent of North Korea, as part of a sophisticated scheme to evade US and UN sanctions and to further support its illicit weapons program.
Our work helped the company mitigate its exposure: using a risk-based approach, it successfully separated from the bogus employee and engaged with the FBI.
To better mitigate the risks revealed during our investigation, the company also retained us to:
- conduct enhanced due diligence on other similarly situated employees/contractors
- perform a code review to assess the risk that the remote IT employee had injected latent ransomware
- devise enhanced monitoring capabilities for key employees/contractors
- recommend ways to reduce the risk of inappropriate exfiltration of confidential information
- advise on methods to prevent remote access tools from being launched in ways that circumvent standard controls, such as the requirement for administrative privileges
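The last item above hinges on a simple observation: a remote access tool installed through the sanctioned, admin-gated path lands under Program Files, whereas a portable copy dropped into a user-writable folder runs without ever triggering that control. The detection below is an added example written for this page, not CRA's code or the client's tooling. It assumes a constructed pipe-delimited process-creation record (timestamp, user, image path, integrity level, parent process); the list of remote access binaries and the sample events are illustrative and would be tuned to the real environment and log source.

```python
"""Flag remote access tool launches that bypass the admin-install control."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Remote access tool executables to watch (illustrative set; extend per environment).
REMOTE_ACCESS_BINARIES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}

# Where an installer that required administrative privileges would place a tool.
SANCTIONED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

# Locations any unprivileged user can write to, i.e. where a portable copy
# can be dropped and run without an installer or an elevation prompt.
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|windows\\temp|users\\public)\\",
    re.IGNORECASE,
)

# Constructed sample process-creation events (hypothetical, not from the investigation).
SAMPLE_LOG = r"""
# timestamp | user | image | integrity | parent
2024-05-01T09:12:03Z | CORP\jdoe | C:\Program Files\TeamViewer\TeamViewer.exe | High | C:\Windows\explorer.exe
2024-05-01T09:14:27Z | CORP\jdoe | C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe | Medium | C:\Windows\explorer.exe
2024-05-01T09:15:40Z | CORP\jdoe | C:\Users\jdoe\Downloads\rustdesk.exe | Medium | C:\Users\jdoe\AppData\Local\Programs\Python\python.exe
2024-05-01T09:16:02Z | CORP\jdoe | C:\Windows\System32\notepad.exe | Medium | C:\Windows\explorer.exe
"""


@dataclass
class ProcessEvent:
    timestamp: str
    user: str
    image: str
    integrity: str
    parent: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one pipe-delimited record in the constructed format above."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    return ProcessEvent(*fields)


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a reason string if the launch sidesteps the admin-install control, else None."""
    name = ntpath.basename(event.image).lower()
    if name not in REMOTE_ACCESS_BINARIES:
        return None
    image = event.image.lower()
    if image.startswith(SANCTIONED_PREFIXES):
        return None  # installed through the admin-gated path; expected
    if USER_WRITABLE.match(image):
        return (f"{name} launched from user-writable path {event.image} "
                f"(integrity={event.integrity}, parent={event.parent})")
    return f"{name} launched from unexpected path {event.image}"


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over raw log lines, skipping blanks and '#' comments."""
    alerts = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        event = parse_event(line)
        reason = classify(event)
        if reason:
            alerts.append((event.timestamp, event.user, reason))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user}: {reason}")
```

Run against the sample, the sanctioned TeamViewer install and the unrelated notepad launch pass silently, while the AnyDesk copy in Temp and the RustDesk binary in Downloads (spawned by a scripting interpreter rather than the shell) are surfaced with their integrity level and parent, which is the context a reviewer needs to decide whether the launch was an approved exception or a control bypass.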
Collectively, these actions helped the company harden its environment and prepare to respond more effectively to future insider threats and cyber incidents.

