Inquiry uncovered remote IT worker's use of stolen identity, potentially tied to North Korea

Securities, data, cyber

CRA’s Forensic Services experts were engaged to investigate a remote IT employee whose true identity was questioned by management when a local police officer with the same name showed up at the corporate offices, alleging identity theft. We conducted a combination of public records research, a review of our client’s hiring records and processes, remote collection and digital forensics analysis of the target’s computer, and document metadata analysis. We concluded that the company’s remote IT employee had used a stolen identity to get hired and was potentially operating as an agent of the Democratic People’s Republic of Korea, as part of a sophisticated scheme to evade US and UN sanctions. Our work helped the company mitigate its exposure by using a risk-based approach to successfully separate from the bogus employee, engage with the FBI, and:

  • conduct enhanced due diligence on other similarly situated employees/contractors
  • perform a code review to mitigate risk of ransomware injections
  • strengthen ongoing monitoring capabilities of employees/contractors
  • bolster defenses against the inappropriate exfiltration of valuable information
  • reduce the risk of remote access tools being launched in ways that could circumvent the typical requirement for administrative privileges
  • prepare to better respond to ransomware and other cyber incident response situations

The engagement was co-led by Kris Swanson, Vice President and Forensic Services Practice Leader, with invaluable support from Patricia Pelaez, Principal, Pete Stavroplos, Kaya Overholtzer, Naciye Celebi, Zach Tingle, Ashley Adams, and Jessica Harvey.
