Navigating Remote Worker Deception

Today we’ll explore the legal landmines that organizations face when uncovering remote workers connected to adversarial states like the DPRK. We’ll unpack critical questions about liability, disclosure obligations, compliance pitfalls, and sanctions risks—helping legal teams prepare to navigate the regulatory maze following remote worker deception discoveries.

Theme. DPRK-linked remote worker deception isn’t a “normal” insider threat. It spans HR, security, and legal, creating cross-functional blind spots and sanctions exposure.

  1. Why it’s more complex than typical insider risk. Adversaries exploit siloed hiring/onboarding (different teams, fragmented checks), making identity obfuscation easier and detection harder, especially post-COVID with distributed work.
  2. Sanctions and export-control landmines. Employing DPRK operatives, even unknowingly, can violate OFAC and UN regimes; payments may constitute “material support,” and export-controlled data access can trigger separate penalties. Strict liability raises stakes.
  3. First moves when you suspect a fraudulent remote worker. Contain access, keep the inquiry under privilege, and push for live identity verification (e.g., on camera) while legal, HR, and security coordinate a unified fact pattern.
  4. The payments dilemma. Continuing to pay can cause a bank to violate sanctions; stopping prematurely risks employment contract claims. Voluntary self-disclosure and a sanctions program can mitigate penalties and reputational fallout.
  5. Screening and re-screening. Do robust sanctions screening of workers, vendors, and facilitators; don’t rely solely on third-party EORs, especially non-US. Adopt dynamic screening (daily/monthly/annual) based on your risk profile.
  6. Tabletops: Practice the cross-functional choreography. Make remote worker deception a primary scenario (not a side quest). Build muscle memory across legal, HR, and security, and stress real decision points under time pressure.
  7. Communications discipline matters. Assume in-band tools may be untrusted if the suspect sits in IT. Pre-plan an out-of-band channel, avoid personal accounts, and keep decisions in a defensible system of record.
  8. Regulatory trajectory. Expect OFAC to emphasize risk-based controls and screening programs; multi-agency involvement can prolong investigations even in the absence of willful misconduct. This threat pattern is likely to persist and spread.
  9. Bottom line. Treat DPRK remote worker deception as a recurring risk: verify identity continuously, coordinate across functions, harden comms, and align with sanctions compliance from day one.

Navroop Mitter:

[00.00.03.15–00.00.30.11]

Hello, this is Navroop Mitter, founder of ArmorText. I’m delighted to welcome you to this episode of The Lock & Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, armortext.com, and listen to them on your favorite streaming channels. Be sure to give us feedback.

Navroop:

[00.00.30.12–00.00.58.02]

Today kicks off a special three-part mini series inspired by our recent Chatham House Rule event, co-hosted with Clear and T-Mobile. Over the next few episodes, we’ll explore different angles of the growing risk posed by remote worker deception, especially involving fraudulent IT workers affiliated with the DPRK. We’re starting the series by examining the legal complexities these threats create, from regulatory risks to sanctions exposure, with insights from Matthew B. Welling and Caroline E. Brown of Crowell & Moring. 

[00.00.58.04–00.01.20.00]

The series will culminate in our public webinar, Fraud, Fakes, and Foreign Threats: Identity Verification of Secure Comms in the Age of DPRK Remote Worker Schemes. If you’re tuning in after the webinar, you’ll find the recording linked in the show notes. Matt and Caroline, thanks for joining us today.

Matt Welling:

[00.01.20.02–00.01.21.18]

Hi, Navroop. Happy to be here. Thanks for the invitation.

Caroline Brown:

[00.01.21.22–00.01.22.19]

Thanks for having us.

Navroop:

[00.01.22.22–00.01.51.06]

All right. Just a little bit about our guests. Matthew B. Welling is a partner at Crowell & Moring in Washington, DC. He has significant experience in cybersecurity, privacy, incident response, compliance, and regulatory matters. Matt has deep expertise in conducting tabletop exercises and advising clients across sectors on cybersecurity risk management. He also teaches at Johns Hopkins University and their Information Security Institute, and serves on Indiana University’s Cybersecurity Advisory Council, among plenty of other travels.

[00.01.51.08–00.02.16.01]

And Caroline E. Brown is also a partner at Crowell & Moring in Washington, D.C., with extensive experience advising on national security, AML, sanctions, compliance, and regulatory enforcement. Caroline previously served in national security roles at the DOJ, Treasury, and the White House, getting unique insights into sanctions enforcement, crisis communications, and regulatory frameworks impacting national security matters.

[00.02.16.05–00.02.44.12]

Matt and Caroline recently joined our panel at the Clear and ArmorText executive event, and we’re thrilled they’re here to share more today. So, a little bit more about what we’re going to be discussing. Today, we’ll explore the legal landmines that organizations face when uncovering remote workers that are connected to adversarial states like the DPRK. We’ll unpack critical questions about liability, disclosure obligations, compliance pitfalls, and sanctions risks. The objective is to help legal teams prepare to navigate the regulatory maze following remote worker deception discoveries.

[00.02.44.15–00.03.00.08]

And with that, let’s dive right in. Matt, Caroline, these insider threat cases involving DPRK-linked remote workers carry a lot of unique legal risks. From your perspective, why are these incidents more legally complex than your typical insider threat?

Matt Welling:

[00.03.00.12–00.03.23.16]

Hey, Navroop. No, that’s a great question—a great place to start. These matters tend to be a lot more complicated for organizations that are facing them because they cut across a lot of the functional processes that companies have established, as they’re thinking about cyber risk and risk mitigation, as well as interacting with their workforce. And what the actors are taking advantage of is exactly that.

[00.03.23.16–00.03.51.11]

And the fact that a lot of modern organizations, these different issues are being handled by different teams. So, for example, during the hiring process, somebody who was on the way into a company may be dealing with a different team or different set of individuals, as they’re doing their initial screening interviews, as they’re going through their identity verification—excuse me—the I-9 process and that sort of paperwork. 

[00.03.51.13–00.04.21.07]

A different team or section of a team, as they’re doing their onboarding. And in another, is they’re getting their laptops or otherwise getting situated—kind of the IT environment. And, because a lot of the places that we see these workers come in are relatively low levels, that the organizations they’re targeting tend to have volume in these workforces, so it’s not the same individuals who are going through all these different steps of the process from the company side. 

[00.04.21.09–00.04.48.19]

And may not even be in that same seat from the company perspective, from prospective employer to perspective employee, that they’re interviewing, processing and hiring—excuse me. And that’s sort of where the actors are taking advantage, because it is easier to obfuscate their identity if different people are looking at you at different points along the way.

[00.04.48.21–00.05.14.07]

And because these processes have really grown up for organizations, especially larger organizations, to deal with the volume of employees that they are interviewing and hiring, it is not as much of a cross-functional exercise as it may have been when they were earlier in their hiring and, in a sense, scaling. Because of that, their internal processes may kind of continue to work in these silos instead of cut across, and it’s that cutting across and connecting those dots that is really key to picking up and identifying these actors where they’ve gotten in. 

[00.05.14.07–00.05.41.03]

And then similarly, once they’ve been detected, figuring out exactly where the implications are for the company. And those are just challenges for a lot of companies to monitor, especially with remote workforces in the post-Covid environment.

[00.05.41.05–00.05.47.22]

There are also a number of regulatory layers involved. I’ll let Caroline jump in here to talk a little bit more about that.

Caroline:

[00.05.47.22–00.06.28.05]

Thanks, Matt. So, compounding this risk, companies also should be aware of the consequences of directly or indirectly providing money or aid to North Korea. So, from a sanctions perspective, employing North Korean IT workers, whether knowingly or unknowingly, violates both US and UN sanctions. So, engaging with these workers can trigger civil administrative enforcement by the US Department of the Treasury or criminal enforcement by DOJ for sanctions violations.

[00.06.28.07–00.07.12.10]

There is also the potential for export controls violations that could occur from allowing unauthorized access to ITAR or Export Administration Regulations-controlled data, which could also trigger a government investigation and potential penalties. So, any company, any individual that engaged in or supporting these workers, or this activity—again, either knowingly or unknowingly, as often the case may be—including processing related payments or other financial transactions, should certainly be aware of the potential legal consequences of engaging in that conduct.

[00.07.12.10–00.07.41.11]

And as Matt—as you were saying—sometimes the different structures within companies operate in silos. And so, one hand doesn’t necessarily know what the other hand is doing. And so, you’re thinking about potential disruption from employing these IT workers, but you also have to think about the consequences of what happens when these payments have been made, which ultimately may be going to individuals located in North Korea or to the government of North Korea itself.

Matt Welling:

[00.07.41.14–00.08.07.23]

Yeah, and I’ll jump in here. This is in addition to just the normal legal risk that you get with looking into any employee, right? There are labor employment laws. There may be union or other aspects of it. And some of that’s also going to vary by jurisdiction to jurisdiction, both where your company is located, where the individual is resident. And—don’t want to get out over our skis—neither one of us happens to be a labor and employment lawyer, but do want to flag that those are very real issues.

[00.08.07.23–00.08.29.22]

And part of the challenge here is how—at least when there is sort of an active issue, meaning that you have an employee currently employed, and it’s not sort of a historical issue where someone has come and gone—but in that active situation, the way that we often see these manifest is kind of one of two ends of the spectrum.

[00.08.30.00–00.08.56.02]

Either someone is presenting as just an underperforming employee, right? They’re doing just enough to kind of squeak by. That doesn’t, on its face, identify them as a North Korean or another fraudulent worker, right? It could be that they are just an underperforming employee. And with that, there are protections that companies may need to be mindful of, or at least companies should take care in investigating them, the same as they would any other underperforming employee, to protect that individual’s rights.

[00.08.56.03–00.09.16.22]

Because we have seen, in some cases, that someone who set off some internal alarms for further attention really was just someone who was underperforming in their job. Right? It wasn’t a fraudulent actor.

[00.09.16.22–00.09.45.05]

The one that’s even a little bit more challenging we’ve seen in a few recent cases is individuals presented themselves as needing a little additional attention because they were grossly overperforming. And that manifested in that, in doing their jobs, these individuals quickly brought attention on themselves because they were operating at a level of skill that was far in excess of the credentials they presented themselves with in interview.

[00.09.45.05–00.10.07.18]

So, if you can think about all the sensitivities that go into investigating an underperforming employee, those are only magnified to some extent more. And then looking into someone who is overperforming. Right? In that case, they were just—it was somebody with a technical skill set that was much more advanced than the junior position they were in, and there are lots of variations of this.

[00.10.07.19–00.10.27.00]

Each circumstance is a little bit different. But we do want to flag that companies who are grappling with this that that is something that you need to be aware of, and that your HR teams and others, with legal, need to be involved in because ultimately, at least on moment one, you’re investigating an employee.

[00.10.27.00–00.10.41.04]

It’s a very rare circumstance that we’ve seen where the immediate presentation is as a threat actor. More often, it shows up as an employee that, for whatever reason, has attracted some attention—at least once you get to the screening process.

Navroop:

[00.10.41.08–00.11.09.10]

Well, let’s take this case where you really do suspect it’s a remote worker operating under false pretenses, right? Whether it’s because they were overperforming, underperforming—yes, it could just be case of someone doing better or worse than you’d expected. But let’s say you’re at that point where you really do suspect that’s a remote worker linked, whether to the DPRK or a different nation-state—what immediate steps should the legal team take?

Matt Welling:

[00.11.09.12–00.11.37.10]

In addition to calling some reputable outside counsel, which we mention not to be self-serving, but in our experience, in talking to others in industry, it’s really helpful to be engaging with someone who has been through this before. Whether that’s us—we have peers at other firms who have been investigating these matters for a number of years now. 

[00.11.37.12–00.12.15.06]

The touch and feel of these, we’ve found to be very helpful. But in terms of the internal legal teams or in working with your outside counsel, there’s going to be a balancing that happens because, as you know more, that is going to guide your decisions. For example, most companies will take kind of immediate steps to contain the risk, whether that’s turning off access for that employee, whether it’s asking that employee to make themselves available for additional questions, etc. Those are all steps that we would expect companies are typically taking for any sort of potential insider risk.

[00.12.15.08–00.12.39.09]

But they’re especially important here. One of the interesting dynamics that we’ve encountered with these actors, in particular, is they often don’t act like the stereotypical kind of criminal actor or nation-state actor—that when they get discovered, they don’t sort of just burn it down and run away. Instead, we’ve seen the behavior—in many cases, they become very cooperative.

[00.12.39.14–00.13.05.00]

They really lean into creating an appearance of trying to be helpful, which can have a disarming effect on your internal team—at least in terms that, for those who haven’t been through it before, it can feel like maybe this isn’t a criminal, maybe this is just a bad employee. And that’s a strategy that’s being used by these actors, because what we should frame is one of the goals here for these actors, based on the DOJ and other public materials, is they’re collecting paychecks that ultimately go to the North Korean regime in that case.

[00.13.05.02–00.13.28.14]

So, in other actors who are starting to mimic these, it’s really to collect the paycheck. It’s that cooperation is a rational step to try to get to one more paycheck, or to get to some sort of severance package—whatever it may be.

[00.13.28.16–00.13.57.18]

But I do want to flag that, in many cases, we’ve seen them become very cooperative so that can disarm in what you want to do. And why it’s important, or at least why we’ve found to be very helpful to be working with others who have been through this before, is they can help carve through those behaviors. Some of the typical things that, just as a rule of thumb, we recommend—and we’ve seen others—is to try to get those employees on camera, to try to get those employees to interact in a more hands-on way.

[00.13.57.20–00.14.31.08]

Because, very often, these groups are resistant to that, especially at sort of impromptu moments. And that may give you a little bit more insight into whether this is a fraudulent actor. Right? If there are lots of excuses as to why they can’t get on camera, or why they’re logging in from a different place than where you’d expect—while not definitive—those are at least kind of factors that are going to keep the spidey senses going off that something here is amiss. But sort of bringing the combination of cross-functional teams here into play is going to be really crucial.

[00.14.31.09–00.15.01.17]

That’s going to be to have your legal team talking to your HR team, talking to kind of your IT and security teams, and all working together and sort of trading notes—ideally in a privileged investigation. But, in any case, to be trading information with each other and looking at this in a more fulsome way than as just an employment issue, or as just an information security issue, or just a privacy issue—to really get your arms around what’s going on.

[00.15.01.19–00.15.25.21]

The second piece of that, while that’s occurring and you’re just trying to stop the bleeding or contain the risk, is also to start looking back at what that employee was accessing in the course of their job. Were they doing other things, maybe outside of their job? Are you seeing data flow in an unexpected way—right—big chunks of data leaving the enterprise that weren’t expected?

[00.15.25.23–00.15.41.10]

Did they have access to sensitive systems? And really trying to understand kind of what the totality of the risk is starting to look like, while at the same time looking at the worker’s behavior—and does this lend itself that it might be one of these actors?

Navroop:

[00.15.41.12–00.16.10.13]

Now Matt, I actually want to double-click on something you started to mention, and that I know Caroline actually spent some time focusing on during our panel in New York. It’s about the paychecks and the severance packages, right? That financial motivation that these threat actors have to continue to engage. Caroline, from a sanctions and compliance perspective, if a company continues payments to a worker after suspecting a DPRK affiliation, what are the potential consequences? 

[00.16.10.13–00.16.16.18]

And on the flip side, what risk do companies face if they halt payments prematurely and they’re wrong?

Caroline:

[00.16.16.23–00.16.45.07]

Yeah, that’s a great question. And thanks for giving me the opportunity to respond to that. So just to take a step back, when we talk about sanctions, to level set. So North Korea—most of the audience probably knows—but North Korea is subject to a comprehensive embargo. And that means that no U.S. persons can have any dealings with the government of North Korea or to any persons that are located in North Korea.

[00.16.45.08–00.17.12.14]

And so the Treasury Department’s Office of Foreign Assets Control (OFAC) is the entity that administers the U.S. sanctions against North Korea. And as a sanctioned entity, North Korea is listed on the SDN list, or the Specially Designated Nationals and Blocked Persons List, and under that program, again, U.S. persons are prohibited from engaging in any activity on behalf of North Korea.

[00.17.12.14–00.17.40.11]

And that includes activities that would undermine cybersecurity or other malicious cyber-enabled activities. Would also include importing or exporting to North Korea any goods, services, or technology. This is especially important in the context of IT remote workers, because there’s oftentimes the transfer of information, and especially if that information is controlled under—or you might find yourself with other issues to contend with.

[00.17.40.16–00.18.08.11]

And then finally, also you’re selling or transferring, purchasing any sort of software, with a person located in North Korea or acting on behalf of the government of North Korea, or assisting or providing any sort of financial support in support of North Korea. And that’s that last prong, I think, that you were getting at as financial support, and that’s where payments to these remote workers come into consideration.

[00.18.08.13–00.18.36.21]

And there is certainly the potential for those payments themselves to represent violations of U.S. sanctions against North Korea. And so for companies that find themselves having employed these remote IT workers from North Korea or with a nexus to North Korea, you’ve got two areas of exposure to think about primarily, as separate and apart from any sort of export controls considerations.

[00.18.36.21–00.19.16.20]

But thinking just about economic sanctions and the payments, have you inadvertently caused a U.S. financial institution—and by that, it means bank. It can also mean digital assets company, for example. But have you caused a U.S. financial institution to violate sanctions? Right. And oftentimes, in your agreements, your contracts with your bank, there are sanctions representations and warranties that speak to this activity and essentially say you will not cause the bank to violate sanctions.

[00.19.16.20–00.19.56.03]

And so you could be on the hook for a causation argument—that you caused a bank to violate sanctions by processing that payment. The second area of exposure is material support. So the federal government put out guidance in 2022, specifically speaking to this prong, that OFAC has the authority to impose sanctions on any person that’s materially assisted or provided financial, material, or technological support for or in support of the government of North Korea or the Workers’ Party of Korea. Right. 

[00.19.56.04–00.20.20.22]

So, in addition to potentially causing a bank or a crypto company to violate sanctions, you also might have exposure for providing material support to a North Korean actor or someone acting on behalf of the government of North Korea, which can expose you to additional civil and perhaps even criminal liability for sanctions exposure.

[00.20.21.01–00.20.48.13]

The flip side of your question—you would ask the inverse—what if is a de-risking question, essentially. So what if you halt the payment but you’re wrong. Right. So that’s a risk that a lot of companies are often kind of weighing the pros and cons of. A lot of banks especially have to deal with de-risking as part of their sanctions and AML compliance programs on a daily basis.

[00.20.48.15–00.21.13.05]

And what if you’re overcorrecting, and that could also potentially open you up to other sorts of civil action by the person who is not receiving payment, for violation of those contracts, in turn. So, as often, we have to kind of try to thread a needle in terms of getting it right, or exposing yourself to liability, on the one hand or—and also the other.

Navroop:

[00.21.13.08–00.21.33.20]

Threading a needle, it is. And actually, that brings me to the—another question that I think started during our panel in New York. Right? And it’s that we’ve seen so many media reports highlighting the arrest of the U.S.-based facilitators. And so, Caroline, I’m wondering about what are the essential considerations for legal and compliance teams to keep in mind regarding such facilitators.

Caroline:

[00.21.33.23–00.22.05.23]

So this is where screening comes into play. Right? And so the best course of action to try to guard against a sanctions violation is to conduct robust screening. And by screening, I mean running the names of any third parties, any vendors, the potential employees themselves against sanctions screening lists. Now, this isn’t fail-proof, because, of course, these persons can use aliases, but it’s at least the first step.

[00.22.06.01–00.22.36.19]

And trying to have some sort of a compliant mechanism in place to guard against any inadvertent violation of sanctions. I should also mention that the sanctions regime administered by OFAC imposes a strict liability standard for any act of noncompliance, and that essentially means that a U.S. person could be held liable for violations, even without having knowledge or without having a reason to know it was engaging in a violation.

[00.22.36.19–00.23.05.08]

And so while it does have associated penalties with that, and we can talk about that later, but it does offer some mitigation for having in place a sanctions compliance program. And one of the pillars of that is a robust screening mechanism. I should also say, we see quite often that companies will rely, especially if you’re outsourcing this to an employer of record service, an agent of record service—they’ll rely on those companies, in turn, to conduct this screening.

[00.23.05.10–00.23.36.00]

And quite often, that is not the case, particularly if those companies are not U.S. companies and are not fully aware of how sanctions function and how they could also be on the hook for sanctions compliance, even though they’re not a U.S. company. So definitely something to—for the compliance shops to look into is, if they are outsourcing, does—what is that company’s sanction screening methodology? 

[00.23.36.02–00.23.40.10]

And also to consider having an in-house sanction screening program as well.

Navroop:

[00.23.40.14–00.24.02.08]

I mean, that’s actually an interesting point, right? So as an employer—and this is something that I’m quite concerned about—we could be handing off some of those processes to an outside third party or running all the right background checks ourselves and doing everything we think is necessary. But if we were to be duped, so to speak, it sounds like we could still be held responsible.

[00.24.02.08–00.24.15.22]

Are the regulators really issuing those penalties when the company has clearly tried to do everything they can and do it right, or is it just more of a theoretical “they could, if they wanted to”? What’s actually happening in practice?

Caroline:

[00.24.16.00–00.24.39.15]

They do. So there is—there’s a couple of things to consider. So when OFAC—and I’ll speak about OFAC first and leave DOJ to the side for the criminal enforcement piece—but when OFAC is considering whether or not to issue a penalty, it will take into account, and it will issue penalties and consideration for penalties against U.S. companies, even if they were not aware at the time that there was a potential sanctions violation or the scenario that could present one. 

[00.24.39.17–00.25.11.20]

But they will take into account certain mitigating factors. And so the very fact that you have, if you do choose to voluntarily self-disclose to OFAC, that’s an automatic 50% reduction off of any penalty, if there is a penalty. OFAC can do something short of an actual penalty—it can do a cautionary letter, which is essentially a warning letter.

[00.25.11.22–00.25.29.13]

Those can be both public and nonpublic. And so you need to also think through the reputational considerations, even if you’re not getting an actual monetary penalty. If you have a press release, is that something that you want to try to mitigate against? But there is credit, essentially, given for voluntarily going into OFAC.

[00.25.29.18–00.25.55.21]

There is credit given for having a sanctions compliance program. There are a lot of other factors that OFAC will consider if there is some sort of inadvertent violation of sanctions, which is not willful or knowingly. And if it’s the latter, that gets you into more criminal enforcement, where DOJ’s—could potentially make a referral to DOJ for criminal inquiry of the matter.

Navroop:

[00.25.55.23–00.26.14.01]

Actually, kind of brings up another question in my mind is, how often should companies be re-vetting all of their existing employees? Let’s say at the time when you hire them, and for the last—I don’t know—five, ten years that they’ve been with you, there have been zero issues. How often should companies be looking at re-vetting everyone now?

Caroline:

[00.26.14.17–00.26.49.01]

Yeah, that’s a fantastic question. And so we often refer to that as dynamic screening. And so you do—you might do screening at the time of onboarding, right? Or at the time of hiring, when you’re thinking about bringing someone on board, you screen that person or that company, that entity, against U.S. sanctions lists. And then, through the sanctions compliance program—which you, again, as Matt said earlier, highly recommend working with outside counsel to put this together—to try to map your program onto an internal risk assessment, right.

[00.26.49.05–00.27.20.20]

Right. And so you kind of determine the timeline, the time frame for re-vetting of those employees. Some companies do that on a daily basis through automated screening. Some companies do it on a monthly basis. Some do it on an annual basis. It really depends on the risk profile of the company. And the different—some of the other mitigating factors you might have in place through a compliance program. So it varies from company to company based on their risk profile, essentially.

Navroop:

[00.27.20.22–00.27.46.03]

That’s fascinating. And I could keep going down that rabbit hole, but I want to switch gears here for a second. Matt, based on your extensive experience facilitating tabletop exercises, how should companies adapt these exercises to realistically prepare executives and their legal teams for insider threats linked to remote worker deception? What are the changes you’re seeing to even in the scenarios that you were running, say, just a year ago, in light of everything that’s been happening?

Matt Welling:

[00.27.46.08–00.28.06.14]

Yeah, thanks, Navroop. I would say one of the biggest changes is these situations are becoming a focus of the tabletop exercises that we’re being involved in. A year, two years ago, there was the stray exercise where we brought it in as a side quest, if you will—something that came up just to get the idea a little bit more socialized, at least with our clients, based on what we were seeing. 

[00.28.06.19–00.28.28.07]

But as we’ve been dealing with more and more of these, and they are starting to become more public through the DOJ announcements and other publications, it’s definitely a bigger focus for executives, which is great, ’cause it is a very real threat. And it’s probably more pervasive, at least in—from our vantage point—that may be making it to public reports. 

[00.28.28.07–00.29.05.01]

And in terms of the preparedness, the most important thing isn’t unique to these actors, but they’re a very good reminder on the importance of cross-functional coordination when you’re dealing with potential cyber privacy incident. And that’s really the most important thing, is to practice working together across different functional areas and making sure that the appropriate people are at the table to be able to understand, evaluate, and then act on these type of fact patterns.

[00.29.05.03–00.29.28.15]

I said earlier, kind of in our session here today, a lot of companies—especially kind of through and post-Covid with remote workforces—have moved some of these capabilities into silos, whether those are internal silos, with your service providers, and the relevant information is being viewed kind of at points in time along that process instead of comprehensively throughout it.

[00.29.28.17–00.29.57.04]

There are certainly opportunities to kind of grow and mature, and looking at it proactively—but especially in a reactive posture of incident response, which is what tabletop exercises are more typically focused on—it’s incredibly important for those functions within companies to work and collaborate together. Ideally, that to careen based on a repeatable sort of programmatic process, with incident response plan or another plan or playbook.

[00.29.57.06–00.30.20.23]

But at the very least, we want to start building that muscle memory and familiarity among these different capabilities in that kind of safe, controlled exercise setting. So, God forbid that that company actually finds itself in one of these situations. It’s not the first time that these different dance partners are trying to learn the choreography of working with one another.

[00.30.21.00–00.30.44.10]

And that’s really the big focus here. The other value in the tabletop exercise is really through kind of experienced facilitators are using realistic fact patterns, is to drive home the realism of this for organizations, ’cause one of the things that we hear a lot in speaking with companies, with our clients or otherwise, is well, they wouldn’t be interested in me, right. I’m in industry X, right.

[00.30.44.12–00.31.16.20]

That’s not—I’m not—there’s no state secrets here, whatever. And just from experience, that’s not necessarily what these actors are looking for, right, is we’ve hit on a couple times. They’re looking for paychecks, and they’re looking for kind of large remote workforces, at least based on all the public interiors that seems to be they’re targeting. And while a lot of that has historically been, it seems, in kind of large technical, technically oriented companies, we do know from experience that that’s not an exclusive measure by any means.

[00.31.16.22–00.31.43.04]

And have heard, kind of from our travels, that there are some pivots going on to other industries that also have larger remote workforces. So, it’s driving home that this can happen to you. And then, to build that muscle memory and trust for the different capabilities working together when you’re in a safe space, with some facilitation and opportunities to sort of get it wrong.

[00.31.43.06–00.31.59.14]

I’ll highlight, in every successful exercise, there’s some things that are going to go wrong, and that’s what you’re learning from. And then, to turn—to take those lessons learned and work them into the processes, and just have the company, all in all, be better prepared coming out of that exercise with all these issues.

Navroop:

[00.31.59.18–00.32.30.22]

It’s interesting, given that so many of these folks are embedded within the IT teams. I imagine one of the challenges that people run into is how and where they communicate about their suspicions becomes even more important, because if someone is a part of the IT team, and through that has access to—I don’t know—the back end of your email systems or whatever your workforce collaboration systems are, that those become all the wrong place to be discussing your suspicions and/or what you’re doing about them. 

[00.32.31.00–00.32.34.10]

Matt, is that something you guys have started to simulate in any of these tabletops?

Matt Welling:

[00.32.34.10–00.32.55.15]

Yeah, Navroop. It’s certainly one of the questions that we’re asking is where would you be communicating about these? How would you be communicating? And given the North Korean nexus here, there’s a ready example to point to you, which is kind of the very public Sony Pictures breach, where internal communications were leaked outward, right, where actors were going after the communications.

[00.32.55.17–00.33.26.12]

That’s certainly not unique to the North Korean nexus actors. We still have a lot of criminal actors. And for companies that are thinking about how to deal with these issues, a big part of it is how are you going to communicate about it internally? Generally, just for internal controls about audience appropriateness, as we’ve mentioned, right, there’s some labor employment issues here, and being thoughtful about that in case you need to substantiate those communications later.

[00.33.26.14–00.33.50.04]

So, whatever your systems of record are, and then in a situation where, for one reason or another, your systems become untrusted in this fact pattern, it could be that the employee that you’re looking at is somebody with administration access or whatever to one or more of your communication systems—to your messaging client, to your company email, whatever it may be—to have that out-of-band communications option thought through in advance.

[00.33.50.04–00.34.16.18]

One of the places where it could become challenging is if the company has not worked through that in advance. There’s sort of a natural inclination to go to individual devices, individual accounts, whether those are email, messaging clients, what have you, and that can cause some real headaches on the back end. 

[00.34.16.20–00.34.41.15]

With—if you do get into a litigation posture—the enforcement matter, with substantiating that, where communications about your investigation are intermingled with people sharing vacation photos or planning a golf outing or whatever may be. And you can think of all the other things that people have intermingled in their personal communications, as well as just making sure you have fulsome documentation.

[00.34.41.17–00.35.11.00]

For an instance where, for example, it’s not a threat actor. It’s just an employee, and that employee raises some labor employment claims. You want to be able to substantiate that all of your decision-making was happening in a reasoned way—that there were appropriate inclusion, not inappropriate inclusion into that information then, etc. So, I think the big lesson learned is to be thoughtful about those channels of communication ahead of time. 

[00.35.11.02–00.35.35.07]

To have your systems of record be thought through and planned, and to have that be planned through several different types of eventuality, right, where you can trust your system. And then you’re thinking about, can I have control of an audience, document retention, whatnot, and then also in circumstances where you, for one reason or another, can’t trust your typical kind of day-to-day company systems. 

[00.35.35.09–00.36.02.16]

Where you’d be pivoting instead—standing up another platform—and said you have another platform and come and post it outside of your network. And from there—but really the complicating part is where you’re trying to build the track in front of the train at a moment of crisis. And that could be a major stressor for responders and cause some fragmented communications during those times, which is just adding levels of complexity, but it could be avoided with a little bit of advance planning.

Navroop:

[00.36.02.20–00.36.21.07]

Couldn’t agree more. It’s a big reason why we worked with you in the past to publish tabletop exercises that include injects around when and how to move to secure out-of-band communications. Jumping ahead over here, though, to—and I’m going to ask you both to put on your oracle hats over here—your ability to see into the future.

[00.36.21.07–00.36.40.20]

Right. As legal experts at the intersection of cybersecurity, compliance, and sanctions law, how do you see regulatory expectations evolving due to increase in cases involving remote work deception, particularly those linked to DPRK? But as you’ve said, it could be a number of other nation-state actors. How do you see this evolution taking place?

Caroline:

[00.36.41.01–00.37.07.08]

I’ll go ahead and take a first crack at that. So, when it comes to North Korea in particular, OFAC has a long history of imposing sanctions—at times, severe sanctions—on those who aid North Korea. And so, the enforcement risk is already there. And I think that’s only likely to become even more of a focus of OFAC.

[00.37.07.08–00.37.44.13]

And so, companies might want to take that into consideration when evaluating how to implement risk-based controls to address sanctions risks. I think, from a sanctions perspective, the expectation is increasingly there that, for U.S. companies—all of whom are beholden to U.S. sanctions regulations—that they should consider putting in place a sanctions compliance program, particularly if they have workers who might not be from the U.S. They might have operations across borders.

[00.37.44.15–00.38.24.02]

And as part of that, having that sanctions screening in place, it seems to be a necessary step at this point that OFAC is really expecting companies to have in place. And again, as I mentioned before, it serves as a mitigating factor. But we see, if there were to be any sort of penalty exacted by OFAC. But we see time and time again, in the publications and announcements coming out of OFAC, that there is an expectation—it’s not required by regulation—but there is an expectation that companies will have that screening in place and will have a sanctions compliance program. 

[00.38.24.02–00.38.39.16]

So, I think that is going to be the exception—that companies don’t have that in place. And OFAC will continue to showcase, to reward the companies that do, and to consider that in accepting a penalty, if they don’t.

Matt Welling:

[00.38.39.20–00.39.07.17]

Yeah. I think, to tag on to that, one of the concerns I’ve been hearing from companies who are thinking about this already is that that risk also offers a ready hook for the government to bring into investigations, especially where there’s been some notification obligation to a federal government in particular, or DOJ may get involved, if not seeing those cases today.

[00.39.07.19–00.39.41.19]

But that is something that companies are thinking about—that as there are investigations that are involving DOJ or multiple agencies, to have that hook that is harder to move away from can keep companies involved in those investigations longer than they otherwise might. Not necessarily that they were—there was any kind of active wrongdoing or knowing wrongdoing. But as law enforcement is moving forward in their mandate to catch the bad guys, if you will, it can keep companies on the hook to keep cooperating. 

[00.39.41.21–00.40.15.01]

Where, at least from kind of an internal-looking basis, they may prefer to have their resources kind of dedicated somewhere else—right—to addressing the risk internally or supporting other operations and investigations or what have you. But it’s a way to keep them involved. And I don’t think any company likes being involved in a government investigation for any longer than they have to. No knock whatsoever to our friends and colleagues on the law enforcement DOJ side of the aisle.

[00.40.15.01–00.40.42.19]

But any company, especially a public company that finds themselves in that posture, is looking for a way to exit because it brings other risk—even if there’s no knowing or, in the end, any wrongdoing—right? Because of notifications and disclosures and other things that come with it. The broader issue that I think I just want to highlight is we’ve been involved in these investigations for a number of years now.

[00.40.42.20–00.41.07.21]

I think some of the earlier evidence of them goes back to 2018 or so, but especially kind of during and post-Covid, these have really exploded in number—at least from our visibility. But there doesn’t seem to be any sign that they’re going away, so I think, looking over the horizon, I think this is just a fact pattern that companies need to be prepared to deal with—and to probably be dealing with on a repeated basis from some of the briefings we’ve sat in. They’re all public.

[00.41.07.21–00.41.32.03]

But there’s some indication that other actors are starting to adopt these practices, not just on a nation-state level, but also kind of your criminal, financially motivated level. And remote worker scams are not a new thing kind of at large. But there seems to be a lot of honing of the tradecraft, if you will, from these groups, and others are taking notice.

[00.41.32.03–00.41.54.03]

So whether that’s from North Korea, whether it’s from other hostile regimes to U.S., other Western interests, or just from criminals who are seeing something that works and trying to mimic it, it just seems like this is going to be a set of issues that—at least broadly—companies are going to be dealing with for—at the very least—the immediate future and all.

[00.41.54.05–00.42.16.22]

Or do they start getting better at picking it up? We’re also seeing threat actors are very good at pivoting and changing and evolving their tactics. And I think one of the big things, as we’re talking to companies, that keeps coming up is the reminder they have dramatically less risk here, especially from the remote access end of things involved. Government and law enforcement are picking up cooperators. 

[00.42.16.22–00.42.40.01]

Ultimately, the actors themselves are in some remote location and are doing this at scale, so that’s a really difficult thing for companies and for the government to disrupt. So while a more perfect formula gets worked out, I think companies should just expect that, in some way, shape, or form, this is going to be something they’re dealing with for at least the near future.

Navroop:

[00.42.40.05–00.42.56.15]

All right. I could spend all day talking to both of you. But I know we’re almost running over time here, so I’m going to jump us ahead to one of the fun questions that we often like to end our shows with. But given that we’ve got two lawyers on here, I’m going to set the stage a little bit differently than we normally do.

[00.42.56.15–00.43.35.08]

So, Matt, Caroline, setting the scene here. You’ve just navigated a legal crisis worthy of a dramatic episode of Suits LA, and you’ve uncovered a DPRK-linked remote worker who somehow infiltrated your firm’s softball team, almost costing you the big championship against your longtime rivals, led by none other than Ted Black and Harvey Specter themselves. Despite Matt’s humor, skepticism, and my Suits obsession—and we really do love that show here—and his insistence that no lawyer would realistically spend that much time at bat, you’ve salvaged the game and your reputation. So, in your moment of victory, what are you celebrating with? What’s the libation of choice?

Matt Welling:

[00.43.35.10–00.43.50.11]

I’ll go first. And just to reiterate my skepticism on your obsession with all things Suits, nonetheless, I’ll probably stick to my roots. As a kid from the Midwest, I’m probably drinking a little bit of bourbon with a few rocks in there.

Caroline:

[00.43.50.16–00.43.55.07]

Yeah, I’m always going to go to my tried and true, which is an Old Fashioned Bulleit Rye.

Navroop:

[00.43.55.12–00.44.26.22]

I like it. Bourbon on the rocks and an Old Fashioned Bulleit Rye. Two drinks I would definitely join both of you with. So, with that said, thanks again, Matt and Caroline, for your valuable insights. And to our listeners, thanks for joining us on this episode of The Lock & Key Lounge. Remember, preparation isn’t just prudent. It’s essential armor when the inside of your battling was never supposed to be inside at all. And until next time, secure your communications and safeguard your softball championships.

Matt Calligan:

[00.44.27.00–00.44.59.13]

We really hope you enjoyed this episode of The Lock & Key Lounge. 

If you’re a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we’d love to hear from you. Please email us at lounge@armortext.com or our website, armortext.com/podcast. I’m Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you’ll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.