Cybersecurity threat modeling

Insider Threats Are Evolving: Is Your Threat Model?

Hero image for Insider Threats Are Evolving: Is Your Threat Model?

Insider Threats Are Evolving: Is Your Threat Model?

TLDR

  • State-sponsored DPRK IT workers represent an evolved insider threat, infiltrating organisations globally through fraudulent hiring
  • Operatives use sophisticated tactics: stolen or AI-enhanced identities, facilitator networks, laptop farms, VPNs, and exploit remote work environments to operate unseen, bypass location-based controls, and avoid in-person scrutiny
  • Traditional insider threat models focusing on disgruntled or careless employees are insufficient for this externally placed threat
  • Defences require a paradigm shift: rigorous pre-hire vetting, robust post-hire technical monitoring (Zero Trust, EDR/UEBA), and adapted insider risk programmes/threat models
  • Impact includes severe financial loss, IP theft, reputational damage, and critical legal/compliance risks (sanctions violations)

The Evolving Insider Threat

Threat actors go where defences are weakest. As companies strengthen technical controls, attackers continue to target the human layer. One of the most effective ways to stay ahead is by continuously updating your threat model to reflect how these tactics evolve.

In this post, we explore how insider threats are evolving and how our defences must adapt to meet them. Before we dive into the specifics, let’s first revisit the fundamentals of insider threats and some of the associated risks:

Understanding Insiders and Insider Threats

What is an insider threat? Let’s start with a definition from the Insider Threat TTP Knowledge Base from MITRE Engenuity:

An insider threat is defined as the person that will use their authorized access, wittingly or unwittingly, to do harm to the department’s mission, resources, personnel, facilities, information, equipment, networks, or systems. — Insider Threat TTP Knowledge Base

An insider is anyone who has, or previously had, authorised access to or knowledge of an organisation’s assets. This includes people, physical locations, sensitive information, systems, and networks. It covers not just current or former employees, but also trusted contractors, vendors, and partners with physical or logical access.

Some insiders may have deep knowledge of proprietary systems, internal operations, or strategic plans—making their access especially sensitive.

Understanding these fundamentals is key. Now, let’s examine how sophisticated state-sponsored campaigns, like the large-scale deployment of IT workers by the DPRK, are forcing a significant rethink of Insider risk and challenging traditional defence postures often focused on disgruntled or unwitting employees.

Proxy Insider Threats

State-sponsored campaigns like the DPRK’s IT worker deployment stretch the traditional definition of an insider. These individuals are not insiders who go rogue over time. They arrive with hostile intent, fully embedded from the start.

They are not typical insiders or straightforward external attackers. They sit somewhere in between. Think of them as proxy insiders or insider agents. Placed intentionally by a foreign government, they use access gained through fraud to act as internal operators for external objectives. With the help of facilitators and offsite infrastructure, they blend into legitimate teams while quietly enabling data theft, espionage, or sabotage.

This hybrid model forces a shift in how organisations view insider risk. It is no longer just about monitoring trusted employees. The threat now begins at the hiring stage and continues throughout the full lifecycle of access and activity.

The Evolving Threat: DPRK IT Workers

The core difference is intent and origin. Traditional insider threats arise from legitimate hires who later pose a risk. DPRK IT workers are externally placed insiders – state agents using fraud to gain employment from day one. Their loyalty lies with the DPRK regime, not their employer.

This demands a shift in our defensive mindset and our threat models. We must scrutinise the entry point – the hiring process – as rigorously as we monitor existing employee behaviour, recognising it as a primary attack vector for this threat actor profile.
Insider Threat Monitoring Concept

Motivations: Revenue and Espionage

Understanding the threat model starts with understanding the motivation. DPRK IT workers operate with two primary objectives: earning foreign currency and enabling espionage.

These goals shape how they behave, what they target, and how persistent they can be. With this context, we can better anticipate the risks they bring and build models that reflect both financial and intelligence-driven threats.

The DPRK’s objectives are clear and intertwined:

  • Illicit Revenue Generation: Facing heavy international sanctions, the regime uses these workers to earn vast sums of foreign currency (potentially hundreds of millions annually). This directly funds priorities like its prohibited WMD programme. Individual operatives can command high salaries, much of which is repatriated to the DPRK.

  • Espionage and Cyber Operations: Once inside, these operatives leverage their privileged access for spying, particularly targeting defence, aerospace, nuclear, and tech sectors. They steal intellectual property, sensitive data, and can act as facilitators for other DPRK hacking units (like Lazarus or Andariel), planting backdoors, deploying malware (including ransomware), or enabling larger intrusions to further their objectives.

This dual motive blurs the lines between cybercrime and statecraft, complicating defences and requiring threat models that account for both financial and espionage drivers originating from the same actor.

While these motivations remain consistent, the methods employed to achieve them continue to evolve, reflecting the regime’s adaptability in pursuing its objectives.

Tactics of Deception

DPRK operatives employ sophisticated TTPs to bypass security controls, which threat models must account for:

Insider Threat TTPs

  • Identity Fraud: Using stolen real identities, high-quality forgeries, or synthetic IDs, often enhanced with AI-generated/manipulated photos and potentially deepfakes for video interviews. Resumes are fabricated, often citing unverifiable foreign credentials.

  • Hiring Process Exploitation: Abusing remote work norms, using legitimate job platforms (LinkedIn, Upwork etc.) under false personas, avoiding video calls, and relying heavily on facilitator networks in target countries (like the US and UK).

  • Infrastructure Abuse: Facilitators manage “laptop farms” (hosting company-issued laptops), install unauthorised remote access software (RAS) like AnyDesk or TeamViewer, launder payments, and use VPNs (Astrill VPN frequently cited), proxies, and IP-KVM devices (like TinyPilot) to mask the operative’s true location (often China or Russia).

  • Post-Hire Malice: Stealing source code, proprietary data, trade secrets; conducting espionage; enabling further cyberattacks; and increasingly, data extortion – threatening to leak stolen data if discovered or fired.

Real-World Impact & Case Studies

This isn’t theoretical. High-profile incidents and government actions reveal the scale and effectiveness, underscoring the gaps in existing defences:

SentinelOne

Cybersecurity firms themselves are prime targets. SentinelOne recently detailed their experiences defending against DPRK IT workers.

In a report released this week, they revealed tracking approximately 360 fake personas and over 1,000 job applications linked to DPRK operations attempting to infiltrate their organisation, including roles on intelligence teams.

SentinelOne noted this infiltration vector significantly outpaces other insider threats they monitor and highlighted the adversaries’ increasing sophistication in fabricating identities and adapting tactics. Their experience stressed the value of cross-functional collaboration, particularly embedding threat awareness within recruitment teams to identify suspicious applications early.

KnowBe4 Infiltration

The security awareness company hired a DPRK operative using a stolen US identity enhanced with AI. The operative passed extensive checks but was detected within minutes of activating the company laptop due to anomalous activity caught by EDR.

Rapid response prevented data loss, but highlighted how even security-savvy firms can be initially deceived by TTPs likely outside their standard threat model.

DOJ Indictments:

US Justice Department actions revealed schemes involving hundreds of US companies (including Fortune 500 firms), facilitated by domestic enablers managing dozens of stolen identities and laundering millions ($6.8M by one US facilitator, $88M by one group). This suggests the known cases are just the “tip of the iceberg.”

Global Reach & UK Exposure

Warnings from the US (FBI, CISA, Treasury), UK (NCSC), and Republic of Korea (NIS) confirm targeting across North America, Europe, and East Asia. UK firms have been explicitly warned they are targeted.

It is almost certain that UK firms are currently being targeted
by Democratic People’s Republic of Korea (DPRK)
Information Technology (IT) workers disguised as
freelance third-country IT staff to generate revenue for
the DPRK regime.

— Advisory on North Korean IT Workers, HM Treasury’s Office of Financial Sanctions Implementation (OFSI)

Strengthening Defences: Updating the Model and Controls

Modern insider risk begins before day one and continues with every system interaction. No single defence will hold up because attackers adapt faster than any control. We can’t cover every scenario, but this two-tiered approach offers ideas for securing recruitment and strengthening operational defences:

Secure the hiring lifecycle

  • Identity proofing

    • Live video interview with biometric match
    • Advanced document forensics
    • Red flags: refusal of video call; audio lag that doesn’t match lip movement

  • Document and credential checks

    • Cross-verify passports, visas, education, tax and employment records with independent sources
    • Red flags: universities or employers that won’t confirm records

  • Third-party recruiter audit

    • Require written vetting procedures, sample background reports and right to re-screen
    • Red flags: recruiter won’t share proof of checks

  • Continuous HR training

    • Regular refreshers on DPRK tactics, payment-laundering patterns and crypto-wage requests
    • Red flags: candidate demands salary in cryptocurrency or to personal accounts

Enforce zero-trust operations

  • Least-privilege access: start all new hires with minimal rights; grant more only as needed
  • Multi-factor authentication and PAM: enforce MFA everywhere; auto-rotate privileged credentials
  • Advanced monitoring
    • EDR tuned to DPRK tactics (off-hour data pulls, credential sharing)
    • UEBA to detect unusual behaviour
    • Network analysis for sanctioned IPs and spikes in outbound traffic
  • Remote-access control: block or tightly gate tools like AnyDesk, TeamViewer, TinyPilot; log every session
  • Asset geolocation: alert when a “UK-only” device appears in China or Russia
  • Data Loss Prevention: inspect outbound email, cloud uploads and source-code repositories

Bottom line:

Vet people as rigorously as you harden endpoints. Combine strong pre-hire checks with least-privilege access (Zero Trust), behavioural monitoring, and continuous validation to shut down the paths state-sponsored insiders rely on.

Adapting Your Insider Threat Programme

Traditional Insider Threat Programmes (InTPs), often focused on employees turning bad, are insufficient for actors who are bad from the start, representing a significant evolution in Insider risk.

Adapting these programmes means integrating threat detection deeply into the hiring process itself, working closely with HR as per the SentinelOne use case. Programmes must actively consume and utilise external threat intelligence on nation-state TTPs to inform both vetting and monitoring.

Prioritising behavioural analytics to spot anomalies early, especially those linked to known DPRK methods, becomes critical. Furthermore, fostering strong cross-departmental collaboration between Security, IT, HR, Legal, and Finance ensures a unified and informed response to this evolving insider risk.

Insider Threat Priorities

Key Takeaways

The DPRK IT worker threat fundamentally changes the insider risk landscape and necessitates an urgent update to organisational threat models and how they address Insider risk. These are state-sponsored agents, not merely disgruntled or careless employees, using sophisticated deception to gain entry. Defending against them requires acknowledging the hiring process itself as a critical vulnerability exploited by this specific actor.

Organisations must upgrade their threat model. They need hyper-vigilant, intelligence-led vetting plus continuous, post-hire monitoring under Zero Trust. Behavioural analytics should be tuned to these TTPs. Failing to adapt your model and defences risks serious financial, operational and legal fallout. The threat has already evolved, so your defences must too.

The views expressed are the author’s own. This article provides general security guidance and is not legal or compliance advice.

← Back to Blog Contact Us →