North Korean infiltrator caught working in Amazon IT department thanks to lag — 110ms keystroke input raises red flags over true location

News
By published

A barely perceptible keystroke delay was the smoking gun that led to the uncovering of a malign imposter.

North Korean enter key
(Image credit: Getty / michaklootwijk)

A North Korean imposter was uncovered, working as a sysadmin at Amazon U.S., after their keystroke input lag raised suspicions with security specialists at the online retail giant. Normally, a U.S.-based remote worker’s computer would send keystroke data within tens of milliseconds. This suspicious individual’s keyboard lag was “more than 110 milliseconds,” reports Bloomberg.

Amazon is commendably proactive in its pursuit of impostors, according to the source report. The news site talked with Amazon’s Chief Security Officer, Stephen Schmidt, about this fascinating new case of North Koreans trying to infiltrate U.S. organizations to raise hard currency for the Democratic People’s Republic of Korea (DPRK), and sometimes indulge in espionage and/or sabotage.

You have to look for them, to find them

However, Amazon’s success can be almost entirely credited to the fact that it is actively looking for DPRK impostors, warns its Chief Security Officer. “If we hadn’t been looking for the DPRK workers,” Schmidt said, “we would not have found them.”

With this company policy explained, a blip on the Amazon security radar was caused earlier this year when a new sysadmin’s Amazon laptop monitor alerted security personnel about unusual behavior.

Amazon security experts took a closer look at the flagged ‘U.S. remote worker’ and determined that their remote laptop was being remotely controlled – causing the extra keystroke input lag. Schmidt emphasizes that good-quality security software was key to this investigation.

It turns out that the DPRK had access to this Amazon laptop located in Arizona. A woman found to be facilitating this fraud on behalf of North Korean imposter workers was sentenced to several years in prison earlier this year.

As well as red flag computer network symptoms, the fumbling use of American idioms and English-language articles continues to be a giveaway when conversing with such impostors.

Tip of the iceberg

The problem of North Koreans infiltrating U.S. corporations for profit, mischief, and more is undoubtedly a serious one. We’ve covered sizable FBI seizures of equipment recently, perhaps showing just the tip of the iceberg. More successful infiltrations by the DPRK, as well as hostile nations like Iran, Russia, and China, are likely to be ongoing.

Google Preferred Source

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.

Mark Tyson
Mark Tyson
News Editor

Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.

2 Comments Comment from the forums
  • llehcida
    I'd like to hire the NK IT department for where I work: he is jumping through at least two vpns, spoofing ip, maybe a tor system, and a trans-pacific cable. His latency is half what I have to deal with on a day to day basis and everything I connect to is in the same building or half a mile away.
    I'm literally jealous of his NK technology.
    And yes, I made an account for the first time because I'm waiting on my systems and I'm impressed with his.
    Reply
  • gggplaya
    Unfortunately, this will just be a lesson for them on how to thwart Amazon again. Amazon should have never released information on how they were caught.

    Now, they'll still remote into the laptop, but then also use something like a raspberry pi has an HID (keyboard and mouse) and remote into the raspberry pi attached to the laptop.
    Reply