North Korean infiltrator caught working in Amazon IT department thanks to lag — 110ms keystroke input raises red flags over true location

News
By published

A barely perceptible keystroke delay was the smoking gun that led to the uncovering of a malign imposter.

North Korean enter key
(Image credit: Getty / michaklootwijk)

A North Korean imposter was uncovered, working as a sysadmin at Amazon U.S., after their keystroke input lag raised suspicions with security specialists at the online retail giant. Normally, a U.S.-based remote worker’s computer would send keystroke data within tens of milliseconds. This suspicious individual’s keyboard lag was “more than 110 milliseconds,” reports Bloomberg.

Amazon is commendably proactive in its pursuit of impostors, according to the source report. The news site talked with Amazon’s Chief Security Officer, Stephen Schmidt, about this fascinating new case of North Koreans trying to infiltrate U.S. organizations to raise hard currency for the Democratic People’s Republic of Korea (DPRK), and sometimes indulge in espionage and/or sabotage.

You have to look for them to find them

Amazon’s success can be almost entirely credited to the fact that it is actively looking for DPRK impostors, warns its Chief Security Officer. “If we hadn’t been looking for the DPRK workers,” Schmidt said, “we would not have found them.”

With this company policy explained, a blip on the Amazon security radar was caused earlier this year when a new sysadmin’s Amazon laptop monitor alerted security personnel about unusual behavior.

If we hadn’t been looking for the DPRK workers, we wouldn't have found them.

Amazon Chief Security Officer Stephen Schmidt

Amazon security experts took a closer look at the flagged ‘U.S. remote worker’ and determined that their remote laptop was being remotely controlled – causing the extra keystroke input lag. Schmidt emphasizes that good-quality security software was key to this investigation.

It turns out that the DPRK had access to this Amazon laptop located in Arizona. A woman found to be facilitating this fraud on behalf of North Korean imposter workers was sentenced to several years in prison earlier this year.

As well as red flag computer network symptoms, the fumbling use of American idioms and English-language articles continues to be a giveaway when conversing with such impostors.

Tip of the iceberg

The problem of North Koreans infiltrating U.S. corporations for profit, mischief, and more is undoubtedly a serious one. We’ve covered sizable FBI seizures of equipment recently, perhaps showing just the tip of the iceberg. More successful infiltrations by the DPRK, as well as hostile nations like Iran, Russia, and China, are likely to be ongoing.

Google Preferred Source

Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.

Mark Tyson
Mark Tyson
News Editor

Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.

12 Comments Comment from the forums
  • llehcida
    I'd like to hire the NK IT department for where I work: he is jumping through at least two vpns, spoofing ip, maybe a tor system, and a trans-pacific cable. His latency is half what I have to deal with on a day to day basis and everything I connect to is in the same building or half a mile away.
    I'm literally jealous of his NK technology.
    And yes, I made an account for the first time because I'm waiting on my systems and I'm impressed with his.
    Reply
  • gggplaya
    Unfortunately, this will just be a lesson for them on how to thwart Amazon again. Amazon should have never released information on how they were caught.

    Now, they'll still remote into the laptop, but then also use something like a raspberry pi has an HID (keyboard and mouse) and remote into the raspberry pi attached to the laptop.
    Reply
  • coolitic
    gggplaya said:
    Unfortunately, this will just be a lesson for them on how to thwart Amazon again. Amazon should have never released information on how they were caught.

    Now, they'll still remote into the laptop, but then also use something like a raspberry pi has an HID (keyboard and mouse) and remote into the raspberry pi attached to the laptop.
    In all likelihood, it probably was no longer a secret. And also tbf, it required Amazon work laptops, and the woman who was selling them out to NKs was arrested years ago, so the NKs probably caught on at that point.
    Reply
  • coolitic
    llehcida said:
    I'd like to hire the NK IT department for where I work: he is jumping through at least two vpns, spoofing ip, maybe a tor system, and a trans-pacific cable. His latency is half what I have to deal with on a day to day basis and everything I connect to is in the same building or half a mile away.
    I'm literally jealous of his NK technology.
    And yes, I made an account for the first time because I'm waiting on my systems and I'm impressed with his.
    All of those "technologies" mentioned are invented in the West.

    What you might be referring to is, at best, their ingenuity and persistence in utilizing them.
    Reply
  • llehcida
    coolitic said:
    All of those "technologies" mentioned are invented in the West.

    What you might be referring to is, at best, their ingenuity and persistence in utilizing them.
    Yes, I'm mocking the poor implementation of what I'm using here in the US.
    Reply
  • JamesJones44
    I wonder if NK paid to fly him over for the interview and got a Visa? It's rare Amazon does IT interviews remote, but I suppose it's possible.
    Reply
  • GenericUser
    JamesJones44 said:
    I wonder if NK paid to fly him over for the interview and got a Visa? It's rare Amazon does IT interviews remote, but I suppose it's possible.
    I have no idea how the situation here developed, but from what I understand for this kind of thing for similar situations, what will sometimes happen is Person A shows up as the candidate and goes and does all the interviewing, but is actually a proxy for Person B, who is the one who ends up actually doing the job after Person A gets "hired".

    I've heard stories where a company has interviewed and hired someone, then on the start date a completely different person shows up for the job pretending to be the original person. In some large companies with multiple layers of bureaucracy and management, it can be quite some time before the switcheroo even gets noticed, if it gets noticed at all.
    Reply
  • USAFRet
    GenericUser said:
    I have no idea how the situation here developed, but from what I understand for this kind of thing for similar situations, what will sometimes happen is Person A shows up as the candidate and goes and does all the interviewing, but is actually a proxy for Person B, who is the one who ends up actually doing the job after Person A gets "hired".

    I've heard stories where a company has interviewed and hired someone, then on the start date a completely different person shows up for the job pretending to be the original person. In some large companies with multiple layers of bureaucracy and management, it can be quite some time before the switcheroo even gets noticed, if it gets noticed at all.
    Or Person A, after having the job for a while, outsources his functions.
    Passes it off as his work, but it isn't.
    Reply
  • Snowrosered
    Hard to understand why anyone would work for them. They are a scourge. Talking about NKR Of course.
    Reply
  • Enthirian
    coolitic said:
    All of those "technologies" mentioned are invented in the West

    What you might be referring to is, at best, their ingenuity and persistence in utilizing them.
    That is some hideous bigotry.
    You should be ashamed but you’re completely unaware.
    Reply