The U.S. Justice Department recently apprehended Matthew Isaac Knoot, a 38-year-old Nashville resident, for his involvement in assisting North Korean IT workers in securing remote employment at various US companies. This arrest marks the second bust of a North Korean laptop farm in Tennessee this year, following a similar incident in May 2024.
In a recent press release, the DOJ outlined how Knoot helped these workers impersonate Americans by using stolen identities. He also managed a laptop farm to support their activities and funneled their earnings to North Korean and Chinese bank accounts.
“North Korea has dispatched thousands of highly skilled information technology workers around the world to dupe unwitting businesses and evade international sanctions so that it can continue to fund its dangerous weapons program,” stated Henry C. Leventis, United States Attorney for the Middle District of Tennessee.
What Is a Laptop Farm?
A laptop farm is a group of computers, typically laptops, networked together in a single location and remotely controlled by users from different locations. That allows the remote users to appear as if they are operating locally, enabling them to conceal their actual identities and locations.
They’re commonly used for deceptive practices, such as impersonating legitimate users or accessing geo-restricted services. It can also facilitate illegal activities like fraud or money laundering. In the case of the North Korean laptop farms, while the main purpose was to funnel funds back to their home country, their positions would have also allowed access to sensitive company data.
Understanding the Threat: The Rise of North Korean Laptop Farms
North Korean cyber operations are increasingly complex and show a concerning trend. These state-sponsored activities support North Korea’s weapons programs by acquiring funds, and potentially data, through illegitimate workers. This cybercrime helps the regime evade international sanctions and generate revenue illegally.
Laptop Farms have gained increased awareness this year, as there have already been two busts in close proximity. It’s unlikely Tennessee is the only state that hosts these operations. Since laptop farms are set up on local networks and rely on remote access from out-of-country, all they require is a willing host and an easily buyable high-speed internet network.
To combat these threats, governments and businesses worldwide are boosting cybersecurity measures. While the goal may seem to be money, the security risk cannot be ignored. If any valuable data is uncovered, it’s highly likely to be used if it can benefit North Korea. While awareness of the issue will help, the impact will reach more than just the US.
The Global Impact of Laptop Farms
Laptop farms complicate cybersecurity by enabling cybercriminals to remotely access sensitive company data. These setups make it difficult for traditional security measures to detect. As these operatives work through seemingly legitimate work accounts and may be doing the job they were hired for, they’re less likely to draw suspicion.
As a newer trend, this threat impacts individual companies and challenges global cybersecurity efforts. Criminals can set up a laptop farm in any country with fast and strong internet infrastructure. However, because cybersecurity laws and capabilities vary across regions, detecting and responding to these farms on a global scale is likely not possible.
Efforts to combat these risks are increasingly focused on improving detection capabilities and international cooperation. The integration of AI-driven security tools and the strengthening of global cybersecurity coordination may help. Educating teams across all departments can also help, especially in larger organizations where an illegal remote worker is likelier to slip through.
What the DOJ Is Doing to Counter Laptop Farms
The Department of Justice (DOJ) is intensifying its efforts to crack down on laptop farms through the “DPRK RevGen: Domestic Enabler Initiative,” launched in March 2024. This initiative, spearheaded by the National Security Division and the FBI’s Cyber and Counterintelligence Divisions, aims to identify and dismantle these operations.
An example of these efforts is the recent action against Matthew Isaac Knoot, reflecting the DOJ’s commitment to addressing this issue. Knoot’s case, where he facilitated North Korean IT workers pretending to be US employees, highlights the ongoing challenges and the importance of the DOJ’s crackdown. There are likely many more laptop farms still flying under the radar.
In addition, the DOJ collaborates with other federal agencies to continually update and issue advisories to the business community. That helps them identify and mitigate the risks associated with fraudulent IT employment schemes.
Protecting Your Business from Illegal Remote Workers
There is no single step a business can take to prevent illegal remote workers, especially in the case of a laptop farm. It can be challenging to detect, especially if an organization has fewer verifications. Here are a few things businesses can do:
Hiring Process:
- Verify Identities: Conduct rigorous identity verification processes for remote workers using multiple forms of identification to ensure authenticity.
- Use Secure and Trusted Platforms: Employ secure, reputable platforms for hiring remote workers, which typically include safeguards against fraudulent activities.
- Conduct Background Checks: Include comprehensive background checks in the hiring process, focusing on verifying employment history and references.
Managing Current Employees:
- Regular Security Training: Educate HR and IT teams about the latest remote work scams and cybersecurity threats, enabling them to recognize and respond to suspicious activities.
- Monitor Account Access and Activity: Set up systems to log and monitor access to the accounts and sensitive data, with alerts for unusual activities.
- Limit Access Privileges: To minimize risks, grant remote workers access only to the information and systems necessary for their roles.
- Establish Clear Remote Work Policies: Develop detailed remote work policies, including security protocols and data privacy expectations.
- Regular Audits and Compliance Checks: Conduct periodic audits of remote work arrangements and compliance with company policies to identify and address discrepancies early.
- Use Access Controls: Apply strict access controls to ensure remote workers can only access the data and systems necessary for their specific job roles. That minimizes risks.
- Add Geolocation Checks: Implement tools to verify the actual geolocation of remote workers, ensuring it aligns with their stated locations.
Taking a layered approach can help. While most businesses can’t realistically use every method, using multiple gives a better look at potential and current employees from different angles.