In May, the U.S. State and Treasury departments and the FBI released a joint advisory warning about the inadvertent hiring of North Korean IT workers by American companies. This is part of a broader push to make companies aware of potential sanctions violations.
“There’s been a couple of prosecutions lately of Chinese and Korean malicious cyber actors,” said Kevin Gaunt, an attorney with Hunton Andrews Kurth in Washington, D.C. “Over the past year and a half or two years, there’s been more of a push to educate [as well as] guidance issued on sanctions-related threats across the board.”
Overlook Sanctions at Your Own Risk
While many companies may already have systems in place to focus on anti-bribery compliance or customs issues, sanctions issues are often overlooked, at a company’s own risk.
“North Korea is an embargoed country, meaning that U.S. persons, such as U.S.-incorporated entities or any U.S. citizens and permanent residents, are prohibited from doing business with North Korea, in most circumstances,” said Kerry Contini, an attorney with Baker & McKenzie in Washington, D.C. “So if they hire a North Korean IT worker [who] is based in North Korea and lives in North Korea, that could be a sanction violation.”
Deliberately Hiding Identities
North Korean IT workers set out to intentionally conceal their identities to get hired by U.S.-based companies, using a variety of methods to fool hiring managers. Sometimes, the North Korean workers are based physically outside of North Korea or will hire locals to serve as a fake front in the job application process.
“Over the past two years, with the pandemic, there’s been a lot more remote work. It’s a lot more commonplace” to hire remote workers, Gaunt said. Because of that, it can help to take basic precautions to make sure the IT worker who is being hired is who the person should be. North Korean IT workers will deploy virtual private networks to hide their IP address, use resumes with false references and job histories, set up websites with fake portfolios, and other methods to conceal who they really are.
“If you’re not doing an in-person interview or face-to-face exchange of resumes, it’s a little bit easier to pull off an intentional concealment of your identity,” Gaunt said.
Smaller and medium-size companies, in particular, might be more vulnerable to being fooled by North Korean IT workers simply because the companies don’t have the systems in place to check references and resumes. “You’re focused on what your needs are, how much you have to pay to do it, how long, how quickly, somebody can turn it around. A lot of the times, especially in smaller or medium-size companies, there’s not necessarily the additional scrutiny on hiring a contractor,” Gaunt said. “Hiring companies aren’t necessarily thinking, ‘I might be getting scammed by a North Korean IT worker.’ “
Penalties and Sanction Compliance Programs
Companies should take the advisory as a warning to be more careful about sanctions violations because the penalties can be steep. Common sanctions penalties can be about $330,000 per violation, or twice the value of the transaction, whichever one has a higher value. This number can rise for a willful violation and can result in imprisonment for individuals who knowingly violate sanctions.
“This really just underscores the importance of compliance programs,” Contini said. “Sanctions compliance programs are extremely important, and that would include all of the kind[s] of basic elements that you would normally include in a compliance program.”
Having processes in place that allow companies to identify and address red flags that come up in the hiring process, as well as educating hiring managers about what they should be looking out for, are key to prevent inadvertent sanctions violations.
Although this advisory only addresses North Korean IT workers, the issues at the root of the advisory and the lessons that can be learned should be heeded by all companies who could potentially violate sanctions in hiring.
“As more of these types of guidance come out from the government, it’s going to be harder and harder for U.S. companies to say they didn’t know,” Gaunt said.
Katie Nadworny is a freelance writer in Istanbul.