When the New Hire Is a Nation-State Operative
Hundreds of companies have unknowingly hired IT workers who are actually nation-state operatives. They pass interviews, deliver real work, collect real salaries, and quietly exfiltrate data for months. The patterns they leave behind in email and sign-in activity are detectable if you know what to look for.
300+ companies affected · Months: average tenure before detection · Millions diverted in salary and data
The operation
The campaign is tracked by threat intelligence researchers under the name Famous Chollima (a designation assigned by CrowdStrike and widely referenced in public reporting). The operation is straightforward in concept and remarkably effective in practice: operatives from North Korea use stolen or fabricated identities to apply for remote IT jobs at Western companies. They interview over video (often with the camera off, citing bandwidth issues), pass technical assessments, and get hired.
Once employed, the operative does not work from the location listed on their application. Their corporate laptop is shipped to a facilitator who connects it to the network and installs remote management software. The actual operative works from overseas, accessing the laptop through remote tools. To the employer, everything appears normal. The work gets done. Standups are attended. Code is committed. Tickets are closed.
Three layers of the operation
Layer 1: Fake identity
The foundation of the operation is a fabricated or stolen identity. Operatives use forged resumes with real-looking work histories, stolen Social Security numbers, and references that connect to other operatives or complicit facilitators. AI-generated profile photos make the identity appear legitimate on LinkedIn and job applications. Some operatives maintain multiple identities simultaneously, holding two or three full-time remote positions at once.
Background checks verify that a Social Security number, name, and address combination exists. They do not verify that the person on the video call is the person whose identity is on the application. The gap between identity verification and physical verification is the operational space these campaigns exploit.
Layer 2: Laptop farms with RMM tools
Corporate laptops are shipped to addresses in the United States staffed by facilitators. These "laptop farms" house multiple devices from different employers, each connected to its respective corporate VPN. The facilitator installs remote monitoring and management (RMM) tools like AnyDesk, TeamViewer, Chrome Remote Desktop, or RustDesk on each machine.
Multiple people rotate shifts on a single identity. One person attends the morning standup, another writes code in the afternoon, a third handles evening Slack messages. The employer sees a single employee working reasonable hours. The reality is a team operating around the clock, coordinating through internal channels the employer never sees.
Because the laptop never leaves the country, geolocation checks on the device IP appear legitimate. The VPN connection originates from a U.S. residential address. EDR tools on the device show a normal-looking work pattern. The deception is invisible at the endpoint level.
Layer 3: Cloud persistence
The third layer ensures continued access even if the laptop farm is disrupted. Operatives create OAuth applications connected to their corporate accounts, granting third-party services read access to email, calendar, and cloud storage. They add service accounts to shared resources. They configure email forwarding rules that copy internal communications to external addresses.
These persistence mechanisms are identical to the ones used by external attackers after compromising an account. An OAuth app created by a contractor during their first week looks exactly like an OAuth app installed by an attacker who phished their way in. A forwarding rule set up by an operative during onboarding is indistinguishable from one created during an account takeover.
Detection signs
Despite the sophistication of the operation, the operatives leave detectable traces. These indicators rarely trigger alerts individually, but in combination they form a pattern that is highly distinctive.
Impossible travel. The most reliable technical indicator. The employee's email account shows a sign-in from a U.S. IP address, followed minutes later by a sign-in from an IP geolocated to a different continent. This happens because the operative occasionally accesses cloud applications directly (without routing through the laptop farm), revealing their actual location.
Unusual RMM tools. Corporate IT departments standardize on specific remote access tools. When an employee installs AnyDesk, RustDesk, or similar tools that are not part of the standard toolkit, it warrants investigation. Multiple RMM tools on a single device are an even stronger signal, as they suggest redundant remote access paths.
Bulk data access outside job scope. An operative hired as a frontend developer who begins accessing backend configuration files, customer databases, or internal security documentation is operating outside their expected role. File access patterns that do not align with the employee's job responsibilities are a meaningful signal, especially when combined with other indicators.
OAuth apps created by contractor accounts. Legitimate employees occasionally connect productivity tools to their work accounts. But an OAuth application with broad read permissions (Mail.Read, Files.Read.All, Calendars.Read) created by a recently onboarded contractor is worth investigating. These grants provide persistent access to corporate data that survives password changes and MFA resets.
Email forwarding from unexpected locations. A forwarding rule that sends copies of internal email to a personal address, especially one created within the first few weeks of employment, matches the profile of both an insider threat and an external account compromise. The rule itself is the same artifact regardless of who created it.
The email security connection
These operatives need email accounts to function inside the organization. The corporate email is typically the first account provisioned during onboarding, and it serves as the recovery address for every other corporate application. Control of the email account means control of password resets, MFA enrollment, and access requests across the entire SaaS ecosystem.
The detectable patterns left by nation-state operatives in sign-in activity and account configuration overlap significantly with the patterns left by external attackers who have compromised an account:
- Sign-ins from IP addresses that do not match the employee's declared location
- New device enrollments from unexpected operating systems or browsers
- Authentication from multiple geographic regions within short timeframes
- Email forwarding rules to external or personal addresses
- OAuth applications with read access to mail, files, or calendar data
- Activity patterns that align with overseas business hours rather than local hours
Whether the threat is an external attacker who phished their way in or an insider who was hired with malicious intent, the artifacts left in the email configuration are remarkably similar. Monitoring for one catches the other.
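The impossible-travel indicator described above (and the "multiple geographic regions within short timeframes" pattern in the list) can be checked mechanically over sign-in records. The following is an added illustration, not InboxWatch code: it groups sign-ins per user, computes the great-circle distance between consecutive sign-ins, and flags pairs whose implied speed exceeds an airliner. The 900 km/h and 500 km thresholds, the SignIn fields, and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 500.0    # assumption: ignore city-level geolocation jitter

@dataclass
class SignIn:
    user: str
    ts: datetime  # sign-in time, UTC
    ip: str
    lat: float    # IP geolocation of the sign-in
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive sign-ins by one user that imply faster-than-airliner travel."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < min_km:
                continue  # same metro area: geolocation jitter, not travel
            hours = (b.ts - a.ts).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append({"user": user, "from_ip": a.ip, "to_ip": b.ip,
                                 "km": round(km), "kmh": round(kmh)})
    return findings

# Constructed sample (not real logs): contractor1 signs in through a US VPN egress,
# then 12 minutes later directly from an IP geolocated to another continent;
# employee2 goes New York to Los Angeles in 8.5 hours, which is plausible.
SAMPLE = [
    SignIn("contractor1", datetime(2024, 5, 6, 14, 2, tzinfo=timezone.utc), "203.0.113.10", 32.78, -96.80),
    SignIn("contractor1", datetime(2024, 5, 6, 14, 14, tzinfo=timezone.utc), "198.51.100.7", 39.90, 116.40),
    SignIn("employee2", datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc), "203.0.113.20", 40.71, -74.01),
    SignIn("employee2", datetime(2024, 5, 6, 17, 30, tzinfo=timezone.utc), "203.0.113.21", 34.05, -118.24),
]
```

Running `impossible_travel(SAMPLE)` returns one finding for contractor1 and none for employee2; in production the same check should also exclude known corporate VPN egress ranges to cut false positives.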
What InboxWatch detects
InboxWatch scans for the email-layer indicators that surface in both external compromise and insider threat scenarios: anomalous sign-in locations, new device enrollments, suspicious forwarding rules, unauthorized OAuth grants, and authentication patterns that deviate from the baseline. These are the artifacts that nation-state operatives leave behind when they use corporate email accounts to establish persistence and exfiltrate data.
The threat is real, documented, and growing. More than 300 companies have been affected. The operatives are already inside organizations across every industry. The question is whether you have visibility into the signals they leave behind.
Check your accounts for free
InboxWatch scans for hidden forwarding rules, unauthorized delegates, rogue OAuth apps, and suspicious sign-in activity. Free. 60 seconds. Metadata only.
Written by Nicholas Papadam, founder of InboxWatch. Senior Analyst with 6+ years in enterprise security operations.