Sygnia Uncovers North Korean Hacker Posing as Employee in Insider Cyberattack
Israeli cybersecurity firm reveals sophisticated breach using legitimate tools and hidden scripts, highlighting new risks of trust-based infiltration
Sygnia, an Israeli cybersecurity company specializing in incident response and threat preparedness, has revealed details of a highly unusual cyberattack in which a North Korean national infiltrated the internal network of a Western company—not by hacking from the outside, but by posing as a legitimate employee.
The breach was uncovered during a forensic investigation conducted by Sygnia after an organizational laptop, issued to a newly hired employee and later returned due to an external incident, was submitted for analysis. Sygnia’s investigators discovered a sophisticated remote access system built using an inventive mix of obscure network protocols, popular tools like Zoom, and malicious scripts concealed within a seemingly legitimate development environment.
The “employee,” a North Korean citizen, had been hired through an outsourcing platform using a fake identity. He gained full access to the organization’s internal systems via a company-issued VPN and laptop. Within his work environment, lightweight Python-based scripts had been embedded, functioning as a covert infrastructure for command execution, remote control, and exfiltration of sensitive data.
The attack employed advanced evasion techniques, including ARP protocol manipulation to create conditional triggers, WebSocket-based communication infrastructure, and Zoom’s screen-sharing functions for control—without deploying any traditional malware. The control mechanisms were cleverly hidden within routine software development processes, enabling the attacker to operate undetected by both security systems and colleagues.
“This is a rare example of a threat that doesn't attack from the outside—but rather, from deep within,” said Shoham Simon, Senior Vice President of Cyber Services at Sygnia. “The attacker didn’t exploit a code vulnerability, but rather a vulnerability of trust. The success of the attack was based on clever use of legitimate tools and forgotten protocols that fly under the radar of typical detection systems.”
Simon emphasized that this attack highlights the urgent need for a broader threat detection approach—one that includes monitoring anomalies in network protocols, unusual use of legitimate tools, and behaviors that appear normal on the surface but indicate covert malicious activity underneath.
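The detection approach described above can be made concrete with a small rule set run over endpoint and network telemetry. The following is an added illustration, not code from Sygnia or from the report: it scores two of the behaviours the article names, unsolicited ARP replies (a stand-in for the "ARP protocol manipulation" signal) and WebSocket connections opened by a scripting interpreter to an external address (a stand-in for the Python-based WebSocket control channel). The event records, host names, IP addresses and thresholds are constructed for the example; a real deployment would source them from packet captures and EDR process/network telemetry, and the same pattern extends to other legitimate tools such as screen-sharing sessions.

```python
"""
Added example: two simple anomaly rules for the behaviours described in the
Sygnia insider report. All telemetry below is constructed for illustration.
"""
import ipaddress
from collections import Counter

# Constructed ARP telemetry: one record per frame, in capture order.
ARP_EVENTS = [
    {"ts": 1, "op": "request", "sender": "10.0.0.5", "target": "10.0.0.1"},
    {"ts": 2, "op": "reply",   "sender": "10.0.0.1", "target": "10.0.0.5"},  # answers ts=1
    {"ts": 3, "op": "reply",   "sender": "10.0.0.1", "target": "10.0.0.7"},  # nobody asked
    {"ts": 4, "op": "reply",   "sender": "10.0.0.9", "target": "10.0.0.5"},  # nobody asked
    {"ts": 5, "op": "reply",   "sender": "10.0.0.9", "target": "10.0.0.6"},  # nobody asked
    {"ts": 6, "op": "reply",   "sender": "10.0.0.9", "target": "10.0.0.7"},  # nobody asked
]

# Constructed process-to-network telemetry (what an EDR would record per flow).
PROC_CONNS = [
    {"host": "lt-042", "process": "python3", "dst": "203.0.113.10", "dport": 443,  "upgrade": "websocket"},
    {"host": "lt-042", "process": "chrome",  "dst": "203.0.113.20", "dport": 443,  "upgrade": "websocket"},
    {"host": "lt-017", "process": "python3", "dst": "10.0.0.50",    "dport": 8080, "upgrade": "websocket"},
    {"host": "lt-017", "process": "python3", "dst": "198.51.100.7", "dport": 443,  "upgrade": None},
]

# Assumed internal ranges (RFC 1918); adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Interpreters that normally have no business opening WebSocket channels on a laptop.
SCRIPT_INTERPRETERS = {"python", "python3", "python.exe", "node", "node.exe"}


def unsolicited_arp_replies(events):
    """Return {sender_ip: count} of ARP replies that no earlier request asked for.

    A reply from S addressed to T is considered solicited only if T previously
    sent a request for S. Everything else is counted against the sender.
    """
    pending = set()      # (requester, requested_ip) pairs still awaiting a reply
    counts = Counter()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] == "request":
            pending.add((e["sender"], e["target"]))
        elif e["op"] == "reply":
            key = (e["target"], e["sender"])
            if key in pending:
                pending.discard(key)
            else:
                counts[e["sender"]] += 1
    return counts


def is_external(ip):
    """True if the address falls outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def interpreter_websocket_egress(conns):
    """Flows where a scripting interpreter upgraded to WebSocket toward an external host."""
    return [
        c for c in conns
        if c["process"].lower() in SCRIPT_INTERPRETERS
        and c.get("upgrade") == "websocket"
        and is_external(c["dst"])
    ]


def findings(arp_events, conns, arp_threshold=3):
    """Combine both rules into a list of human-readable findings."""
    out = []
    for ip, n in sorted(unsolicited_arp_replies(arp_events).items()):
        if n >= arp_threshold:
            out.append(f"ARP: {ip} sent {n} unsolicited replies")
    for c in interpreter_websocket_egress(conns):
        out.append(f"WS: {c['host']} {c['process']} -> {c['dst']}:{c['dport']}")
    return out


if __name__ == "__main__":
    for line in findings(ARP_EVENTS, PROC_CONNS):
        print(line)
```

On the constructed data the script reports one ARP finding (10.0.0.9, three unsolicited replies; 10.0.0.1's single stray reply stays below the threshold) and one WebSocket finding (lt-042's python3 process reaching 203.0.113.10). The thresholds are deliberately simple; the point is that neither rule needs a malware signature, which is what the article argues conventional detection was missing.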