Fake Employees, Real OT Risks
How DPRK Insider Campaigns Threaten Critical Infrastructure
In June 2025, U.S. authorities revealed that North Korean operatives quietly embedded themselves in more than 100 U.S. companies. Using stolen identities, AI deepfake interviews, and laptop farms, they passed corporate hiring processes and gained insider access—many in highly technical positions with escalated privileges.
Beyond Payroll Fraud: The Insider Threat to OT
In June 2025, U.S. authorities revealed the scale of a North Korean IT-worker infiltration campaign that had quietly embedded operatives in more than 100 U.S. companies detected so far. Using stolen identities, AI deepfake interviews, and U.S.-based "laptop farms," these operatives passed corporate hiring processes and gained insider access. In many cases they applied for, and were hired into, highly technical positions such as software developer and IT engineer, roles that are typically granted escalated privileges as a matter of course.
Much of the coverage has focused on payroll fraud and sanctions evasion. But the larger concern for critical industries is the insider threat to operational technology (OT). A fraudulent hire with access to engineering data, historian logs, or control software repositories is not just a compliance issue; it is a potential operational security event.
Considering the success of PRC-associated threat actors such as Volt Typhoon and Salt Typhoon, we cannot assume that the techniques used by separate nation-state actors will not be combined to pursue strategic goals such as illicit revenue generation, espionage, or pre-positioning in U.S. critical infrastructure. Critical infrastructure and OT owners must be prepared for that future, if it has not already arrived.
Where OT Data Becomes a Detection Asset
Most organizations rely heavily on IT logs and HR vetting when they think about insider threats. But OT data provides a powerful and often underutilized detection layer.
OT networks should be appropriately segmented from the IT network, with additional access controls tied to that boundary. This often includes a requirement for unique privileged administrator accounts, or for security-constrained roles assigned to a standard user account. Monitoring these accounts lets defenders stay ahead of the game and identify very early indications of potential compromise attempts.
- Historian access patterns: Abnormal queries against time-series data—especially by new hires or contractors—can reveal attempts to map production or process details.
- Engineering workstation logs: Indicators such as repeated failed access attempts to project files, off-hours logins, or simultaneous logins from unexpected geographies can expose malicious insider activity.
- Configuration and firmware repositories: Monitoring for mass downloads, unauthorized clones, or unusual commit activity provides early warning when fake employees attempt to exfiltrate or manipulate industrial code.
- Operator HMI activity: Alerts on non-standard use of engineering functions (e.g., exporting trend data, screen captures) can point to reconnaissance efforts.
- Cross-domain correlation: When HR/IT signals, such as mismatched identity documents or unusual RMM use, are fused with OT alerts, the picture becomes much clearer.
- Internet-connected KVMs: Identify the installation or use of non-standard internet KVMs, such as PiKVM and TinyPilot, which fake foreign workers have used to operate through domestic laptop farms. This can be done in multiple ways via IT logs, by detecting specific products or "first-seen" USB devices.
- Non-standard data collection software: Fake employees are known to install screen and keystroke capture software on issued corporate devices so they can collect, stage, and exfiltrate data while avoiding detection.
- "Stay Awake" software: Fake employees have also installed non-standard software such as "mouse jigglers" to keep computer sessions alive and give the appearance that they are working diligently through their entire shift. While this is not exclusive to "fake" employees since the rise of remote work, it can serve as one more indicator of potentially malicious activity.
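The signals in the list above can be expressed as simple rules over the IT and OT events an organization already collects. The following is an added example, not code from the article or from PhishCloud; the users, hosts, timestamps, and USB serials are constructed, and the off-hours window, historian baseline, and HR "recent hires" feed are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
OFF_HOURS = set(range(22, 24)) | set(range(0, 6))   # 22:00-06:00 site time (assumed)
HIST_QUERY_BASELINE = 5          # assumed normal daily historian pulls per user
GEO_WINDOW = timedelta(hours=1)  # two geographies inside this window is suspicious

# Constructed sample data (placeholder users/hosts, not from the article).
RECENT_HIRES = {"jdoe", "asmith"}              # hired in the last 90 days, from the HR feed
KNOWN_USB = {("ENG-WS-07", "KBD-0001")}        # (host, serial) pairs seen before
EVENTS = [  # (timestamp, user, host, event type, detail)
    ("2025-06-14 02:13", "jdoe", "ENG-WS-03", "login", "US-TX"),
    ("2025-06-14 02:20", "jdoe", "ENG-WS-03", "login", "KR"),
    ("2025-06-14 10:00", "bjones", "ENG-WS-01", "login", "US-TX"),
    ("2025-06-14 23:10", "bjones", "ENG-WS-01", "login", "US-TX"),
    ("2025-06-14 09:05", "asmith", "ENG-WS-07", "usb_attach", "USB-9F2A"),
    ("2025-06-14 09:06", "asmith", "ENG-WS-07", "usb_attach", "KBD-0001"),
] + [("2025-06-14 02:%02d" % m, "jdoe", "HIST-01", "hist_query", "FIC-101.PV")
     for m in range(30, 38)]   # eight historian pulls in eight minutes

def detect(events, recent_hires=RECENT_HIRES, known_usb=KNOWN_USB):
    """Return sorted (user, rule) findings for the OT/IT insider signals."""
    findings, logins, hist = set(), defaultdict(list), Counter()
    for ts, user, host, kind, detail in sorted(events):
        t = datetime.strptime(ts, FMT)
        if kind == "login":
            # Off-hours engineering workstation login, weighted by HR context.
            if host.startswith("ENG-") and t.hour in OFF_HOURS and user in recent_hires:
                findings.add((user, "off_hours_engineering_login"))
            # Two logins from different geographies within one hour.
            for prev_t, prev_geo in logins[user]:
                if prev_geo != detail and t - prev_t <= GEO_WINDOW:
                    findings.add((user, "concurrent_geo_logins"))
            logins[user].append((t, detail))
        elif kind == "hist_query":
            hist[user] += 1
        elif kind == "usb_attach" and (host, detail) not in known_usb:
            # First-seen USB device on an engineering host (possible KVM hardware).
            findings.add((user, "first_seen_usb:" + detail))
    for user, n in hist.items():
        if n > HIST_QUERY_BASELINE:
            findings.add((user, "historian_query_burst"))
    return sorted(findings)

if __name__ == "__main__":
    for user, rule in detect(EVENTS):
        print(f"{user:8s} {rule}")
```

Note that the off-hours login by `bjones` produces no finding on its own: the rule only fires when the HR feed marks the account as a recent hire, which is the cross-domain weighting the article recommends.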
Building Fusion-Level Defenses
Defending against insider campaigns requires connecting the dots between hiring, IT logs, attack pathway identification and attack surface reduction, network segmentation and security engineering, and OT system data. Key steps include:
- Appropriately segregate IT networks from OT networks to create boundaries at which inappropriate access attempts can be identified. Strive for a Purdue model architecture while incorporating Zero Trust philosophies and supporting mechanisms.
- Privileged Access Management: Create notification pipelines from HR for the hiring of new employees into particular roles. Also create notification pipelines for the creation of new privileged accounts or the addition of accounts to privileged security groups, especially if either allows access into OT networks. Implement a PAM solution if possible.
- Instrument OT data sources for insider anomaly detection—ensure historian, engineering tools, and HMI activity feed into your monitoring program.
- Develop strong ICS / SCADA signaling baselines: Have a thorough understanding of the types of commands sent, command codes, and frequency of commands sent to OT devices to easily identify anomalous activity within OT networks.
- Alert on OT-relevant anomalies—treat unusual data pulls, off-hours engineering access, and unapproved file transfers as potential insider activity, not just operational noise.
- Correlate across domains—tie HR vetting, IT behavior, and OT usage into a common view to catch fraudsters who slip through any one layer.
- Train OT engineers and HR staff—give front-line teams red flags to recognize both fake résumés and anomalous OT access tied to suspicious hires.
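The ICS/SCADA baseline step above can be made concrete by learning which function codes each source host sends to each device, and how often, from a known-good window and then comparing later windows against it. This is an added example, not code from the article or from PhishCloud; the hosts, unit IDs, and request counts are constructed, and both windows are assumed to cover the same duration so that rates are comparable.

```python
from collections import Counter, defaultdict

# Constructed Modbus/TCP request summaries: (source host, unit id, function code).
# Standard Modbus function codes: 3 = Read Holding Registers,
# 6 = Write Single Register, 16 = Write Multiple Registers.
BASELINE_WINDOW = ([("HMI-01", 1, 3)] * 120 + [("HMI-01", 1, 6)] * 4
                   + [("HIST-01", 1, 3)] * 60)
OBSERVED_WINDOW = ([("HMI-01", 1, 3)] * 118 + [("HMI-01", 1, 6)] * 12
                   + [("HIST-01", 1, 3)] * 60 + [("HIST-01", 1, 16)] * 2
                   + [("ENG-WS-03", 1, 3)] * 400)

def build_baseline(requests):
    """Per (source, unit): Counter of function codes seen in the window."""
    base = defaultdict(Counter)
    for src, unit, fc in requests:
        base[(src, unit)][fc] += 1
    return base

def check_window(baseline, requests, rate_factor=2.0):
    """Compare a window against the baseline and return sorted (key, finding) pairs.

    Three anomaly classes are reported: a source that never talked to the
    device before, a function code the source never used before (e.g. a write
    from a host that only ever read), and a known code sent far more often
    than usual (rate_factor is an assumed threshold).
    """
    findings = []
    observed = build_baseline(requests)
    for key, counts in observed.items():
        expected = baseline.get(key)
        if expected is None:
            findings.append((key, "new_source_talking_to_device"))
            continue
        for fc, n in counts.items():
            if fc not in expected:
                findings.append((key, f"new_function_code:{fc}"))
            elif n > rate_factor * expected[fc]:
                findings.append((key, f"rate_spike:{fc}"))
    return sorted(findings)

if __name__ == "__main__":
    for key, finding in check_window(build_baseline(BASELINE_WINDOW), OBSERVED_WINDOW):
        print(f"{key[0]:10s} unit {key[1]}: {finding}")
```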
Why This Matters Now
The June crackdown made it clear: adversaries are bypassing traditional security controls by becoming employees. For organizations running critical infrastructure, OT logs and data aren't just about reliability—they are now essential for defending against insider compromise.
Fusion goes beyond the Cyber Fusion Center and requires interwoven processes and mechanisms across multiple corporate entities, such as HR, Security Engineering, Insider Threat, and traditional IT Support teams. This fusion is necessary to have the best chance of protecting multiple facets of the enterprise, including critical OT operations.
Organizations that can integrate OT data into their insider-threat program will be the ones best positioned to detect and stop fraudulent hires before they become operational risks.
The Bottom Line
Fragmented OT security isn't just risky. It's dangerous. And it's avoidable. If you're still managing OT and IT separately, you're staying one step behind attackers.
PhishCloud Cyber Fusion Center Strategies bring visibility, speed, and unity to your defenses—turning your weakest link into your greatest strength.
🚨 100+ U.S. Companies Infiltrated: Fake Employees Are Inside Your OT Network
North Korean operatives used stolen identities, AI deepfakes, and laptop farms to bypass hiring processes. They're not just stealing paychecks—they're accessing engineering data, historian logs, and control software. The insider threat is already here.
How They Got Inside
Stolen Identities
Fake employees use real people's credentials to pass background checks and gain trust.
AI Deepfake Interviews
Operatives use deepfake video to impersonate candidates during remote hiring processes.
Laptop Farms
U.S.-based proxy systems route remote work through domestic IPs to avoid detection.
Escalated Privileges
Hired as software developers and IT engineers, they receive admin access to critical systems.
Reconnaissance Tools
Install screen capture, keystroke loggers, and "mouse jigglers" to exfiltrate data undetected.
Multi-Nation Collaboration
Volt Typhoon and Salt Typhoon techniques could combine with DPRK tactics for devastating impact.
OT Data: Your Underutilized Detection Layer
Historian Access Patterns
Abnormal queries against time-series data by new hires or contractors reveal attempts to map production or process details—early warning signs of reconnaissance.
Engineering Workstation Logs
Failed access attempts, off-hours logins, or simultaneous logins from unexpected geographies expose malicious insider activity before damage occurs.
Configuration Repositories
Monitor for mass downloads, unauthorized clones, or unusual commit activity—early warning when fake employees exfiltrate or manipulate industrial code.
Building Fusion-Level Defenses
Network Segmentation & Zero Trust
Appropriately segregate IT networks from OT networks to create boundaries that identify inappropriate access attempts. Strive for a Purdue model of architecture while incorporating Zero Trust philosophies and supporting mechanisms.
This segmentation creates detection points where fake employees attempting to move laterally into OT systems trigger immediate alerts.
Privileged Access Management (PAM)
Create notification pipelines from HR for hiring of new employees in particular roles. Also create notification pipelines for creation of new privileged accounts or additions to privileged security groups—especially if they allow OT network access.
Implement a PAM solution to ensure every privileged action is logged, monitored, and correlated with legitimate business needs.
OT Anomaly Detection & ICS Baselines
Instrument OT data sources for insider anomaly detection—ensure historian, engineering tools, and HMI activity feed into your monitoring program.
Develop strong ICS/SCADA signaling baselines: understand the types of commands sent, command codes, and frequency to easily identify anomalous activity within OT networks.
Treat unusual data pulls, off-hours engineering access, and unapproved file transfers as potential insider activity, not just operational noise.
Cross-Domain Correlation & Training
Correlate across domains—tie HR vetting, IT behavior, and OT usage into a common view to catch fraudsters who slip through any one layer.
When HR/IT signals like mismatched identity documents or unusual RMM use are fused with OT alerts, the picture becomes much clearer.
Train OT engineers and HR staff—give front-line teams red flags to recognize both fake résumés and anomalous OT access tied to suspicious hires.
Detect Non-Standard Tools & Behaviors
Internet-connected KVMs: Identify installation or use of non-standard internet KVMs (PiKVM, TinyPilot) used by fake foreign workers to operate via domestic laptop farms. Detect via IT logs for specific products or "first-seen" USB devices.
Data collection software: Fake employees install screen and keystroke capture software on corporate devices to collect, stage, and exfiltrate data without triggering standard DLP.
"Stay Awake" software: Mouse jigglers and session-keeping tools give the appearance of active work. While not exclusive to fake employees, they're another indicator of potentially malicious activity.
Fragmented OT Security Is Dangerous—And Avoidable
Adversaries are bypassing traditional security by becoming employees. OT logs and data are now essential for defending against insider compromise. PhishCloud Cyber Fusion Center brings visibility, speed, and unity to your defenses—turning your weakest link into your greatest strength.
