Practical Techniques for Detecting Insider Threats and Fake IT Workers

As companies continue to seek solutions for detecting fake IT workers, nation-state actors have already adapted their tactics. At this point, utilizing tools like Trust Swiftly allows organizations to confidentially detect nearly all remote nation-state actors employed within a company. Our unique approach to insider threats and fake IT workers distinguishes us from other available solutions, significantly reducing the burden on IT, Security, and HR teams searching for these outliers.

We do not simply look at employees at a single point in time; we cover the entire lifecycle. From pre-hiring and onboarding to privileged access management, we continuously monitor a person’s identity. Trust Swiftly offers a robust solution for cryptographic validation on authenticators, creating a tamper-proof chain of custody tied to a specific person and location. Utilizing continuous authentication checks ensures that an employee is always present and using their properly provisioned identity.

Telemetry and traditional signals only work for so long before advanced actors move away from those strategies entirely. Most companies lack the visibility to detect when a malicious insider hands their YubiKey authenticator to a co-conspirator in a different location, or uses a modified Silex DS-700 to share authentication via hardware-to-hardware connections. Few security tools can detect the subtle latency issues or hidden signals, such as device identifiers, associated with this hardware.
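One location-based signal that does survive authenticator hand-offs is the implied travel speed between consecutive uses of the same hardware credential. The script below is an added illustration, not Trust Swiftly code: it runs over a constructed FIDO/WebAuthn sign-in log (the line format, credential IDs and coordinates are assumed for the example) and flags a credential whose consecutive assertions would require implausibly fast travel.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample log (not real telemetry). Fields, space separated:
# UTC timestamp, account, credential ID, latitude, longitude of the client IP.
SAMPLE_LOG = [
    "2024-05-01T08:00:00Z alice cred-a1 40.7128 -74.0060",  # New York
    "2024-05-01T09:30:00Z alice cred-a1 40.7128 -74.0060",  # New York
    "2024-05-01T10:00:00Z alice cred-a1 37.5665 126.9780",  # Seoul, 30 min later
    "2024-05-01T08:15:00Z bob cred-b7 51.5074 -0.1278",     # London
    "2024-05-02T09:00:00Z bob cred-b7 48.8566 2.3522",      # Paris, next day
]

# Uses faster than this between two sign-ins are treated as a shared or
# remotely relayed authenticator. Airline speed is roughly 900 km/h.
MAX_PLAUSIBLE_KMH = 1000.0
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_line(line):
    ts, user, cred, lat, lon = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, cred, float(lat), float(lon))


def find_shared_authenticators(lines, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (credential_id, account, implied_speed_kmh) for every pair of
    consecutive uses of one credential that would need implausible travel."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: (e[2], e[0]))
    alerts, last_use = [], {}
    for ts, user, cred, lat, lon in events:
        if cred in last_use:
            prev_ts, prev_lat, prev_lon = last_use[cred]
            hours = (ts - prev_ts).total_seconds() / 3600.0
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            # Same place, or zero elapsed time with real movement, are handled explicitly.
            if dist > 0 and (hours == 0 or dist / hours > max_kmh):
                speed = float("inf") if hours == 0 else round(dist / hours, 1)
                alerts.append((cred, user, speed))
        last_use[cred] = (ts, lat, lon)
    return alerts


if __name__ == "__main__":
    for cred, user, speed in find_shared_authenticators(SAMPLE_LOG):
        print(f"credential {cred} ({user}) implies {speed} km/h between uses")
```

In the sample, only `cred-a1` is flagged: New York to Seoul in thirty minutes implies roughly 22,000 km/h, while `cred-b7` travelling London to Paris over a day stays well under the threshold.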

While Amazon recently published a press release regarding their detection techniques, their methods primarily target remote actors. In response, nation-state actors have returned to their roots: leveraging human cooperation to achieve their goals. The most lucrative placements require extended access, and the only way to secure that is to eliminate technical red flags. Regardless of the security tools installed on a device, those tools will only ever see the authorized user's verified identity, because the threat actor communicates with nation-state intermediaries through offline or third-party networks that the device never observes.

For these actors, losing access due to a technical mishap isn't an option; they require assurance. In one instance, we observed insiders steal an enterprise’s state-of-the-art AI model, repackage it, and sell it through various startup fronts. The meticulous effort required to gain and maintain initial access was justified by the value of the coveted technology. The payoff for these insiders is persistence; as technology becomes stale quickly, the ability to continuously compromise intellectual property is vital to maintaining a market edge. While these insiders are typically caught eventually, their discovery often comes too late—after the information they successfully exfiltrated has already lost its novelty.

While companies may currently lack the capabilities to identify the most deeply embedded insiders, they can identify the beginners who fail comprehensive identity checks, such as IAL3. Threat groups are now fabricating entire work histories and education credentials, combining them with real identities to create legitimate-appearing IT workers. These candidates often present a "picture-perfect" LinkedIn profile with an aged account and no obvious fraud indicators. Their resumes are equally exceptional, weaving truth with lies—perhaps only the education or a portion of the employment history is illegitimate.

This blending of fact and fiction is essential for nation-state actors to fabricate a placement-ready identity. The physical person remains the most critical component; a US company hiring a citizen expects a real person who can pass background and identity checks. For high-value targets, actors will not waste time fabricating a backstory only to fail on basic criminal history or background reports. However, most background check providers can only validate specific information, and many fail to do so in a secure manner that prevents evidence tampering.

With enough coaching, an individual can eventually evolve into a hundred-million-dollar asset for a nation-state. Consider the case of a recently unemployed IT help desk operator. They may be recruited by a nation-state to act as a mole for a new operation. First, they are trained to pass interviews, with professionals guiding them through daily tasks to mask any skill gaps. They are often hired at shell companies that serve as fake training grounds, positioning them for a higher role at a target organization. It may take months or years, but once placed, their primary goal is to remain undetected. Throughout this process, the insider may not even realize they are dealing with a nation-state, focusing instead on the financial incentives. The nation-state keeps the insider as a "clean" proxy, activating them for malicious access only during small windows of opportunity to ensure the activity remains invisible.

In summary, identifying remote fake IT workers is a solvable problem, but detecting complicit insiders requires a different strategy. These threat actors will continue to wreak havoc, leaving little to no digital breadcrumbs for security teams to track or reverse engineer. Companies must adopt techniques that actively seek out insiders and their cohorts. Waiting for the "right" passive signals is no longer acceptable; security teams need to take control by activating scenarios that flush out nation-state activity.

By categorizing each type of potential insider, your team can create specific scenarios designed to reveal inconsistencies. If you suspect an employee is not truly performing their work or is being aided by a third party, an on-site workshop or live scenario can reveal their true skill level. Nation-state activity may look invisible to many, but through rigorous training, experimentation, and proactive defense, it can be methodically detected.

About the Trust Swiftly Team

We publish practical guidance on identity assurance, fraud prevention, and FedRAMP-aligned controls for high-risk workflows.