Guest Post: North Korean Hiring Exposure

Sarah Abrams

Recent reports have brought to light the disturbing story that many companies may have unwittingly hired North Korean operatives as outsourced IT professionals. In the following guest post, Sarah Abrams, Head of Claims Baleen Specialty, a division of Bowhead Specialty, considers the potential claims exposure that could arise for companies that have hired the North Korean operatives. I would like to thank Sarah Abrams for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Sarah’s article.

********************

Considering recent press reports that large US-based companies have been unknowingly hiring North Korean bad actors as IT professionals, do the SolarWinds Corporation SUNBURST cyberattack and the litigation that followed provide a roadmap to future exposure?

On January 23, 2025, the FBI issued an alert updating previous guidance to warn employers of “increasingly malicious activity” from the Democratic People’s Republic of Korea, or North Korea, including “data extortion.”  This was updated from its May 16, 2024, warning of threats to the public and private sector by North Korean IT workers leveraging U.S.-based individuals, both witting and unwitting, to gain fraudulent employment and access to U.S. company networks to generate revenue for the regime.

In conjunction with the FBI bulletins, various news outlets have been reporting on Fortune 500 companies that have hired and continue to hire software engineers who are North Korean citizens using stolen or fake US identities and AI-generated deepfakes:

“North Korean hackers have secretly infiltrated U.S. tech companies, posing as American software engineers to fund Kim Jong Un’s nuclear weapons program. Using fake résumés, stolen identities, and remote tools, these IT workers have landed real jobs at Fortune 500 firms, funneling millions back to North Korea. AI tools and stealthy tactics make detection harder, even fooling recruiters and HR teams.” Fortune, April 7, 2025

The UN estimated that the North Korean IT worker scam has generated $250 million to $600 million for North Korea every year since 2018. With the continued success of embedding foreign nation actors into US company infrastructure and controls, it is unlikely that this ongoing North Korean cyberattack will resolve itself.

For the companies that have fallen victim, the SolarWinds litigation may prove useful in anticipating management liability as well as exposure to company directors and officers.

Readers of the D&O Diary may recall that in December 2020, the media published a story that Russian hackers had gained access to US government agencies’ communication software through updates released by the SolarWinds Corporation, a third-party technology vendor for various branches of government [SUNBURST]. A day after the story broke, SolarWinds filed an 8-K with the SEC disclosing that it was aware of a vulnerability in its software and that it had hired third-party cybersecurity experts to assist in investigating and resolving the breach.

SolarWinds stock dropped, and in January 2021 a securities class action case was filed by shareholders against the company, its CEO, and CFO alleging, in part, misrepresentation of SolarWinds’ cybersecurity vulnerabilities and violations of Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5. The court further found that the named executives misstated SolarWinds’ cybersecurity control measures to mislead investors.

In October 2023, the SEC filed a lawsuit against SolarWinds and its executives, including Timothy Brown, its CISO, for fraud in the Northern District of New York. In July 2024, SolarWinds’ motion to dismiss was granted in part and denied in part by District Court Judge Engelmayer. Judge Engelmayer emphasized the importance of analyzing the “overall picture” conveyed by SolarWinds’ Form 8-K disclosures.

Notably, both In re SolarWinds Corporation and SEC v. SolarWinds, et al. acknowledge the recklessness of SolarWinds’ cybersecurity controls (i.e. “solarwinds123”). Thus, the decisions and commentary by the courts in both SolarWinds cases may inform what companies affected by the North Korean IT worker scheme can anticipate when the cyberattack is made public.

If the company is publicly traded and there is a stock drop after disclosure, there may be an additional securities class action against the company and executives. As was alleged in SolarWinds, violations of the Securities Act stemming from corporate failures to identify an ongoing cyberattack may be alleged. Even if the company is private, the impact on investors and stakeholders may result in litigation asserting mismanagement by executives, misrepresentation, and potential fraud.

In addition, aside from complaints about failures by the CISO, whose job function includes cybersecurity, any statements made or signed off on by the CEO regarding cybersecurity or protection of corporate or client intellectual property may become purported misrepresentations. Given the FBI warnings, as well as media exposure, the CISO’s identifying a breach and certainly the CEO’s filing an 8-K disclosure would be scrutinized. In addition, if corporate funds have been redirected to North Korea and not previously called out by the CFO, mismanagement of corporate funds may be alleged.

Depending on the length of the North Korean IT workers’ access and if the company is incorporated in Delaware, there may be potential Caremark claims against a company board for failing its duty of oversight. As previously discussed in the D&O Diary, successful Caremark cases, Teamsters Local 443 v. Chou (the AmerisourceBergen case) and In re Met Life, alleged that the directors had not acted in response to red flags regarding compliance deficiencies.

Certainly, if any red flags about hired bad actors (HR concerns about IT professionals always working only remotely, accounting discrepancies that cannot be reconciled) are discovered through a 220 request, a derivative lawsuit against the board would be anticipated. Injunctive relief may include additional independent technology consultants, new executive team members, and anticipated costs of reputational repair. Because the North Korean IT worker scheme has now been brought to light and given the potential for company, executive, and board exposure, infiltration should be identified and disclosed. Doing so may help mitigate a SolarWinds result.

The views expressed in this article are exclusively those of the author, and all of the content in this article has been created solely in the author’s individual capacity. This site is not affiliated with her company, colleagues, or clients. The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any subject matter.


