Amazon Catches North Korean IT Infiltrator via Keystroke Lag, Highlighting Espionage Concerns

Amazon recently detected a North Korean imposter working as a sysadmin after noticing unusual keystroke input lag, a telltale sign of remote control. Amazon security personnel found that the suspicious individual’s keyboard lag was significantly higher than the norm, indicating that their laptop was being remotely accessed. Since April 2024, Amazon has thwarted over 1,800 DPRK infiltration attempts, with attempts increasing by 27% quarterly. These successes highlight the importance of actively searching for these impostors, as the company’s Chief Security Officer points out, while also noting that this is likely just the beginning of a larger issue.

Read the original article here

North Korean infiltrator caught working in Amazon IT department thanks to lag — 110ms keystroke input raises red flags over true location. That’s the headline, and frankly, it’s a bit of a head-scratcher. My first thought? Really, Amazon? Hiring from North Korea? I mean, I guess it’s a bold move, but it’s hard to imagine it’s driven by altruism. It’s more likely cost-cutting, or perhaps, a surprising lack of due diligence. The article mentions Amazon has foiled over 1,800 infiltration attempts since April 2024. That’s a staggering number, and the fact that the rate is increasing, with a 27% rise quarter over quarter, is even more concerning.

Now, the claim is that they detected the infiltrator because of keystroke input lag. Specifically, a 110ms delay between when a key was pressed and when it registered. Okay, I can see the logic. If someone is remotely accessing a system, there’s a good chance there will be some lag, particularly if they are halfway across the world. However, the exact mechanism seems a little shaky. It’s a bit like a movie trope, isn’t it? It just doesn’t feel like the initial IOC would be keystroke input lag. I’m imagining some complex system is used, and keystroke lag probably came out of a deeper analysis.

The article alludes to the fact that the North Korean was accessing an Amazon laptop located in the US. A woman facilitated this, and the article says she was sentenced for her role. This suggests the infiltrator wasn’t connecting to Amazon’s systems directly, but was remotely controlling the US-hosted laptop and using it as a proxy, so that everything Amazon saw appeared to come from a domestic endpoint. That’s a classic espionage tactic. The article claims that security software played a key role in the investigation.

Measuring this “lag” in real time could, in practice, be done over SSH, which is a common tool for remote access. In an interactive SSH session each keystroke is sent in its own packet, so network delay shows up directly as the gap between pressing a key and seeing it registered (or echoed) on the far end. That gap, press time minus registration time, is the latency in question. I think the monitoring of keystrokes is the real news: they’re paying close attention to that level of detail.

The more you think about it, the more complicated the situation becomes. TCP can coalesce several small writes into one segment (Nagle’s algorithm), which would blur individual keystroke timing, although interactive SSH sessions normally disable that with TCP_NODELAY, and coalescing only hides the per-key spacing, not the round trip itself. Also, what if there’s a VPN involved? A VPN would mask the origin of the keystrokes, which is something the North Koreans would likely employ, but it adds its own hop and latency rather than removing the delay, so the timing signal survives even when the source address lies.

Perhaps Amazon uses something akin to typing cadence analysis. They could analyze typing speed and patterns to establish a baseline for a user, then flag anything that deviates significantly. Mistyping and the subsequent corrections could create telltale signs of remote access. However, I’m leaning towards a monitoring agent running on the laptop itself. An agent on the endpoint is well placed to tell whether keystrokes came from the physical keyboard or were injected by remote-control software, which is a more direct signal than timing alone.

Maybe the lag shows up in the form of correction speed. A local user sees a typo immediately and corrects it quickly, whereas a remote operator only sees the mistyped character after the round trip, so the Backspace arrives later. The raw typing cadence might barely change, since a touch typist doesn’t wait for the echo, but the reflex between a typo and its correction would stretch by roughly the round-trip time, and that measurable delay between specific keystrokes would be an obvious sign.
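To make the timing argument concrete, here is an added example (not code from the article, and not Amazon’s detection logic, which the article does not describe) that runs the cadence and correction-reflex checks discussed above over two constructed keystroke logs. The log format (`<ms-since-session-start> <key>`, with `BS` for Backspace), the sample sessions, and the 80 ms tolerance are all assumptions made for the example. The suspect session is built to have the same median inter-key interval as the baseline but a correction reflex about 110 ms slower, which is the signature a remote operator behind a round trip would leave.

```python
"""Keystroke-timing check: does a session's typo-correction reflex look remote?

Hypothetical log format (constructed for this example, one event per line):
    <ms-since-session-start> <key>
<key> is a single printable character or BS (Backspace).
"""
from statistics import median

# Constructed baseline: the user typing locally, correcting two typos ("q", "c")
# about 140 ms after each mistake.
BASELINE_LOG = """
0 t
110 h
220 e
330 q
470 BS
560 r
670 e
780 a
890 c
1030 BS
1120 t
"""

# Constructed suspect session: same text, same typing cadence, but each
# correction arrives ~110 ms later, as it would if the operator only saw
# the typo after a round trip through remote-control software.
SUSPECT_LOG = """
0 t
115 h
225 e
335 q
585 BS
680 r
790 e
905 a
1015 c
1265 BS
1360 t
"""


def parse_events(text):
    """Parse the log into a list of (timestamp_ms, key) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, key = line.split()
        events.append((int(ts), key))
    return events


def inter_key_intervals(events):
    """Gaps between consecutive keystrokes: the raw typing cadence."""
    return [b[0] - a[0] for a, b in zip(events, events[1:])]


def correction_latencies(events):
    """Time from a keystroke to the Backspace that immediately follows it.

    A local typist notices the typo on screen at once; a remote operator sees
    it only after the round trip, so this reflex stretches by roughly the RTT.
    """
    return [b[0] - a[0] for a, b in zip(events, events[1:])
            if b[1] == "BS" and a[1] != "BS"]


def profile(events):
    """Summarise a session with medians, which resist a few outlier pauses."""
    corrections = correction_latencies(events)
    return {
        "median_interval_ms": median(inter_key_intervals(events)),
        "median_correction_ms": median(corrections) if corrections else None,
    }


def compare_sessions(baseline_events, session_events, correction_slack_ms=80):
    """Flag a session whose correction reflex is slower than the baseline
    by more than correction_slack_ms. Returns the evidence, not just a bool."""
    base = profile(baseline_events)
    cur = profile(session_events)
    if base["median_correction_ms"] is None or cur["median_correction_ms"] is None:
        return {"flagged": False, "reason": "not enough corrections to compare"}
    delta = cur["median_correction_ms"] - base["median_correction_ms"]
    return {
        "flagged": delta > correction_slack_ms,
        "correction_delta_ms": delta,
        "interval_delta_ms": cur["median_interval_ms"] - base["median_interval_ms"],
    }


if __name__ == "__main__":
    baseline = parse_events(BASELINE_LOG)
    suspect = parse_events(SUSPECT_LOG)
    print("baseline:", profile(baseline))
    print("suspect: ", profile(suspect))
    print("verdict: ", compare_sessions(baseline, suspect))
```

The point the two constructed sessions make is that the inter-key cadence alone does not change (the delta is zero), while the correction reflex moves by about the assumed round trip. A real deployment would need many sessions per user to build the baseline, and should treat the result as one signal to corroborate with endpoint telemetry such as whether input was injected by a remote-control tool, not as proof on its own.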

The article mentions the North Koreans are after the money, not necessarily to sabotage things. It’s a clever way to generate income for the regime. This isn’t the first time they’ve tried this, and it probably won’t be the last.