T1219.003 Remote Access Hardware is a sub-technique of Remote Access Tools (T1219) in the MITRE ATT&CK framework, under the Command and Control tactic. It covers the use of physical KVM-over-IP devices, which provide keyboard, video, and mouse (KVM) control over IP networks, allowing adversaries to interact with and control compromised systems at the hardware level.
These devices operate below the operating system, so they provide access to a system even if the operating system is compromised, rebooted, or protected by traditional security measures. With a KVM-over-IP device, attackers can remotely control a machine as if they were physically present, maintaining persistent, stealthy access that goes undetected by software-based security tools such as EDR or firewalls.
To read about other sub-techniques of the T1219 Remote Access Tools technique, you can visit the related hub blog.
Like T1219.001, T1219.003 is a new sub-technique under T1219 (Remote Access Tools) within the Command and Control tactic [1]. It was created in March 2025 and last modified on May 2, 2025. This technique focuses specifically on adversaries using physical hardware devices to establish remote access to compromised systems.
Adversaries use legitimate remote access hardware to establish interactive command-and-control channels, including IP-based KVM devices such as TinyPilot and PiKVM. These physical devices provide:
The creation of this sub-technique was directly informed by extensive North Korean operations uncovered throughout 2024 and 2025 [2].
A U.S. law enforcement operation conducted between October 2024 and June 2025 led to searches at 29 suspected laptop farms across 16 states. These locations hosted company-issued laptops connected to KVM switches, enabling remote access for DPRK IT workers. The operation uncovered more than $5 million in illicit revenue, while U.S. companies suffered approximately $3 million in financial losses. During these intrusions, sensitive data, including U.S. military technology regulated under ITAR, was accessed and exfiltrated.
Remote IT workers access devices using IP-based KVM solutions such as PiKVM. Hardware devices like TinyPilot and PiKVM function as physical KVM-over-IP solutions, allowing operatives to control computers remotely as if they were physically present by connecting directly to a system's HDMI and USB ports.
These actors commonly leverage IP-KVM devices, particularly PiKVM hardware, which plug directly into target machines to provide low-level, hardware-based control. This capability enables remote physical access to even highly secured corporate laptops, effectively replicating on-site presence and bypassing many traditional security controls.
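As an added defensive example (not from the original article or from MITRE), the sketch below triages an endpoint USB inventory for devices that resemble the KVM-over-IP hardware described above. The JSON field names, host names and sample records are constructed assumptions, and a name match relies on descriptor strings that are configurable on the device.

```python
import json
import re

# Product names come from the article; descriptor strings are configurable on
# the device, so a name match is a heuristic and its absence proves nothing.
NAME_PATTERN = re.compile(r"pi-?kvm|tiny-?pilot", re.IGNORECASE)
# 1d6b:0104 is the Linux Foundation "Multifunction Composite Gadget" ID.
# Assumption: a Linux-based KVM may enumerate with it when left unchanged.
LINUX_GADGET_IDS = {("1d6b", "0104")}
USB_CLASS_HID = 0x03  # USB class code for human interface devices
SEVERITY_RANK = {"high": 0, "medium": 1}

# Constructed sample inventory: hosts, field names and values are hypothetical.
SAMPLE_INVENTORY = """[
 {"host": "LT-0141", "vid": "046d", "pid": "c31c", "manufacturer": "Logitech",
  "product": "USB Keyboard", "interface_classes": [3]},
 {"host": "LT-0207", "vid": "1d6b", "pid": "0104", "manufacturer": "PiKVM",
  "product": "Composite KVM Device", "interface_classes": [3, 3, 8]},
 {"host": "LT-0312", "vid": "1D6B", "pid": "0104", "manufacturer": "Generic",
  "product": "USB Input", "interface_classes": [3, 3]},
 {"host": "LT-0312", "vid": "1d6b", "pid": "0104", "manufacturer": "Acme",
  "product": "Ethernet Gadget", "interface_classes": [2, 10]}
]"""


def classify(dev):
    """Return (severity, reason) for a suspicious device record, else None."""
    strings = f"{dev.get('manufacturer', '')} {dev.get('product', '')}"
    if NAME_PATTERN.search(strings):
        return ("high", "descriptor string names a KVM-over-IP product")
    ids = (dev.get("vid", "").lower(), dev.get("pid", "").lower())
    # A Linux gadget without a HID interface (e.g. USB Ethernet) is not flagged.
    if ids in LINUX_GADGET_IDS and USB_CLASS_HID in dev.get("interface_classes", []):
        return ("medium", "Linux USB gadget presenting HID input")
    return None


def find_suspect_devices(inventory_json):
    """Parse the inventory and return findings, highest severity first."""
    findings = []
    for dev in json.loads(inventory_json):
        verdict = classify(dev)
        if verdict:
            findings.append({"host": dev["host"], "severity": verdict[0],
                             "reason": verdict[1], "id": f"{dev['vid']}:{dev['pid']}".lower()})
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"]))


if __name__ == "__main__":
    for finding in find_suspect_devices(SAMPLE_INVENTORY):
        print(finding)
```

A medium finding is a lead for physical inspection of the laptop rather than a verdict, since other legitimate Linux-based USB gadgets can enumerate the same way.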
This sub-technique represents a significant evolution in adversary tradecraft, where state-sponsored actors are combining social engineering (fake identities), physical infrastructure (laptop farms), and hardware-based persistence mechanisms (KVM devices) to maintain long-term access while funding illicit weapons programs.
[1] “Remote Access Tools: Remote Access Hardware.” Available: https://attack.mitre.org/techniques/T1219/003/. [Accessed: Dec. 22, 2025]
[2] “DPRK IT Workers Expanding in Scope and Scale,” Google Cloud Blog, Apr. 01, 2025. Available: https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale. [Accessed: Dec. 22, 2025]