Fake North Korean IT Workers Now Extort Employers
North Korean nationals are using fake or stolen identities to obtain employment with companies, accessing confidential data, and then demanding ransom payments from the employers.
Over the past two years, both the U.S. government and security researchers have highlighted a concerning trend: fraudulent IT workers linked to the North Korean government use fake or stolen identities to obtain employment with U.S. companies and then use that employment to access confidential data. Now, researchers with Secureworks are confirming instances where the fraudulent workers have taken the scheme a step further, demanding ransom payments from the employers over the accessed data.
The Hack:
- In some cases, after fraudulent contractors were hired, they requested permission to use a personal laptop instead of a corporate device, and then used the personal device to remotely access the organization’s network.
- In one instance, the contractor exfiltrated company data to a personal Google Drive location, using residential proxy addresses to disguise the actual IP addresses used for the activity.
- After the organization terminated the “contractor” due to poor performance, it received a number of emails that included proof of the stolen data and demanded a six-figure cryptocurrency ransom to avoid exposure of the data.
The Big Picture: For the past few years, North Korean threat actors have been carrying out this corporate infiltration scheme to generate revenue for the North Korean regime, and also to gain privileged access that enables cyber intrusions.
Many companies have been targeted in this type of scheme. Charles Carmakal, CTO with Mandiant, said that researchers have observed dozens of Fortune 100 organizations unknowingly hiring IT workers from North Korea.
Why It Matters: The emergence of ransom demands in this scheme marks a “notable departure” for the activity that Secureworks has linked to the threat group, Nickel Tapestry. In one instance, the contractor exfiltrated data “almost immediately after starting employment in mid-2024,” they said.
“The extortion incident reveals that NICKEL TAPESTRY has expanded its operations to include theft of intellectual property with the potential for additional monetary gain through extortion,” they said. “This shift significantly changes the risk profile for organizations that inadvertently hire a North Korean IT worker.”
What To Do: There are some tell-tale signs to watch out for with these types of fraudulent workers: for instance, they might make excuses for not turning on their camera during interviews, or correspond at times of the day that are unusual for their claimed locations.
Companies can implement more stringent measures in their hiring processes, including verifying identities through strict background checks, conducting in-person or video interviews, and looking out for suspicious behavior (like long speaking breaks) on video calls.
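The hiring-time checks above catch the front end of the scheme; the tradecraft described under “The Hack” (an unmanaged personal device, residential-proxy egress, bulk uploads to a personal Google Drive, and activity at hours that do not fit the claimed location) also leaves signals in VPN, EDR and proxy/CASB logs. The following Python is an added example, not code from Secureworks or from the original post, that scores each account against those four indicators and only escalates accounts that trip several of them. The log events, asset inventory, residential-proxy ranges, fixed UTC offsets for each worker’s claimed location (DST ignored), and thresholds are all constructed or assumed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# --- Assumed reference data (hypothetical; substitute your own sources) ---
# Fixed UTC offset for each worker's claimed home location (DST ignored for brevity).
CLAIMED_UTC_OFFSET = {"a.smith": -5, "j.doe": -5, "m.lee": -8}
# Hostnames present in the corporate asset inventory.
MANAGED_DEVICES = {"LAPTOP-HR-0412", "LAPTOP-ENG-0190", "LAPTOP-ENG-0233"}
# Personal cloud-storage destinations a contractor has no business reason to use.
PERSONAL_CLOUD_HOSTS = {"drive.google.com", "www.dropbox.com", "mega.nz"}
# Ranges a threat-intel feed tags as residential-proxy egress (hypothetical range).
RESIDENTIAL_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]
WORK_HOURS = range(7, 20)            # 07:00-19:59 local counts as plausible working time
OFF_HOURS_MIN_EVENTS = 3             # fewer than this is just someone working late once
UPLOAD_THRESHOLD_BYTES = 500 * 1024 ** 2

# --- Constructed sample events, shaped like merged VPN / EDR / proxy log records ---
EVENTS = [
    {"ts": "2024-07-02T14:05:00Z", "user": "a.smith", "kind": "vpn_login", "device": "LAPTOP-HR-0412", "ip": "203.0.113.10"},
    {"ts": "2024-07-02T16:00:00Z", "user": "a.smith", "kind": "upload", "device": "LAPTOP-HR-0412", "ip": "203.0.113.10",
     "host": "sharepoint.corp.example", "bytes": 50 * 1024 ** 2},
    {"ts": "2024-07-02T18:30:00Z", "user": "a.smith", "kind": "file_access", "device": "LAPTOP-HR-0412", "ip": "203.0.113.10"},
    # Contractor who asked to use a personal laptop; all activity arrives via residential proxies.
    {"ts": "2024-07-02T03:10:00Z", "user": "j.doe", "kind": "vpn_login", "device": "DESKTOP-7F3K2A", "ip": "198.51.100.42"},
    {"ts": "2024-07-02T05:30:00Z", "user": "j.doe", "kind": "vpn_login", "device": "DESKTOP-7F3K2A", "ip": "198.51.100.77"},
    {"ts": "2024-07-02T06:00:00Z", "user": "j.doe", "kind": "file_access", "device": "DESKTOP-7F3K2A", "ip": "198.51.100.9"},
    {"ts": "2024-07-02T07:45:00Z", "user": "j.doe", "kind": "upload", "device": "DESKTOP-7F3K2A", "ip": "198.51.100.42",
     "host": "drive.google.com", "bytes": 2400 * 1024 ** 2},
    # Legitimate engineer: one late-night login and a small personal-drive upload should not escalate.
    {"ts": "2024-07-02T17:00:00Z", "user": "m.lee", "kind": "vpn_login", "device": "LAPTOP-ENG-0190", "ip": "203.0.113.55"},
    {"ts": "2024-07-02T17:20:00Z", "user": "m.lee", "kind": "upload", "device": "LAPTOP-ENG-0190", "ip": "203.0.113.55",
     "host": "drive.google.com", "bytes": 10 * 1024 ** 2},
    {"ts": "2024-07-03T05:00:00Z", "user": "m.lee", "kind": "file_access", "device": "LAPTOP-ENG-0190", "ip": "203.0.113.55"},
]


def local_hour(ts: str, utc_offset_hours: int) -> int:
    """Hour of day in the worker's claimed time zone for a UTC 'Z' timestamp."""
    utc_dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc_dt.astimezone(timezone(timedelta(hours=utc_offset_hours))).hour


def is_residential_proxy(ip: str) -> bool:
    """True when the source address falls in a tagged residential-proxy range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PROXY_NETS)


def analyze(events):
    """Return {user: sorted list of indicator names}; users with no hits map to []."""
    findings = {}
    off_hours_count = {}
    for ev in events:
        user = ev["user"]
        hits = findings.setdefault(user, set())
        # 1. VPN session from a device that is not in the managed inventory.
        if ev["kind"] == "vpn_login" and ev["device"] not in MANAGED_DEVICES:
            hits.add("unmanaged_device")
        # 2. Any activity egressing through a residential proxy.
        if is_residential_proxy(ev["ip"]):
            hits.add("residential_proxy")
        # 3. Bulk upload to a personal cloud-storage service.
        if (ev["kind"] == "upload" and ev["host"] in PERSONAL_CLOUD_HOSTS
                and ev["bytes"] >= UPLOAD_THRESHOLD_BYTES):
            hits.add("cloud_exfil")
        # 4. Activity outside plausible working hours for the claimed location (counted, not scored yet).
        if local_hour(ev["ts"], CLAIMED_UTC_OFFSET[user]) not in WORK_HOURS:
            off_hours_count[user] = off_hours_count.get(user, 0) + 1
    for user, n in off_hours_count.items():
        if n >= OFF_HOURS_MIN_EVENTS:
            findings[user].add("off_hours")
    return {user: sorted(hits) for user, hits in findings.items()}


def users_to_review(report, min_findings: int = 2):
    """Escalate only accounts that trip several independent indicators, to limit false positives."""
    return sorted(user for user, hits in report.items() if len(hits) >= min_findings)


if __name__ == "__main__":
    report = analyze(EVENTS)
    for user, hits in report.items():
        print(f"{user}: {hits or 'no findings'}")
    print("review:", users_to_review(report))
```

Each indicator is weak on its own (engineers work late, travel, and sometimes sync small files to a personal drive), which is why the example counts off-hours activity rather than alerting on a single event and escalates only when two or more indicators coincide. In practice the residential-proxy ranges and claimed locations would come from a threat-intel feed and the HR record respectively, and the claimed-location check is only as good as the identity verification done at hiring.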