Information technology (IT) workers from North Korea who obtain jobs at Western companies under false pretenses are now, in addition to stealing intellectual property, demanding ransom payments to keep the stolen data from being leaked, a new development in their financially motivated attacks.
“In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes,” the Secureworks Counter Threat Unit (CTU) said in an analysis published this week. “In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024.”
The cybersecurity firm also noted that the conduct is consistent with that of Nickel Tapestry, a threat group it tracks under the aliases Famous Chollima and UNC5267.
The fraudulent IT worker scheme is an insider threat operation in which operatives infiltrate Western organizations to generate illicit revenue for the sanctioned country, advancing North Korea's financial and strategic interests.
These North Korean workers are typically dispatched to countries such as China and Russia, from where they pose as freelance contractors seeking employment. To the same end, they have also been known to steal the identities of legitimate U.S. residents.
They are also known to request that the delivery address for company-issued laptops be changed, frequently redirecting the devices to intermediaries at laptop farms. These intermediaries are paid by foreign-based facilitators and are responsible for installing the remote desktop software that lets the North Korean actors reach the machines.
A single contractor may also operate under multiple personas, or several contractors may be hired by the same organization.
According to Secureworks, it has also seen cases in which fake contractors requested permission to use their own laptops, and even caused companies to cancel laptop shipments entirely after the contractors changed the delivery address while the package was en route.
“This behaviour aligns with Nickel Tapestry’s tradecraft of attempting to avoid corporate laptops, potentially eliminating the need for an in-country facilitator and limiting access to forensic evidence,” it said. “This tactic allows the contractors to use their personal laptops to remotely access the organization’s network.”
Evidence has surfaced of a contractor whose employment was terminated by an unnamed company for poor performance subsequently sending extortion emails with ZIP attachments containing proof of stolen data, a sign that the threat actors are adapting and escalating their activities.
“This shift significantly changes the risk profile associated with inadvertently hiring North Korean IT workers,” Rafe Pilling, Director of Threat Intelligence at Secureworks CTU, said in a statement. “No longer are they just after a steady pay cheque; they are looking for higher sums, more quickly, through data theft and extortion from inside the company defences.”
Although only a small share of incidents appear to escalate into extortion, Pilling told the media that the North Korean IT worker operation as a whole involves hundreds, if not thousands, of people worldwide. These efforts have mostly targeted software development firms that rely on remote workers.
Organisations have been advised to guard against the threat during the hiring process by conducting thorough identity checks and in-person or video interviews, and by watching for attempts to redirect corporate IT equipment sent to the contractor's stated home address, to route pay cheques to money transfer services, or to use unauthorised remote access tools to reach the corporate network.
“This escalation and the behaviours listed in the FBI alert demonstrate the calculated nature of these schemes,” Secureworks CTU said, pointing out the workers’ suspicious financial behaviour and their attempts to avoid enabling video during calls.
“The emergence of ransom demands marks a notable departure from prior Nickel Tapestry schemes. However, the activity observed prior to the extortion aligns with previous schemes involving North Korean workers.”