Wednesday, April 2, 2025

North Korean cyber operatives embedded within western corporations are increasingly leveraging stolen intellectual property to demand multimillion-dollar ransoms from their former employers.

North Korean IT workers operating under false identities inside Western companies do not stop at stealing intellectual property: they are now also demanding ransom payments to keep the stolen data from being leaked, adding a new layer to their schemes.

According to Secureworks’ Counter Threat Unit (CTU), in some cases former employees with insider knowledge have gone on to demand ransom payments from the companies that dismissed them. This tactic marks a departure from the group’s earlier schemes. “A lone contractor compromised sensitive data mere minutes into their new role in July 2024, highlighting the imperative need for rigorous vetting and ongoing monitoring.”

The activity overlaps with the threat profile that the firm tracks under the Nickel Tapestry designation.

The scheme works by placing fraudulent IT workers inside Western companies, where they deliberately compromise sensitive information and technology to serve the sanctions-hit nation’s strategic and financial interests.

The operatives are typically based in countries such as China and Russia, from where they present themselves as freelance professionals seeking new work. They have also been found stealing the identities of unsuspecting Americans living in the United States to the same end.

A known part of their tradecraft is to request changes to the delivery address for company-issued laptops. The devices are rerouted to intermediaries at obscure locations, who install remote desktop software on them and are paid by foreign-based facilitators for doing so, giving the North Korean operatives access to the machines.

Some contractors have been found working for the same company more than once, or under several personas at the same time, which multiplies their opportunities for access.

Secureworks has also identified cases in which fake contractors tried to use their own laptops instead, going so far as to convince organizations to cancel laptop shipments by altering the delivery address while the device was in transit.

This behaviour is consistent with established Nickel Tapestry tradecraft, which favours keeping activity off company-managed laptops so that less evidence is available for investigators, while the contractors use their personal machines for remote access to the organization’s network.

In a sign of how the actors are escalating, one contractor whose employment was terminated for underperformance subsequently sent the company threatening emails, attaching ZIP files of stolen data as leverage.

Rafe Pilling, Director of Threat Intelligence at Secureworks CTU, said in a statement that the shift “considerably adjusts the danger profile associated with inadvertently hiring North Korean IT staff.” “Not only do they crave a steady income, but they’re also seeking substantial, prompt gains through internal data breaches and coercive demands.”

To reduce the risk, organizations are advised to be careful throughout the hiring process: verify candidates’ identities rigorously, hold in-person or video interviews, and watch for attempts to redirect company IT equipment shipped to a contractor’s declared home address. Payments routed to money transfer services and unauthorized remote access tools appearing on the company network are further warning signs.
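As an added illustration (not code from Secureworks or this article) of two of the checks listed above, the Python below runs over constructed onboarding, shipping-log and endpoint-inventory records and flags laptop shipments that diverge from the declared home address and remote-access tools installed soon after a contractor starts. The field names and the tool list are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records for illustration; none of these are real data.
# Home address each contractor declared at onboarding, and their start date.
DECLARED_ADDRESSES = {"c-1001": "12 Elm St, Austin, TX 78701"}
START_DATES = {"c-1001": datetime.fromisoformat("2024-07-01T00:00")}

# Carrier/shipping-log events for the company-issued laptop (field names are assumed).
SHIPMENT_EVENTS = [
    {"ts": "2024-07-01T09:00", "contractor": "c-1001", "event": "label_created",
     "ship_to": "12 Elm St, Austin, TX 78701"},
    {"ts": "2024-07-02T14:30", "contractor": "c-1001", "event": "address_change",
     "ship_to": "9 Warehouse Rd, Unit 4, Reno, NV 89502"},
    {"ts": "2024-07-03T08:00", "contractor": "c-1001", "event": "delivered",
     "ship_to": "9 Warehouse Rd, Unit 4, Reno, NV 89502"},
]

# Software inventory reported by the endpoint agent (field names are assumed).
SOFTWARE_INVENTORY = [
    {"contractor": "c-1001", "software": "AnyDesk", "installed_at": "2024-07-03T11:15"},
    {"contractor": "c-1001", "software": "Slack", "installed_at": "2024-07-03T11:20"},
]

# Remote-access tools to watch for: an illustrative list, not one taken from the article.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop"}


def shipment_alerts(declared, events):
    """Flag any shipment event whose ship-to address differs from the declared home address."""
    alerts = []
    for e in events:
        home = declared.get(e["contractor"])
        if home and e["ship_to"].strip().lower() != home.strip().lower():
            alerts.append(f"{e['ts']} {e['contractor']}: {e['event']} to undeclared address {e['ship_to']!r}")
    return alerts


def remote_tool_alerts(inventory, start_dates, window_days=14):
    """Flag remote-access tools installed within window_days of the contractor's start date."""
    alerts = []
    for item in inventory:
        start = start_dates.get(item["contractor"])
        if start is None or item["software"].lower() not in REMOTE_ACCESS_TOOLS:
            continue
        age = datetime.fromisoformat(item["installed_at"]) - start
        if timedelta(0) <= age <= timedelta(days=window_days):
            alerts.append(f"{item['installed_at']} {item['contractor']}: {item['software']} installed {age.days}d after start")
    return alerts
```

Running both functions over the sample data yields two shipment alerts (the address change and the delivery to the undeclared address) and one remote-tool alert for AnyDesk; Slack is not flagged.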

Secureworks’ CTU notes that this escalation, together with the behaviours highlighted in the FBI alert, such as unusual financial transactions by employees and efforts to keep cameras off during video calls, points to a deliberate strategy by the perpetrators.

The emergence of ransom demands marks a significant departure from earlier Nickel Tapestry activity. The activity leading up to the extortion, however, was consistent with the prior schemes involving North Korean IT workers.
