North Korean IT Personnel in Western Businesses Now Seeking Payment for Stolen Information

Oct 18, 2024Ravie LakshmananInsider Threat / Cyber Espionage


North Korean information technology (IT) workers who are hired by Western companies under fake identities are not only stealing intellectual property but are now also demanding payment to keep it from being leaked, a new development in their financially motivated operations.

“In certain cases, deceitful employees have requested payments from their previous employers after obtaining internal access, a method that was not previously observed in similar plots,” Secureworks Counter Threat Unit (CTU) said in an analysis published this week. “In one situation, a subcontractor extracted confidential data almost immediately after commencing their role in mid-2024.”

The activity, the cybersecurity firm said, overlaps with a threat group it tracks as Nickel Tapestry, which is also known as Famous Chollima and UNC5267.


The fraudulent IT worker scheme, designed to advance North Korea’s strategic and financial interests, is an insider threat operation in which operatives infiltrate Western companies to generate illicit revenue for the sanctions-hit country.

These North Korean workers are typically sent to countries such as China and Russia, from where they pose as freelancers looking for work. They have also been observed assuming the identities of legitimate U.S. residents to achieve the same ends.

They are also known to request changes to the shipping addresses of company-issued laptops, redirecting the devices to intermediaries at suspected laptop farms. Those intermediaries are paid by overseas facilitators and install remote desktop software that lets the North Korean operators connect to the machines.

In addition, several such contractors may end up employed at the same organization, or a single individual may operate under multiple identities.

Secureworks also observed cases in which the fake contractors asked to use their own laptops, and even prompted companies to cancel laptop shipments entirely after the delivery address was changed while the device was in transit.


“These actions are consistent with Nickel Tapestry strategies of avoiding corporate laptops, potentially negating the necessity for a local facilitator and restricting access to forensic data,” it noted. “This tactic enables the contractors to leverage their personal laptops to remotely connect to the company’s networks.”

In one case, a worker who was let go by an unnamed company for poor performance went on to send extortion emails containing compressed archives as proof of the data theft, marking an evolution in the threat actors’ tactics.


“This change significantly alters the threat landscape associated with inadvertently hiring North Korean IT staff,” said Rafe Pilling, Director of Threat Intelligence at Secureworks CTU. “They are now not merely seeking a regular income but are pursuing larger sums quicker through data theft and blackmail, circumventing the organization’s defenses.”

To counter this threat, organizations are advised to exercise caution during recruitment: verify candidate identities thoroughly, conduct in-person or video interviews, and watch for warning signs such as attempts to redirect corporate IT equipment shipped to the contractor’s stated home address, requests to route salary payments through money transfer services, and access to the corporate network via unauthorized remote access tools.
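None of the warning signs above is conclusive on its own, but they tend to cluster on the same contractor, so a practical control is to correlate them across HR, asset-management, payroll and endpoint data. The script below is an added example (not Secureworks’ or the article’s own tooling): it maps constructed event records to the indicators named in this article, scores each contractor, and escalates anyone who crosses a threshold. The event schema, the list of unapproved remote access tools, the indicator weights and the threshold are all assumptions chosen for illustration.

```python
"""Correlate onboarding, asset, payroll and endpoint signals into a per-contractor risk view.

Added example; event format, tool list, weights and threshold are assumptions,
not anything published with the article.
"""
from collections import defaultdict

# Assumption: remote access tools that are not approved in this hypothetical environment.
UNAPPROVED_REMOTE_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop", "chrome remote desktop"}

# Assumed weights per indicator; the escalation threshold is a tuning choice.
WEIGHTS = {
    "laptop_redirected_in_transit": 3,
    "laptop_shipment_cancelled": 2,
    "personal_laptop_requested": 2,
    "payroll_to_money_transfer": 2,
    "unapproved_remote_tool": 3,
    "video_refused": 1,
}
ESCALATE_AT = 5

# Constructed sample events from several (hypothetical) systems of record.
SAMPLE_EVENTS = [
    {"type": "interview", "contractor": "ctr-1042", "camera_on": False},
    {"type": "shipment", "contractor": "ctr-1042", "asset": "LT-88231", "status": "address_changed_in_transit"},
    {"type": "byod_request", "contractor": "ctr-1042"},
    {"type": "payroll_change", "contractor": "ctr-1042", "dest_type": "money_transfer"},
    {"type": "software_inventory", "contractor": "ctr-1042", "host": "LT-88231", "software": "AnyDesk"},
    {"type": "interview", "contractor": "ctr-2210", "camera_on": True},
    {"type": "shipment", "contractor": "ctr-2210", "asset": "LT-88240", "status": "delivered"},
    {"type": "payroll_change", "contractor": "ctr-2210", "dest_type": "bank"},
    {"type": "software_inventory", "contractor": "ctr-2210", "host": "LT-88240", "software": "Visual Studio Code"},
]


def indicators_for(event):
    """Map one raw event to a list of indicator names (empty if the event is benign)."""
    kind = event["type"]
    if kind == "shipment" and event.get("status") == "address_changed_in_transit":
        return ["laptop_redirected_in_transit"]
    if kind == "shipment" and event.get("status") == "cancelled_by_contractor":
        return ["laptop_shipment_cancelled"]
    if kind == "byod_request":
        return ["personal_laptop_requested"]
    if kind == "payroll_change" and event.get("dest_type") == "money_transfer":
        return ["payroll_to_money_transfer"]
    if kind == "software_inventory" and event.get("software", "").lower() in UNAPPROVED_REMOTE_TOOLS:
        return ["unapproved_remote_tool"]
    if kind == "interview" and event.get("camera_on") is False:
        return ["video_refused"]
    return []


def score_contractors(events):
    """Return {contractor: {"score": int, "indicators": [..], "escalate": bool}} for every contractor seen."""
    seen = defaultdict(set)
    for ev in events:
        # Each indicator counts once per contractor, so repeated events do not inflate the score.
        seen[ev["contractor"]].update(indicators_for(ev))
    report = {}
    for contractor, inds in seen.items():
        score = sum(WEIGHTS[i] for i in inds)
        report[contractor] = {
            "score": score,
            "indicators": sorted(inds),
            "escalate": score >= ESCALATE_AT,
        }
    return report


if __name__ == "__main__":
    for contractor, result in sorted(score_contractors(SAMPLE_EVENTS).items()):
        flag = "ESCALATE" if result["escalate"] else "ok"
        print(f"{contractor}: score={result['score']} [{flag}] {', '.join(result['indicators']) or '-'}")
```

In a real deployment the events would come from the HR system, the asset-tracking system, payroll and the endpoint agent rather than a hard-coded list; the point is that the correlation key is the contractor identity, and that a redirected laptop or a remote access tool on its own is noise while the combination is a strong signal.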

“This escalation and the actions outlined in the FBI alert underscore the deliberate nature of these tactics,” Secureworks CTU said, also pointing to the workers’ suspicious financial activity and their efforts to avoid turning on video during calls.

“The introduction of ransom demands signifies a significant shift from past Nickel Tapestry ploys. Nevertheless, the activity witnessed before the extortion aligns with previous occurrences involving North Korean employees.”
