North Korean hackers have been identified using fraudulent IT workers to infiltrate Western companies, stealing sensitive data, and demanding ransom for its return, according to a recent report by cybersecurity firm Secureworks. The North Korean threat group NICKEL TAPESTRY has been revealed as the mastermind behind this scheme, operating from “laptop farms” and using stolen or falsified identities to deceive HR departments at companies in the US, UK, and Australia.
The hackers, posing as legitimate IT workers, employ a variety of tactics to conceal their true identities and locations. They request changes to the delivery addresses for corporate laptops, redirecting the devices to laptop farms, and express a preference for working from personal laptops and virtual desktop infrastructure (VDI) setups. By remotely accessing company networks without leaving a trace, they are able to exfiltrate sensitive data and demand ransom for its return.
One alarming aspect of this scheme is the collaboration between fake workers, who provide fake references for each other, perform job duties on each other’s behalf, and communicate via email while disguising themselves as different individuals. Secureworks’ Counter Threat Unit research team highlighted the emergence of ransom demands as a notable departure from previous NICKEL TAPESTRY schemes, significantly increasing the potential financial damage caused by these attacks.
The use of residential proxy addresses, VPNs, and “Splitcam” software during video calls allows the hackers to mask their actual IP addresses and present fake, AI-generated likenesses of themselves. This sophisticated approach makes it challenging for organizations to detect and prevent these fraudulent activities.
The history of North Korean hackers posing as IT workers dates back to 2018, when similar tactics were observed targeting Fortune 100 companies and funneling stolen intellectual property back to North Korea. The US government issued a warning in May 2022 about the threat of North Korean hackers disguised as IT freelancers, emphasizing the need for organizations to be vigilant against such deceptive practices.
In July 2024, North Korean hackers targeted KnowBe4, a prominent U.S.-based cybersecurity company, by infiltrating the company through a fake IT worker and attempting to compromise its systems using malware installed on a company-issued MacBook.
To protect themselves from this evolving threat, Secureworks advises companies to conduct thorough background checks and verify candidate identities. Red flags include unusual work traits, communication patterns, and behavior during interviews. By staying vigilant and implementing strict verification processes, organizations can reduce the risk of falling victim to these deceptive schemes.
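The report's red flags (laptop delivery reroutes, several hires shipping to one address, and applicants vouching for each other) can be turned into a simple onboarding audit. The following is an added illustration, not code from Secureworks or the report; the hire records are constructed sample data and the field names are assumptions.

```python
from collections import defaultdict

# Constructed sample onboarding records (not from the Secureworks report).
# Each record: new-hire id, stated home address, laptop delivery address,
# whether a delivery re-route was requested, and the references they listed.
HIRES = [
    {"id": "h1", "home": "12 Oak St, Austin TX", "ship_to": "900 Farm Rd, Phoenix AZ",
     "reroute": True, "refs": ["h2", "ext-a"]},
    {"id": "h2", "home": "5 Pine Ave, Denver CO", "ship_to": "900 Farm Rd, Phoenix AZ",
     "reroute": True, "refs": ["h1"]},
    {"id": "h3", "home": "77 Elm St, Boston MA", "ship_to": "77 Elm St, Boston MA",
     "reroute": False, "refs": ["ext-b"]},
]


def audit_hires(hires):
    """Return {hire_id: [red flags]} built from three signals the report describes."""
    flags = defaultdict(list)
    ids = {h["id"] for h in hires}
    by_id = {h["id"]: h for h in hires}
    by_ship = defaultdict(list)
    for h in hires:
        by_ship[h["ship_to"].lower()].append(h["id"])
    for h in hires:
        hid = h["id"]
        # 1. Laptop redirected away from the stated home address (possible laptop farm).
        if h["reroute"] or h["ship_to"].lower() != h["home"].lower():
            flags[hid].append("laptop_rerouted")
        # 2. Several new hires sharing one delivery address.
        peers = sorted(x for x in by_ship[h["ship_to"].lower()] if x != hid)
        if peers:
            flags[hid].append("shared_delivery_address:" + ",".join(peers))
        # 3. References who are themselves hires, flagged harder when they are mutual.
        for ref in h["refs"]:
            if ref in ids:
                kind = "mutual_reference:" if hid in by_id[ref]["refs"] else "internal_reference:"
                flags[hid].append(kind + ref)
    return dict(flags)


if __name__ == "__main__":
    for hire, reasons in audit_hires(HIRES).items():
        print(hire, reasons)
```

Only hires with at least one flag appear in the result, so a clean record such as h3 is absent rather than listed with an empty list.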
In conclusion, the infiltration of Western companies by North Korean hackers using fraudulent IT workers underscores the importance of cybersecurity vigilance and robust verification processes. By remaining aware of these deceptive tactics and taking proactive measures to protect sensitive data, organizations can safeguard themselves against this growing threat.