A recent report has shed light on the expanding operations of North Korean workers posing as remote IT employees who are now engaging in intellectual property theft and extortion tactics against Western companies. This alarming trend, as highlighted by Secureworks’ counter threat unit, represents a significant shift in the risk profile for organizations that inadvertently hire these fraudulent workers.
The report reveals that North Korean nationals have been using stolen identities to secure remote jobs with Western firms, with the proceeds from these activities being funneled back to the regime. What was once a scheme to generate hard currency for Pyongyang through paychecks has now evolved into a more sinister operation involving the exfiltration of sensitive data from employers and subsequent ransom demands under the threat of leaking this information.
The tactics employed by these aggressive North Korean IT workers align with previous fraud campaigns carried out by the “Nickel Tapestry” threat group, as noted in the report. The emergence of ransom demands marks a departure from their previous schemes, with threat actors now demanding significant sums in cryptocurrency to prevent the publication of stolen documents.
According to Secureworks, the fraudulent North Korean workers are exfiltrating proprietary data to personal Google Drive locations through corporate VDI solutions. Additionally, researchers have observed these threat actors using Chrome Remote Desktop services to access corporate systems.
In a related development, federal prosecutors in Arizona recently indicted an individual for assisting North Korean nationals in obtaining IT work with U.S. Fortune 500 companies, while Polish authorities arrested a Ukrainian national for similar activities. The U.S. Department of State has also offered a reward for information on four North Korean IT workers in connection with these schemes.
A confidential United Nations report has further warned about North Korea’s use of hack attacks to finance its weapons-development programs, including online bank heists and cryptocurrency mining operations. The report also highlighted the regime’s continued violations of global sanctions in order to fund its weapons programs.
Overall, the revelations in the report underscore the growing threat posed by North Korean workers engaging in intellectual property theft and extortion tactics. As organizations grapple with the evolving landscape of cyber threats, it is imperative to remain vigilant and adopt robust cybersecurity measures to safeguard against such malicious activities.