North Korea Escalates Fake IT Worker Schemes to Extort Employers

Summary:
Secureworks Counter Threat Unit (CTU) researchers have identified evolving tactics in fraudulent employment schemes involving North Korean IT workers, linked to the NICKEL TAPESTRY threat group. These schemes involve North Korean nationals using stolen or falsified identities to secure employment at Western companies, including those in the U.S., UK, and Australia. Historically, these operations were primarily focused on obtaining long-term employment to generate revenue for the North Korean regime. However, recent incidents show a shift toward more aggressive tactics, including data theft and extortion.

In mid-2024, a contractor exfiltrated proprietary data shortly after being hired, marking a new trend of insider threats. The fraudulent workers frequently requested to reroute corporate laptops to "laptop farms" or asked to use personal devices instead, a tactic aligned with NICKEL TAPESTRY's efforts to avoid forensic detection. These workers often accessed company networks using personal laptops through virtual desktop infrastructure (VDI) and used cloud storage services like Google Drive to steal data. They masked their locations using VPN services such as Astrill VPN and residential proxies, making it difficult to trace their activities. In one case, after the worker was terminated for poor performance, the company received ransom demands from an external email address, threatening to publish the stolen data unless a six-figure cryptocurrency payment was made. This escalation into ransom demands represents a significant change in the group's tactics, as previous schemes had not included extortion.

Security Officer Comments:
The use of remote desktop tools like Chrome Remote Desktop and AnyDesk was also observed, even though these tools were not part of the workers' assigned responsibilities. Investigators found that these tools connected to VPNs, further concealing the true locations of the North Korean actors. Fraudulent contractors also displayed suspicious behaviors during video calls, often avoiding the use of webcams by claiming technical issues or using software like SplitCam to hide their identities. Another pattern observed by CTU researchers is the coordinated nature of these fraudulent schemes. Investigations revealed that multiple fraudulent workers within the same company were often linked, providing references for one another or adopting similar resume formats and communication styles. In some cases, multiple individuals shared the same email address or job role, further complicating efforts to identify the true perpetrators.


Suggested Corrections:
CTU researchers recommend that organizations thoroughly verify candidates’ identities by checking documentation for consistency, including their name, nationality, contact details, and work history. Conducting in-person or video interviews and monitoring for suspicious activity (e.g., long speaking breaks) during video calls can reveal potential fraud. Organizations should be wary of candidates’ requests to change their address during the onboarding process and to route paychecks to money transfer services. IT staff should restrict the use of unauthorized remote access tools and limit access to non-essential systems.
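The behaviours described in the Security Officer Comments (unauthorized remote desktop tools, VDI access through VPNs or residential proxies, bulk uploads to personal cloud storage) and the recommendation above to restrict unauthorized remote access tools map naturally onto endpoint and VDI telemetry rules. The following is an added detection sketch, not code from Secureworks or the article: the log lines, the role policy, the network-prefix lookup, the executable names used to recognise the tools and the upload threshold are all constructed assumptions that would be replaced by an organization's own EDR naming, IP-reputation feed and baselines. It escalates any user who trips more than one rule, since it is the stacking of these indicators, rather than any single one, that the report describes.

```python
"""Detection sketch over constructed endpoint/VDI telemetry: flags
unauthorized remote-access tools, VDI logins via VPN/residential proxy and
bulk uploads to cloud storage, then escalates users tripping 2+ rules.
Added example; all sample data and lookup tables below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Tools named in the report. Executable names are an assumption about how
# these tools appear in process telemetry; adjust to your EDR's naming.
UNAUTHORIZED_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "remoting_host.exe": "Chrome Remote Desktop",
    "splitcam.exe": "SplitCam",
}
# Constructed role policy: only these roles may run remote-access tools.
ROLES_ALLOWED_REMOTE_TOOLS = {"it-support"}
# Constructed enrichment table (prefix -> provider class) using documentation
# ranges. In production this would come from an IP-reputation feed.
SOURCE_NET_CLASS = {"203.0.113.": "commercial-vpn", "198.51.100.": "residential-proxy"}
CLOUD_STORAGE_HOSTS = {"drive.google.com", "docs.google.com"}
UPLOAD_THRESHOLD_BYTES = 500 * 1024 * 1024  # constructed: 500 MiB per user


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    detail: str


def parse_line(line: str) -> dict:
    """Parse a constructed 'key=value key=value' telemetry line."""
    return dict(tok.partition("=")[::2] for tok in line.split())


def classify_source(ip: str) -> str:
    """Map a source IP to a provider class via the constructed prefix table."""
    return next((cls for pfx, cls in SOURCE_NET_CLASS.items() if ip.startswith(pfx)), "unknown")


def evaluate(lines, user_roles):
    """Return (alerts, escalated users); escalated = tripped 2+ distinct rules."""
    alerts = []
    upload_bytes = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        user, kind = ev.get("user", "?"), ev.get("type")
        if kind == "process":
            # Strip any Windows path so only the image name is compared.
            exe = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            if exe in UNAUTHORIZED_TOOLS and user_roles.get(user) not in ROLES_ALLOWED_REMOTE_TOOLS:
                alerts.append(Alert(user, "unauthorized-remote-tool", UNAUTHORIZED_TOOLS[exe]))
        elif kind == "vdi_login":
            cls = classify_source(ev.get("src", ""))
            if cls != "unknown":
                alerts.append(Alert(user, "vdi-login-from-anonymizer", f"{cls} {ev.get('src')}"))
        elif kind == "upload" and ev.get("host") in CLOUD_STORAGE_HOSTS:
            upload_bytes[user] += int(ev.get("bytes", 0))
    for user, total in upload_bytes.items():
        if total >= UPLOAD_THRESHOLD_BYTES:
            alerts.append(Alert(user, "bulk-cloud-upload", f"{total} bytes to personal cloud storage"))
    rules_per_user = defaultdict(set)
    for a in alerts:
        rules_per_user[a.user].add(a.rule)
    escalated = {u for u, rules in rules_per_user.items() if len(rules) >= 2}
    return alerts, escalated


# Constructed sample telemetry: jdoe (developer) shows all three behaviours;
# asmith (it-support) runs AnyDesk legitimately from a non-anonymized source.
SAMPLE_LOG = [
    "type=vdi_login user=jdoe src=203.0.113.45",
    r"type=process user=jdoe image=C:\Tools\AnyDesk.exe",
    "type=upload user=jdoe host=drive.google.com bytes=300000000",
    "type=upload user=jdoe host=drive.google.com bytes=300000000",
    "type=vdi_login user=asmith src=192.0.2.10",
    r"type=process user=asmith image=C:\Tools\AnyDesk.exe",
    "type=upload user=asmith host=drive.google.com bytes=1000",
]
USER_ROLES = {"jdoe": "developer", "asmith": "it-support"}

if __name__ == "__main__":
    found, escalated = evaluate(SAMPLE_LOG, USER_ROLES)
    for a in found:
        print(f"[{a.rule}] {a.user}: {a.detail}")
    print("escalate for investigation:", sorted(escalated))
```

Run against the constructed sample, only jdoe is flagged, on all three rules, and is therefore escalated; asmith's AnyDesk use is suppressed by the role policy, which is the distinction the "restrict unauthorized remote access tools" recommendation relies on. The role table and threshold are the tunable parts: the value of the rule set comes from correlating the indicators per user, not from any one of them alone.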

Link(s):
https://www.infosecurity-magazine.com/news/north-korea-it-worker-extort/
https://www.secureworks.com/blog/fraudulent-north-korean-it-worker-schemes