Recent intelligence reveals that North Korean IT professionals are infiltrating Western companies under false pretenses, not only stealing sensitive intellectual property but also extorting their employers for ransom to prevent data exposure. This notable shift signifies an escalation in the tactics used by these actors, moving beyond conventional data breaches to more aggressive extortion methods.

According to an analysis by Secureworks’ Counter Threat Unit (CTU), some of these fraudulent workers have resorted to demanding ransom payments from former employers after leveraging insider access. This novel tactic was exemplified in a case where a contractor swiftly exfiltrated proprietary data shortly after commencing employment in mid-2024.

The activities mirror those of the threat group known as Nickel Tapestry, also referred to as Famous Chollima and UNC5267. Secureworks highlights that this operation represents a comprehensive insider threat strategy aimed at achieving illicit financial gains for North Korea, a nation currently under significant economic sanctions.

Typically, these North Korean operatives are dispatched to neighboring countries such as China and Russia, where they pose as freelancers seeking job opportunities. Alternatively, they may assume the identities of legitimate U.S. residents, creating a façade to facilitate their infiltration. These cover identities let the operatives get past target companies' hiring and vetting controls.

As part of their deceptive practices, these workers frequently request the rerouting of company-issued laptops to third-party intermediaries, often referred to as laptop farms. These intermediaries install remote access software that allows the contractors to connect back to the corporate network. This tactic minimizes the need for an in-country facilitator and can obscure forensic evidence, aligning with established behaviors of the Nickel Tapestry group.

Moreover, the analysis indicates that multiple fraudulent contractors may be hired by the same organization, or a single individual could operate under various aliases. Secureworks previously identified instances where these contractors asked for permission to use personal laptops, and in some cases companies cancelled equipment shipments altogether after the delivery address was changed; both patterns make it harder to keep the contractor's endpoint under corporate control.

Evidence has emerged indicating that a contractor, who was dismissed for unsatisfactory performance, turned to sending extortion emails with ZIP files containing evidence of stolen data. This evolution in technique denotes a significant increase in the stakes involved in these operations, as extortion via stolen data now appears to be a growing trend.

Rafe Pilling, Secureworks’ Director of Threat Intelligence, emphasized that the implications of hiring North Korean IT workers now extend far beyond mere salary considerations. Companies are increasingly facing the prospect of substantial ransom demands, heightening the urgency for robust cybersecurity measures, especially among software development firms utilizing remote contractors.

Organizations are advised to exercise heightened vigilance during the recruitment process. This includes rigorous identity verification, in-person or video interviews, and monitoring for warning signs such as changed delivery addresses for IT equipment or attempts to redirect payments to external services. The shift in tactics and the emerging ransom demands reinforce the need for comprehensive security programs mapped to MITRE ATT&CK, covering adversary tactics such as initial access, persistence, and privilege escalation.
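The warning signs listed above (laptops rerouted away from the address on the HR record, several contractors sharing one delivery address, payouts redirected to an external service, remote access software appearing on a company-issued laptop) are individually noisy but stack up per contractor. The script below, an added example that is not code from the article or from Secureworks, correlates constructed HR records with constructed onboarding events and ranks contractors by how many distinct signals they trigger. Every field name, event kind, address and tool name is made up for the example; the "shared delivery address" heuristic is an assumption derived from the laptop-farm pattern described above, not a rule the article states.

```python
"""Correlate onboarding, asset-shipment and payroll events per contractor.

Constructed example: all records, field names and event kinds are made up.
A real deployment would read HR, IT asset and payroll exports instead.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Contractor:
    contractor_id: str
    hr_address: str           # residence on the HR record at hiring
    payroll_destination: str  # payout destination agreed at onboarding


@dataclass
class Event:
    contractor_id: str
    kind: str    # shipment_redirect | payout_change | remote_tool_installed
    detail: str  # new address, new payout destination, or tool name


# Constructed sample data (hypothetical contractors and events)
CONTRACTORS = [
    Contractor("C-1001", "12 Elm St, Denver, CO", "ACH acct ending 4411"),
    Contractor("C-1002", "88 Pine Ave, Austin, TX", "ACH acct ending 9020"),
    Contractor("C-1003", "5 Oak Rd, Boston, MA", "ACH acct ending 7310"),
]
EVENTS = [
    Event("C-1001", "shipment_redirect", "400 Warehouse Ln, Unit 7, Reno, NV"),
    Event("C-1002", "shipment_redirect", "400 Warehouse Ln,  Unit 7, Reno, NV"),
    Event("C-1001", "remote_tool_installed", "example-remote-desktop-agent"),
    Event("C-1002", "payout_change", "external payment service wallet 77A1"),
    Event("C-1003", "shipment_redirect", "5 Oak Rd, Boston, MA"),   # benign
    Event("C-1003", "payout_change", "ACH acct ending 7310"),       # benign
]


def normalize(text: str) -> str:
    """Case- and whitespace-insensitive comparison key for addresses/accounts."""
    return " ".join(text.lower().split())


def find_findings(contractors, events):
    """Return (contractor_id, finding_type, detail) tuples for suspicious events."""
    by_id = {c.contractor_id: c for c in contractors}
    findings = []
    ship_to = defaultdict(set)  # delivery address -> contractors shipped to it

    for ev in events:
        c = by_id.get(ev.contractor_id)
        if c is None:
            findings.append((ev.contractor_id, "unknown_contractor", ev.detail))
            continue
        if ev.kind == "shipment_redirect":
            dest = normalize(ev.detail)
            ship_to[dest].add(c.contractor_id)
            if dest != normalize(c.hr_address):
                findings.append((c.contractor_id, "laptop_shipped_to_non_hr_address", ev.detail))
        elif ev.kind == "payout_change":
            if normalize(ev.detail) != normalize(c.payroll_destination):
                findings.append((c.contractor_id, "payout_redirected", ev.detail))
        elif ev.kind == "remote_tool_installed":
            # Any remote access tool on a company asset is worth a look here.
            findings.append((c.contractor_id, "remote_access_tool_on_company_asset", ev.detail))

    # Heuristic (assumption): one delivery address serving several contractors
    # resembles the intermediary "laptop farm" pattern.
    for dest, ids in ship_to.items():
        if len(ids) > 1:
            for cid in sorted(ids):
                findings.append((cid, "shared_delivery_address", dest))
    return findings


def prioritize(findings):
    """Rank contractors by number of distinct finding types, highest first."""
    types = defaultdict(set)
    for cid, ftype, _ in findings:
        types[cid].add(ftype)
    ranked = [(cid, len(t), sorted(t)) for cid, t in types.items()]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for cid, count, kinds in prioritize(find_findings(CONTRACTORS, EVENTS)):
        print(f"{cid}: {count} signal types -> {', '.join(kinds)}")
```

The point of ranking by distinct signal types rather than raw event count is that a single address change is common and benign (a genuine move), whereas an address change combined with a shared destination and a remote access tool on the same laptop is the cluster the article describes. In practice the findings feed a review queue for HR and security together, since the evidence lives partly outside the SOC.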

In a cybersecurity landscape defined by rapid evolution, the emergence of ransom demands signifies a crucial turning point in tactics employed by North Korean IT workers. These developments warrant increased scrutiny and proactive defense measures from organizations seeking to safeguard their digital assets against burgeoning threats.