Report Reveals North Korean Workers Expanding into Intellectual Property Theft
North Koreans posing as remote IT workers aren’t stopping at ripping off their employers’ salaries – they’re also extorting Western companies for ransom after obtaining jobs, according to a new report.
Fraudulent North Korean workers have expanded operations to include intellectual property theft, with the potential for further monetary gain through extortion to fund the regime’s weapons programs, according to research published Wednesday by Secureworks’ counter threat unit. The report highlighted the expansion of tactics and warned the shift “significantly changes the risk profile for organizations that inadvertently hire a North Korean IT worker.”
North Korean nationals have long used stolen identities to secure remote jobs with Western firms, funneling the earnings to the regime (see: Breach Roundup: How to Spot North Korean IT Workers).
The scam has evolved from merely generating hard currency for Pyongyang through paychecks to actively exfiltrating sensitive data from their employers and threatening to leak that information unless the firm pays a ransom.
The technical and behavioral characteristics associated with newly aggressive North Korean IT workers align with previous fraud campaigns carried out by the “Nickel Tapestry” threat group, according to the report.
“The emergence of ransom demands marks a notable departure from prior Nickel Tapestry schemes,” the researchers wrote, noting how in one incident a threat actor “demanded a six-figure ransom in cryptocurrency to avoid publication of the stolen documents.”
Secureworks said North Koreans working under false pretenses are exfiltrating proprietary data to personal Google Drive locations via corporate VDI solutions. Researchers also observed threat actors accessing corporate systems using Chrome Remote Desktop services.
Federal prosecutors indicted an Arizona woman and Polish authorities arrested a Ukrainian national in May for circumventing sanctions and helping North Korean nationals obtain IT work for U.S. Fortune 500 companies (see: US FBI Busts North Korean IT Worker Employment Scams). The Department of State also offered up to $5 million for information on four North Korean IT workers: Jiho Han, Chunji Jin, Haoran Xu and a manager known as Zhonghua.
A recent confidential United Nations report meanwhile warned the North Korean regime uses well-orchestrated hack attacks to steal money for its weapons-development programs, including online bank heists and deploying cryptocurrency miners to hack crypto exchanges. The report also said North Korea committed “continued violations” of global sanctions to fund its weapons programs (see: North Korean Hacking Funds WMD Programs, UN Report Warns).