Biz hired, and fired, a fake North Korean IT worker – then the ransom demands began

It's a pattern cropping up more and more frequently: a company fills an IT contractor post, not realizing it's mistakenly hired a North Korean operative. The phony worker almost immediately begins exfiltrating sensitive data, before being fired for poor performance. Then the six-figure ransom demands – accompanied by proof of the stolen files – start appearing.

Secureworks' incident responders have come across this pattern during "numerous investigations," we're told. And "multiple" tactics used in these scams align with North Korea's Nickel Tapestry crew, which relies on the fake IT worker schemes to line Kim Jong Un's coffers. According to the US government, these illicit funds contribute to the DPRK's illegal weapons programs.

"The emergence of ransom demands marks a notable departure from prior Nickel Tapestry schemes," Secureworks Counter Threat Unit research team remarked in a report.

"The extortion incident reveals that Nickel Tapestry has expanded its operations to include theft of intellectual property with the potential for additional monetary gain through extortion," and this "significantly changes the risk profile" for businesses that accidentally hire a North Korean techie," Secureworks warned.

Data theft followed by extortion does, however, follow the pattern of escalating tactics documented by an earlier FBI alert and falls in line with North Korean government-backed hackers' ongoing money-making schemes.

Other fake worker tactics have been documented by the feds and friends in the UK [PDF] and Australia. Secureworks’ incident response team has observed these fake contractors requesting changes to delivery addresses for employer-issued laptops, which are then rerouted to laptop farms – both to hide the new hire's location and also to establish persistent access to corporate systems.

Or, in some cases, the North Korean scammers will ask to use a personal laptop instead of a company-issued device and indicate their preference for using a virtual desktop.

You've been pwned

In one case documented by Secureworks, the phony worker exfiltrated proprietary information to a personal Google Drive location using the corporate virtual PC.

After firing the cyber crook, the biz received "a series of emails" – one including .ZIP archive attachments containing samples of the stolen documents, and another demanding a six-figure ransom, paid in cryptocurrency, or else the criminals would leak the sensitive information.

"Later that day, an email from a Gmail address shared a Google Drive folder containing additional evidence of stolen data," the report notes.

The threat hunters observe they've also spotted criminals using Chrome Remote Desktop to remotely manage and access corporate systems, and AnyDesk for remote access – despite this tool not being typically needed for their jobs.

"Analysis of AnyDesk logs in one engagement revealed connections to Astrill VPN IP addresses, indicating the application is part of Nickel Tapestry's toolset," we're told.

Another indication that you may have accidentally hired a North Korean criminal: these IT workers avoid video calls as much as possible, claiming the webcams on company-provided computers aren't working.

To be fair: this excuse also comes in handy on no-makeup and frizzy-hair days for legitimate reporters employees.

Secureworks reports that their forensic evidence found free SplitCam virtual video clone software – which can help disguise the fake workers' identity and location – in use on the scammers' laptops. "Based on these observations, it is highly likely that the threat group is experimenting with various methods for accommodating companies' requests to enable video on calls," the security analysts note.

They also advise companies to be on the lookout for "suspicious financial behavior" – such as updating bank accounts for paycheck deposits multiple times in a short period. Specifically, the researchers have seen the use of bank accounts operated by the Payoneer Inc. digital payment service in these scams.

Plus, if you've inadvertently hired one phony North Korean IT worker, it's likely that you're employing more than one scam artist – or even the same individual who has adopted multiple personas.

"In one engagement, several connections across multiple contractors employed by the company surfaced, with Candidate A providing a reference for a future hire (Candidate B), and another likely fraudulent contractor (Candidate C) replacing Candidate B after that contractor's termination," the team wrote, adding that in another incident they caught multiple individuals using the same email address.

"This observation indicates that North Korean IT workers are often co-located and may share jobs," according to the report.

How not to get scammed

To avoid falling victim to this remote IT worker scam, Secureworks suggests recommends checking job candidates' documentation and conducting in-person interviews if possible.

Infosec awareness and training provider KnowBe4 would likely second this recommendation. The security shop conducted four video interviews with a candidate and checked their appearance matched photos on a job application, but still hired a North Korean fake IT worker for a software engineering role on its AI team.

It also pays to watch for new hires who ask to change their address during onboarding, or route paychecks to money transfer services. And, as always, restrict the use of unsanctioned remote access software and limit access to non-essential systems.

Google-owned infosec outfit Mandiant offers similar advice on how to hire – or not hire - North Korean operatives.

And, as several other job seekers and techies pointed out on Reddit: beware of cheap hires. As with most things in life, if it sounds too good to be true, it probably is. ®