North Korean IT Worker Schemes Evolve: From Salary Scams to Cyber Extortion
A new report from Secureworks® Counter Threat Unit™ (CTU) researchers has revealed a disturbing escalation in the tactics used by North Korean government-linked actors who fraudulently secure IT jobs at Western companies, including those in the U.S., UK, and Australia. While previous schemes focused primarily on generating revenue through illicit employment, the latest findings indicate a shift towards more aggressive tactics, including data theft and extortion.
One notable case in mid-2024 saw a contractor exfiltrating sensitive data almost immediately after starting a job. The organization, upon terminating the contractor for poor performance, received emails demanding a six-figure cryptocurrency ransom to prevent the publication of stolen data.
This escalation, observed by Secureworks, signals a dangerous new trend. “The extortion incident reveals that NICKEL TAPESTRY has expanded its operations to include theft of intellectual property with the potential for additional monetary gain through extortion,” the report warns. NICKEL TAPESTRY, a known North Korean threat group, has long relied on these IT worker schemes to generate revenue, allegedly funneling these earnings into the country’s weapons programs.
One of the tactics highlighted in the report involves rerouting the delivery addresses for corporate laptops, often diverting them to “laptop farms” where facilitators handle these devices. In some instances, fraudulent contractors requested to use personal laptops instead of company-issued ones, favoring virtual desktop infrastructure (VDI) setups to remotely access corporate networks. As noted in the report, “This behavior aligns with NICKEL TAPESTRY tradecraft of attempting to avoid corporate laptops, potentially eliminating the need for an in-country facilitator and limiting access to forensic evidence.”
In addition to exfiltrating data via corporate VDIs, the fraudulent contractors have used sophisticated methods to cover their tracks. Secureworks reports that these contractors often used VPN services, such as Astrill VPN, to mask their IP addresses and engaged in other deceptive tactics to evade detection. They also employed remote access tools like Chrome Remote Desktop and AnyDesk, which were not typically required for their roles, further raising suspicions.
The report also highlights other suspicious behaviors associated with these workers. Many avoided enabling video during calls, claiming technical issues with company-issued laptops, or used SplitCam software to manipulate their video feeds. Financial red flags were also common, with contractors frequently updating payment information, often using digital payment services like Payoneer to circumvent traditional banking systems.
What makes these schemes even more insidious is the coordination between fraudulent contractors. Investigations revealed links between individuals who provided fake references for one another, used similar resume formats and even adopted multiple personas within the same company. In one instance, Secureworks found that two contractors who appeared to be separate individuals were the same person using different email accounts and writing styles.
As North Korean IT worker schemes continue to evolve, the cybersecurity risk for companies hiring remote workers has escalated. The shift toward ransom demands and intellectual property theft poses a serious threat to organizations worldwide. Secureworks emphasizes the need for heightened vigilance in the hiring process, recommending thorough background checks, identity verification, and scrutiny of suspicious behaviors such as frequent payment changes or requests to reroute deliveries.
Organizations are urged to monitor for red flags during interviews, such as excuses for not enabling cameras, inconsistent communication styles, and unusual working hours. As Secureworks warns, “While these characteristics are individually benign, a combination could indicate fraudulent activity and should prompt additional identity and employment eligibility checks.”
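The report's point that these indicators are individually benign but meaningful in combination can be turned into a simple review trigger. The following is an added example, not code from Secureworks or the report; the telemetry record, the role's approved tool list and the threshold of three indicators are assumptions.

```python
"""Combine the individually benign indicators described in the report into a
single 'additional identity check' trigger for a remote contractor."""
from dataclasses import dataclass, field

# Tools named in the report. Assumption: the caller supplies the set of tools
# the role actually requires as `approved_tools`.
REMOTE_ACCESS_TOOLS = {"anydesk", "chrome remote desktop"}
VIRTUAL_CAMERA_TOOLS = {"splitcam"}
COMMERCIAL_VPNS = {"astrill"}

@dataclass
class ContractorObservations:
    """Constructed HR/IT telemetry for one contractor; not real data."""
    name: str
    laptop_reroute_requested: bool = False
    personal_device_vdi_requested: bool = False
    installed_software: set = field(default_factory=set)
    vpn_provider: str = ""
    camera_off_calls: int = 0
    total_calls: int = 0
    payment_changes_90d: int = 0
    shared_reference_with: set = field(default_factory=set)

def indicators(obs, approved_tools):
    """Return the list of report indicators present in the observations."""
    hits = []
    if obs.laptop_reroute_requested:
        hits.append("laptop delivery rerouted")
    if obs.personal_device_vdi_requested:
        hits.append("personal device / VDI instead of corporate laptop")
    software = {s.lower() for s in obs.installed_software}
    approved = {s.lower() for s in approved_tools}
    if (software & REMOTE_ACCESS_TOOLS) - approved:  # present but not needed
        hits.append("remote access tool not required for role")
    if software & VIRTUAL_CAMERA_TOOLS:
        hits.append("virtual camera software installed")
    if obs.vpn_provider.lower() in COMMERCIAL_VPNS:
        hits.append("commercial VPN masking IP address")
    # Avoid division by zero and noise from a single call.
    if obs.total_calls >= 3 and obs.camera_off_calls / obs.total_calls >= 0.8:
        hits.append("camera consistently disabled on calls")
    if obs.payment_changes_90d >= 2:
        hits.append("frequent payment detail changes")
    if obs.shared_reference_with:
        hits.append("references shared with other contractors")
    return hits

def needs_identity_review(obs, approved_tools, threshold=3):
    """One indicator is benign; a combination should prompt extra checks."""
    return len(indicators(obs, approved_tools)) >= threshold
```

The threshold is a tuning knob: a lower value catches more but will flag legitimate remote staff who, for example, use a commercial VPN and occasionally keep their camera off.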