North Korean hackers are doubling down on their malicious activities towards the unsuspecting Western companies that mistakenly hire them. Rather than just stealing information once they obtain access to their new company’s network, they are now demanding ransoms not to leak it.
This new tactic marks an evolution in North Korea’s fraudulent IT worker scheme, which entails infiltrating Western companies to access sensitive information and generate illicit revenue to advance the country’s strategic and financial interests.
To pull off the scheme, North Korean workers pose as freelancers seeking IT-related jobs with Western firms. They use fake, sometimes AI-generated resumes and personas, or steal and adopt legitimate ones from U.S. citizens, to support their job applications and interviews. Once hired and provided with a corporate laptop, they immediately begin exfiltrating information from the company.
At least one researcher believes the North Korean IT worker operation impacts hundreds if not thousands of roles across the world, but only a small percentage turn into exfiltration and extortion scenarios. However, this new tactic could pose a bigger risk to organizations as some of these imposters are now looking to trade a steady paycheck for higher sums, more quickly, through data theft and extortion.
Source: The Hacker News
Analysis
Extortion is just the latest technique North Koreans have leveraged during their long history of using job-themed attack vectors in malicious cyber campaigns.
In July 2024, a North Korean hacker was caught using AI tooling to change his appearance during video interviews, duping cybersecurity company KnowBe4 into hiring him. Fortunately, the company caught on to the scam when the new employee installed malware on their company-issued laptop. KnowBe4 then contacted the FBI, who advised that the employee in question was a North Korean state-sponsored threat actor.
So far, this IT worker scheme has proven to be a valuable method for North Korea to obtain the financial resources and knowledge needed to further develop its ambitious weapons and nuclear programs. Thus, North Korea will likely continue using it to develop these programs.
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats from advanced cyber actors engaging in malicious activities, including North Korean state-sponsored actors. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.
Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect recommends scrutinizing job application invites sent via email, messaging services such as WhatsApp, and social media. Keep in mind that the individuals making contact could be fake, and always make efforts to verify the recruiter’s identity and association with the company they claim to represent. Generally, if an offer is too good to be true, it probably is.
Field Effect users are encouraged to submit suspicious emails, including job offers, to Field Effect’s Suspicious Email Analysis Service (SEAS) to ensure they are benign before clicking links or opening an attachment.