North Korea Escalates Fake IT Worker Schemes to Extort Employers

North Korean threat actors have adopted new tactics to escalate fake IT worker insider attacks, including extorting their former employers, researchers from Secureworks have found.

The cybersecurity firm said the development, attributed to the Nickel Tapestry threat group, marks a significant deviation from previously established tactics.

In many earlier North Korea fake IT worker schemes, the threat actors demonstrated a financial motivation by maintaining employment and collecting a paycheck.

However, in one recent case observed by the researchers, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024, before threatening to publish the data online in a ransom demand sent to their former employers.

Rafe Pilling, Director of Threat Intelligence, Secureworks Counter Threat Unit, commented: “Once the employment contract was complete, they quickly used this as collateral to demand a hefty ransom in return for not publishing the stolen data.”

“This shift significantly changes the risk profile associated with inadvertently hiring North Korean IT workers. No longer are they just after a steady paycheck, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defenses,” he added.


Evolution of North Korea IT Worker Threats

The practice of North Korean nationals using stolen or falsified identities to obtain employment with Western companies under false pretenses has been documented in the US, UK and Australia for several years.

This activity is primarily designed to generate revenue for the Democratic People’s Republic of Korea (DPRK), contributing to the regime’s weapons program.

The Nickel Tapestry North Korean threat actor has historically been at the forefront of these schemes. Secureworks has recently observed an evolution in tactics that it believes have been used by the actor.

One piece of the group’s tradecraft is to avoid using corporate laptops directly, instead rerouting them to facilitators at laptop farms. In some instances, the contractors requested permission to use a personal laptop instead of a company-issued device and displayed a strong preference for a virtual desktop infrastructure (VDI) setup.

In the case where a ransom demand was issued, the attacker accessed company data using IP addresses within Astrill VPN address space and residential proxy addresses to mask the actual source IP address used for the malicious activity.

Soon after the organization terminated the contractor’s employment due to poor performance, the company was sent a series of emails from an external Outlook email address. One of the emails included ZIP archive attachments containing proof of the stolen data, and another demanded a six-figure ransom in cryptocurrency to avoid publication of the stolen documents.

The threat actors were also observed using Chrome Remote Desktop and AnyDesk for remote access.

Historically, North Korean IT workers avoided enabling video during calls, sometimes claiming to experience issues with webcams on company-issued laptops. However, Nickel Tapestry appears to be using the free SplitCam software, advertised as a virtual video clone, which lets the workers join company video calls.

The threat actors have also been observed updating the bank account for receiving paychecks multiple times within a brief period. This includes the use of digital payment services to bypass traditional banking systems.

How to Identify North Korea Worker Schemes

Secureworks said the expansion of Nickel Tapestry’s operations to include theft of intellectual property with the potential for additional monetary gain through extortion has significantly changed the risk profile for organizations that inadvertently hire a North Korean IT worker.

Companies employing remote IT workers are recommended to undertake a thorough interview process to identify suspicious activity. This includes:

  • Verify candidates’ identities by checking documentation for consistency, including their name, nationality, contact details and work history
  • Conduct in-person or video interviews and monitor for suspicious activity during calls
  • Be wary of candidates’ requests to change their address during the onboarding process and to route paychecks to money transfer services
  • Restrict use of unauthorized remote access tools and limit access to non-essential systems
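As an added example (not code from the article or from Secureworks), the following Python screening pass applies two of the indicators above to constructed HR and endpoint events: a contractor changing the payroll bank account several times within a short window, and the start of a remote access tool the article names. The event fields, contractor ids and process names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tools the article names; the process names are assumptions about how they
# appear in endpoint telemetry, not values from the Secureworks report.
UNAUTHORIZED_TOOLS = {"anydesk.exe", "remoting_host.exe", "splitcam.exe"}

# Constructed sample events (timestamp, contractor id, event type, detail).
EVENTS = [
    ("2024-06-03T09:00", "c-1042", "bank_account_change", "bank A"),
    ("2024-06-10T14:20", "c-1042", "bank_account_change", "digital payment service"),
    ("2024-06-18T08:05", "c-1042", "bank_account_change", "bank B"),
    ("2024-06-19T11:30", "c-1042", "process_start", "AnyDesk.exe"),
    ("2024-06-20T10:00", "c-2207", "bank_account_change", "bank C"),
    ("2024-06-21T10:00", "c-2207", "process_start", "outlook.exe"),
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def flag_rapid_bank_changes(events, window_days=30, threshold=3):
    """Contractors with at least `threshold` payee changes in any
    `window_days` span (the article's 'multiple times within a brief period')."""
    changes = defaultdict(list)
    for ts, emp, kind, _ in events:
        if kind == "bank_account_change":
            changes[emp].append(_parse(ts))
    flagged = set()
    for emp, times in changes.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= timedelta(days=window_days):
                flagged.add(emp)
                break
    return flagged

def flag_unauthorized_tools(events):
    """(contractor, process) pairs where a listed remote access tool started."""
    return sorted({(emp, detail) for _, emp, kind, detail in events
                   if kind == "process_start" and detail.lower() in UNAUTHORIZED_TOOLS})

def screen(events):
    """Combine both checks into one review list for HR and security teams."""
    return {"rapid_bank_changes": flag_rapid_bank_changes(events),
            "unauthorized_tools": flag_unauthorized_tools(events)}

if __name__ == "__main__":
    print(screen(EVENTS))
```

Flagged contractors are candidates for review by HR and security together, since a single bank change or a one-off tool launch on its own is not evidence of fraud.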

Research published in October 2024 by Palo Alto Networks’ Unit 42 highlighted new activity from North Korean threat actors posing as recruiters to install malware on tech industry job seekers’ devices.

The two pieces of malware associated with the campaign are the BeaverTail downloader and the InvisibleFerret backdoor.
