North Korean IT workers working in Western companies are currently requesting payment for stolen data.

North Korean information technology (IT) workers who secure jobs under false pretenses in Western companies are not only engaging in intellectual property theft, but are also resorting to extortion to prevent the leak of this stolen data, adding a new dimension to their financially motivated attacks.

“In certain cases, these fraudulent workers demanded ransom payments from their previous employers after gaining insider access, a tactic that was not previously observed,” stated Secureworks Counter Threat Unit (CTU) in a recent analysis. “One such instance involved a contractor exfiltrating proprietary data shortly after starting employment in mid-2024.”

According to the cybersecurity company, this activity bears similarities to a threat group known as Nickel Tapestry, also identified as Famous Chollima and UNC5267.

The deceptive IT worker scheme, designed to further North Korea’s strategic and financial agendas, involves infiltrating Western companies to generate illicit revenue for the country amidst sanctions.

These North Korean workers typically travel to countries like China and Russia, posing as freelancers in search of job opportunities. Alternatively, they have also been known to assume the identities of legitimate U.S. residents to achieve their objectives.

Furthermore, they have been found to request changes in delivery addresses for company-issued laptops, redirecting them to intermediaries at laptop farms who are compensated by foreign facilitators. These intermediaries install remote desktop software that enables North Korean actors to connect to the computers.

In some cases, multiple contractors may be hired by the same company, or one individual may adopt multiple personas.

Secureworks has also observed instances where fake contractors requested permission to use their personal laptops or altered delivery addresses of laptops in transit, leading organizations to cancel the shipments altogether.

“This behavior is in line with Nickel Tapestry’s strategy of avoiding corporate laptops, potentially eliminating the need for an in-country facilitator and reducing access to forensic evidence,” the report noted. “This approach allows contractors to use personal laptops to remotely access the organization’s network.”

In a worrying development, a contractor terminated for poor performance from an undisclosed company resorted to sending extortion emails with ZIP attachments containing evidence of stolen data.

Rafe Pilling, Director of Threat Intelligence at Secureworks CTU, highlighted the evolution in the threat actors’ tactics, emphasizing the increased risk associated with hiring North Korean IT workers who are now seeking higher sums through data theft and extortion.

Organizations are advised to remain vigilant during the recruitment process, conduct comprehensive identity verifications, hold in-person or video interviews, and watch out for attempts to redirect corporate IT shipments to contractors’ home addresses, reroute paychecks to money transfer services, and utilize unauthorized remote access tools to access corporate networks.
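The red flags listed above (shipment redirects, paychecks rerouted to money transfer services, unauthorized remote access tools, avoidance of video interviews, and one operator behind several personas) can be correlated from ordinary HR and IT events. The following is an added example, not code from the article or from Secureworks; the event records, contractor IDs, IP addresses, tool names and the approved-tool policy are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample HR/IT events; contractor IDs, IPs and package names are made up.
REMOTE_ACCESS_TOOLS = {"corp-vpn-client", "thirdparty-remote-desktop"}  # hypothetical inventory category
APPROVED_REMOTE_ACCESS = {"corp-vpn-client"}                            # assumed corporate policy
MONEY_TRANSFER_KINDS = {"money_transfer_service"}                       # payroll destinations to flag

EVENTS = [
    {"contractor": "c-1001", "type": "laptop_ship_address_change", "matches_hr_address": False},
    {"contractor": "c-1001", "type": "payroll_change", "destination_kind": "money_transfer_service"},
    {"contractor": "c-1001", "type": "software_install", "package": "thirdparty-remote-desktop"},
    {"contractor": "c-1001", "type": "interview", "camera_on": False},
    {"contractor": "c-1001", "type": "remote_login", "src_ip": "203.0.113.7"},
    {"contractor": "c-3003", "type": "remote_login", "src_ip": "203.0.113.7"},  # same IP, other persona
    {"contractor": "c-2002", "type": "laptop_ship_address_change", "matches_hr_address": True},
    {"contractor": "c-2002", "type": "software_install", "package": "corp-vpn-client"},
    {"contractor": "c-2002", "type": "remote_login", "src_ip": "198.51.100.4"},
]

def per_event_flags(ev):
    """Return the red-flag names raised by one event (empty list if benign)."""
    t = ev["type"]
    if t == "laptop_ship_address_change" and not ev["matches_hr_address"]:
        return ["shipment_redirected"]
    if t == "payroll_change" and ev["destination_kind"] in MONEY_TRANSFER_KINDS:
        return ["payroll_to_money_transfer"]
    if t == "software_install" and ev["package"] in REMOTE_ACCESS_TOOLS - APPROVED_REMOTE_ACCESS:
        return ["unauthorized_remote_tool"]
    if t == "interview" and not ev["camera_on"]:
        return ["video_interview_avoided"]
    return []

def score_contractors(events):
    """Aggregate flags per contractor and add a shared-login-IP flag when one
    source address is used by several contractor accounts (multiple personas)."""
    flags, ip_users = defaultdict(set), defaultdict(set)
    for ev in events:
        flags[ev["contractor"]].update(per_event_flags(ev))
        if ev["type"] == "remote_login":
            ip_users[ev["src_ip"]].add(ev["contractor"])
    for users in ip_users.values():
        if len(users) > 1:
            for u in users:
                flags[u].add("shared_login_ip")
    return {c: sorted(f) for c, f in flags.items()}

def high_risk(scores, threshold=2):
    """Contractors whose flag count meets the review threshold."""
    return sorted(c for c, f in scores.items() if len(f) >= threshold)
```

Single flags are common in legitimate hiring, so the threshold is what turns this into a review queue rather than an alert per event.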

This shift in tactics underscores how sophisticated these schemes have become, and it builds on warning signs already described in an FBI alert, such as the workers' suspicious financial behavior and their efforts to avoid video calls.

“The emergence of ransom demands marks a significant departure from previous Nickel Tapestry activities. However, the behavior leading up to the extortion aligns with past schemes involving North Korean workers,” Secureworks CTU added.
