- A company accidentally hired a North Korean IT worker for a remote job.
- He stole data and then tried to hold it to ransom after being fired, according to Secureworks.
- North Korean workers have been infiltrating US companies, but extortion has emerged as a new tactic.
A company accidentally hired a North Korean remote IT worker, who later stole sensitive company data and attempted to hold it to ransom after being fired, according to an American cybersecurity company.
The FBI has previously said that there are thousands of North Korean IT workers posing as non-North Koreans to get remote jobs in the US, to funnel money back to the North Korean state.
However, this extortion strategy seems to mark a shift in their tactics.
Secureworks, which shared details of the incident with Business Insider, said its Counter Threat Unit, or CTU, uncovered the activity after the unnamed company, based in either the US, UK, or Australia, received an extortion demand.
According to BBC News, the company hired the technician as a contractor after he had falsified his employment history and personal details.
Early into his four-month employment, he used remote-work tools to infiltrate the company’s systems, downloading a large amount of company data, per Secureworks.
Secureworks said the worker was later dismissed for poor performance and that, soon after, the company began receiving emails with attachments containing evidence of stolen data.
It said the company also received an email demanding a six-figure sum in cryptocurrency to not publish it or sell the information online.
It is unclear if the ransom was paid. Secureworks said it doesn’t comment on individual cases, but added that many companies would be prohibited from paying a ransom due to international sanctions on North Korea.
Secureworks’ CTU said salaries received via North Korean fraudulent IT worker schemes seek to bypass these sanctions to generate revenue for the country.
Last year, FBI leaders warned that the money earned in salaries was being funneled to North Korean weapons programs.
This incident, however, was slightly different, said Rafe Pilling, director of threat intelligence at Secureworks’ CTU.
“No longer are they just after a steady paycheck,” he told BI in a written statement. “They are looking for higher sums, more quickly, through data theft and extortion, from inside the company defences.”
Pilling advised organizations to remain vigilant for individuals trying to gain employment under pretenses.
He said they should seek to run identity checks and do in-person or video interviews, as well as be wary of suspicious requests, such as attempts to reroute corporate IT equipment sent to the contractor’s purported home address.
Last month, Charles Carmakal, chief technology officer of cybersecurity firm Mandiant Consulting, said in a LinkedIn post that North Korean IT workers were increasingly infiltrating the US economy, with dozens of Fortune 100 organizations having been targeted.
Carmakal said that Mandiant investigations had found that North Korea was using a team of US-based facilitators that received company laptops from US employers, and would then often run laptop farms from their homes.
He said these facilitators sometimes deployed Remote Monitoring and Management software on the laptops, allowing North Korean IT workers to connect to the system remotely.
In May, prosecutors accused an Arizona woman of aiding North Koreans to secure US remote-work jobs, which included positions at Fortune 500 companies.
Prosecutors said in an April indictment that the workers used IP addresses to make it appear that they were working from her house and within the US.
A Ukrainian man was also accused of operating “laptop farms” for North Korean workers.
According to Jake Moore, a global cybersecurity advisor for cybersecurity software firm ESET, “Insider threats are still a major concern for businesses but especially for organizations that are targeted with nation-state threats.”
He told Business Insider that thorough vetting and background checks are often the “only fallback” to prevent rogue access to sensitive company data. He added that these processes can be time-consuming but ultimately worthwhile.
“Giving away the keys to the castle from within has always been high risk but with prevailing international threats, new measures in improved vetting employees must be taken,” he said.
