Uncovering the New Tactics of North Korean IT Worker Insider Attacks
Researchers at Secureworks have found that North Korean threat actors have adopted novel techniques to escalate fake IT worker insider attacks, including extorting their former employers. This shift in strategy, attributed to the Nickel Tapestry threat group, represents a significant departure from their conventional methods.
Previously, North Korean fake IT workers demonstrated a financial motive by staying employed and receiving a regular paycheck. However, in a recent case observed by Secureworks, a contractor swiftly exfiltrated proprietary data shortly after starting employment in mid-2024. Subsequently, they threatened to publish the data online unless a ransom was paid by their former employers.
Rafe Pilling, Director of Threat Intelligence at Secureworks Counter Threat Unit, emphasized the gravity of this development, stating, “This shift significantly changes the risk profile associated with inadvertently hiring North Korean IT workers. No longer are they solely seeking a steady paycheck but are now looking for larger sums through data theft and extortion, breaching company defenses in the process.”
The Evolution of North Korean IT Worker Threats
For several years, North Korean nationals have been utilizing stolen or falsified identities to secure employment in Western companies as part of schemes to generate revenue for the DPRK regime. The Nickel Tapestry threat actor has been a key player in these fraudulent activities.
Secureworks has observed a transition in tactics by the group, such as redirecting corporate laptops to facilitators at laptop farms and displaying a preference for using personal laptops or virtual desktop infrastructure (VDI) setups. In a recent ransom demand incident, the attackers masked their IP addresses using Astrill VPN and residential proxy addresses.
Furthermore, the threat actors employed tools like Chrome Remote Desktop and AnyDesk for remote access and utilized SplitCam software to enable video calls, overcoming previous hurdles related to video conferencing.
Identifying North Korean Worker Schemes
With the evolution of Nickel Tapestry’s operations towards intellectual property theft and extortion, organizations must be vigilant when hiring remote IT workers. Secureworks recommends conducting thorough interviews that verify candidates’ identities, monitoring for unusual behavior during calls, and restricting unauthorized remote access tools.
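The last recommendation, restricting unauthorized remote access tools, is easiest to act on when endpoint telemetry is checked against a watch list of the tools named in this article. The following is an added example, not code from Secureworks or the article; the process-creation events are constructed, and the executable names used for AnyDesk, Chrome Remote Desktop and SplitCam, as well as the sanctioned tool `corp_remote.exe`, are assumptions that should be confirmed against your own software inventory before use.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample of endpoint process-creation events (CSV), not real telemetry.
SAMPLE_EVENTS = """\
timestamp,host,user,image,parent_image
2024-07-02T09:14:03Z,WKS-0142,contractor01,C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe,C:\\Windows\\explorer.exe
2024-07-02T09:15:41Z,WKS-0142,contractor01,C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\remoting_host.exe,C:\\Windows\\System32\\services.exe
2024-07-02T10:02:17Z,WKS-0142,contractor01,C:\\Program Files\\SplitCam\\SplitCam.exe,C:\\Windows\\explorer.exe
2024-07-02T10:05:00Z,WKS-0077,jsmith,C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE,C:\\Windows\\explorer.exe
2024-07-02T10:06:30Z,WKS-0077,jsmith,C:\\Program Files\\Corp-RMM\\corp_remote.exe,C:\\Windows\\System32\\services.exe
"""

# Watch list of remote-access and virtual-camera tools named in the article,
# keyed by executable name. The executable names are assumptions for this
# example; verify them against your own inventory before deploying.
WATCHLIST = {
    "anydesk.exe": "AnyDesk",
    "remoting_host.exe": "Chrome Remote Desktop",
    "splitcam.exe": "SplitCam",
}

# Remote-access software the organisation has sanctioned (assumed name).
APPROVED_REMOTE_ACCESS = {"corp_remote.exe"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    tool: str
    image: str


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_unauthorized_remote_tools(csv_text):
    """Flag process launches whose image is on the watch list and not sanctioned."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = basename(row["image"])
        if name in APPROVED_REMOTE_ACCESS:
            continue
        tool = WATCHLIST.get(name)
        if tool:
            findings.append(Finding(row["timestamp"], row["host"], row["user"], tool, row["image"]))
    return findings


def summarize_by_host(findings):
    """Map each host to the set of watch-listed tools seen on it; several
    distinct tools on one host is a stronger signal than a single hit."""
    summary = {}
    for f in findings:
        summary.setdefault(f.host, set()).add(f.tool)
    return summary


if __name__ == "__main__":
    hits = detect_unauthorized_remote_tools(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.user}: {f.tool} ({f.image})")
    for host, tools in summarize_by_host(hits).items():
        print(f"{host}: {len(tools)} watch-listed tools -> {sorted(tools)}")
```

Matching on the image basename alone is deliberately simple; in production the same watch list would be applied to service installation and network connection events as well, since renamed binaries defeat a name match, and the per-host summary is what an analyst would triage first.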
Recent research by Palo Alto Networks’ Unit 42 has also highlighted North Korean threat actors posing as recruiters to install malware on tech job seekers’ devices, emphasizing the need for heightened cybersecurity measures.
By staying informed and implementing robust security protocols, businesses can mitigate the risks associated with inadvertently hiring North Korean IT workers and protect their valuable assets from potential threats.