
North Korean IT Scam Workers Shift to Extortion Tactics

Report Reveals North Korean Workers Expanding Into Intellectual Property Theft
North Korean state-sponsored hackers are posing as remote IT workers to extort Western companies, according to a new report. (Image: Shutterstock)

North Koreans posing as remote IT workers aren't stopping at ripping off their employers' salaries - they're also extorting Western companies for ransom after obtaining jobs, according to a new report.


Fraudulent North Korean workers have expanded operations to include intellectual property theft, with the potential for further monetary gain through extortion to fund the regime's weapons programs, according to research published Wednesday by Secureworks' counter threat unit. The report highlighted the expansion of tactics and warned the shift "significantly changes the risk profile for organizations that inadvertently hire a North Korean IT worker."

North Korean nationals have long used stolen identities to secure remote jobs with Western firms, funneling the earnings to the regime (see: Breach Roundup: How to Spot North Korean IT Workers).

The scam has evolved from merely generating hard currency for Pyongyang through paychecks to actively exfiltrating sensitive data from their employers and threatening to leak that information unless the firm pays a ransom.

The technical and behavioral characteristics associated with newly aggressive North Korean IT workers align with previous fraud campaigns carried out by the "Nickel Tapestry" threat group, according to the report.

"The emergence of ransom demands marks a notable departure from prior Nickel Tapestry schemes," the researchers wrote, noting how in one incident a threat actor "demanded a six-figure ransom in cryptocurrency to avoid publication of the stolen documents."

Secureworks said North Koreans working under false pretenses are exfiltrating proprietary data to personal Google Drive locations via corporate VDI solutions. Researchers also observed threat actors accessing corporate systems using Chrome Remote Desktop services.
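The two behaviours the report names, data leaving corporate VDI sessions for personal Google Drive storage and Chrome Remote Desktop use against corporate systems, are both visible in ordinary web-proxy logs. The following is an added triage example written for this page; it is not code from the article or from Secureworks. The log format, the `vdi-` host-naming convention, the 50 MB threshold and the sample lines are constructed assumptions; the Google Drive upload API path prefix and the `remotedesktop.google.com` host are real endpoints.

```python
"""Added example (not from the article or the Secureworks report): flag VDI
hosts that push large volumes to the Google Drive upload API or that reach
the Chrome Remote Desktop web app. Log lines, hostnames and the threshold
are constructed for illustration."""
import re
from collections import defaultdict

# Constructed proxy log format:
# "<timestamp> <src_host> <user> <method> <url> <status> <bytes_out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes_out>\d+)$"
)

# Assumption: VDI hosts carry this naming prefix in this environment.
VDI_PREFIX = "vdi-"
# Real endpoints: the Drive upload API path prefix and the CRD web app host.
DRIVE_UPLOAD = "https://www.googleapis.com/upload/drive/"
CRD_HOST = "remotedesktop.google.com"
# Constructed threshold: more than 50 MB to Drive from one VDI host is flagged.
UPLOAD_THRESHOLD = 50 * 1024 * 1024

# Constructed sample log: one VDI host uploads ~60 MB to Drive and then opens
# Chrome Remote Desktop; a laptop does a small Drive upload; another VDI host
# is quiet.
SAMPLE_LOGS = """\
2024-10-16T09:12:03Z vdi-0117 jdoe GET https://intranet.example.test/wiki 200 512
2024-10-16T09:14:21Z vdi-0117 jdoe POST https://www.googleapis.com/upload/drive/v3/files?uploadType=resumable 200 41943040
2024-10-16T09:15:09Z vdi-0117 jdoe PUT https://www.googleapis.com/upload/drive/v3/files/abc?uploadType=resumable 200 20971520
2024-10-16T09:20:44Z vdi-0117 jdoe GET https://remotedesktop.google.com/access 200 1024
2024-10-16T09:22:10Z laptop-42 asmith POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 200 2048
2024-10-16T09:30:00Z vdi-0203 bwong GET https://mail.example.test/inbox 200 4096
"""


def parse(line):
    """Parse one proxy log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def triage(log_text):
    """Return {vdi_host: [finding, ...]} for hosts showing either behaviour."""
    drive_bytes = defaultdict(int)
    crd_hosts = set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not rec["host"].startswith(VDI_PREFIX):
            continue  # ignore malformed lines and non-VDI sources
        if rec["method"] in ("POST", "PUT") and rec["url"].startswith(DRIVE_UPLOAD):
            drive_bytes[rec["host"]] += rec["bytes_out"]
        if CRD_HOST in rec["url"]:
            crd_hosts.add(rec["host"])
    findings = defaultdict(list)
    for host, total in drive_bytes.items():
        if total > UPLOAD_THRESHOLD:
            findings[host].append(f"drive_upload_volume:{total}")
    for host in sorted(crd_hosts):
        findings[host].append("chrome_remote_desktop_access")
    return dict(findings)


if __name__ == "__main__":
    for host, items in triage(SAMPLE_LOGS).items():
        print(host, items)
```

The per-host byte sum matters more than any single request: resumable Drive uploads arrive as many chunked PUTs, so a rule keyed on one request would miss them. In practice the VDI prefix, the threshold and the list of sanctioned cloud storage destinations would come from the organisation's own asset inventory and policy rather than the constants above.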

Federal prosecutors indicted an Arizona woman and Polish authorities arrested a Ukrainian national in May for circumventing sanctions and helping North Korean nationals obtain IT work for U.S. Fortune 500 companies (see: US FBI Busts North Korean IT Worker Employment Scams). The Department of State also offered up to $5 million for information on four North Korean IT workers: Jiho Han, Chunji Jin, Haoran Xu and a manager known as Zhonghua.

A recent confidential United Nations report meanwhile warned the North Korean regime uses well-orchestrated hack attacks to steal money for its weapons-development programs, including online bank heists and deploying cryptocurrency miners to hack crypto exchanges. The report also said North Korea committed "continued violations" of global sanctions to fund its weapons programs (see: North Korean Hacking Funds WMD Programs, UN Report Warns).


About the Author

Chris Riotta

Managing Editor, GovInfoSecurity

Riotta is a journalist based in Washington, D.C. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president. His reporting has appeared in NBC News, Nextgov/FCW, Newsweek Magazine, The Independent and more.
