SecurityWeek

Nation-State

North Korean Fake IT Workers More Aggressively Extorting Enterprises

North Korean fake IT workers are more aggressively extorting their employers in response to law enforcement actions.


The individuals involved in North Korean fake IT worker schemes are extorting the organizations that employ them and are increasingly aggressive in their tactics, fresh warnings from the FBI and Mandiant show.

According to the FBI, in addition to extorting US organizations that were deceived into hiring them, the North Korean IT workers have been infiltrating corporate networks to steal sensitive data, facilitate cybercrime, and conduct other activities that generate revenue for the Pyongyang regime.

“After being discovered on company networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the companies meet ransom demands. In some instances, North Korean IT workers have publicly released victim companies’ proprietary code,” the FBI says.

The agency warns that these workers have been observed copying organizations’ code repositories, posing a risk of code theft, and could attempt to harvest company credentials and session cookies for further compromise.

This evolution in tactics was first observed in mid-2024, with some individuals demanding six-figure ransom payments from their former employers to prevent the publication of stolen data.

According to Michael Barnhart, principal analyst at Google Cloud-owned Mandiant, the North Korean IT workers are increasing the aggression in response to a wave of indictments and sanctions against them, and increased media coverage, which have impacted the success of their schemes.

“An unfortunate byproduct of law enforcement action is these threat actors are becoming noticeably more aggressive in their tactics. We are increasingly seeing North Korean IT workers infiltrating larger organizations to steal sensitive data and follow through on their extortion threats against these enterprises,” Barnhart told SecurityWeek in an emailed comment.

“It’s also unsurprising to see them expanding their operations into Europe to replicate their success, as it’s easier to entrap citizens who aren’t familiar with their ploy,” Barnhart said.


He also warns that companies using virtual desktop infrastructure (VDI) for remote workers instead of shipping them physical laptops are easier targets for North Korean IT workers, because VDI makes it easier for them to hide their malicious activity.

“As a result, North Korean IT workers are turning a company’s short-term savings into long-term security risks and financial losses, so it’s imperative for more businesses to pay attention to these operations,” Barnhart said.

To stay protected, businesses are advised to adhere to the principle of least privilege on their networks, monitor and investigate unusual traffic, monitor network logs and browser session activity, and monitor endpoints for software supporting multiple simultaneous audio/video calls.

Furthermore, companies should implement identity-verification processes when hiring and onboarding new employees, educate their staff regarding North Korean IT worker schemes, review applicants’ communication accounts, and use robust hiring practices, including conducting much of the hiring and onboarding in person.
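Two of the monitoring recommendations above, repository copying and endpoints running several call or remote-session clients at once, can be turned into simple detections. The following Python script is an added example, not code from SecurityWeek, the FBI or Mandiant; the process names in CALL_SOFTWARE, the host names, user names, repository names, the audit-log format and the thresholds are all assumptions chosen for illustration, and the sample data is constructed.

```python
"""Added example (not from the article, the FBI or Mandiant): two detections
drawn from the guidance above, run over constructed sample data.

1. Endpoints running several audio/video-call or remote-control clients at once.
2. Accounts that clone far more repositories in a day than their own baseline,
   a proxy for the repository copying the FBI describes.

Process names, hosts, users, repositories, log format and thresholds are
assumptions; tune them to your estate before relying on the output.
"""
from collections import defaultdict
from statistics import mean

# Assumed set of conferencing / remote-session executables worth counting.
CALL_SOFTWARE = {
    "zoom.exe", "teams.exe", "webex.exe", "gotomeeting.exe",
    "anydesk.exe", "teamviewer.exe",
}

# Constructed endpoint process inventory: (host, process name, pid).
PROCESS_INVENTORY = [
    ("WS-0141", "zoom.exe", 4120), ("WS-0141", "Teams.exe", 4188),
    ("WS-0141", "webex.exe", 4301), ("WS-0141", "AnyDesk.exe", 4410),
    ("WS-0141", "outlook.exe", 3980),
    ("WS-0087", "Teams.exe", 2210), ("WS-0087", "outlook.exe", 2190),
    ("WS-0203", "zoom.exe", 5150), ("WS-0203", "Teams.exe", 5201),
]


def hosts_with_concurrent_call_software(inventory, threshold=3):
    """Return {host: sorted distinct call/remote apps} for hosts at or above threshold."""
    apps_by_host = defaultdict(set)
    for host, proc, _pid in inventory:
        name = proc.lower()
        if name in CALL_SOFTWARE:
            apps_by_host[host].add(name)
    return {h: sorted(a) for h, a in apps_by_host.items() if len(a) >= threshold}


# Constructed git-server audit log, one "timestamp key=value ..." record per line.
GIT_AUDIT_LOG = "\n".join(
    [
        "2025-01-20T09:12:03Z user=alice action=clone repo=payments-api",
        "2025-01-20T09:15:44Z user=alice action=clone repo=billing-ui",
        "2025-01-21T10:01:00Z user=alice action=clone repo=payments-api",
        "2025-01-22T08:40:12Z user=alice action=clone repo=payments-api",
        "2025-01-22T08:41:30Z user=alice action=clone repo=auth-service",
        "2025-01-22T08:42:09Z user=alice action=clone repo=billing-ui",
        "2025-01-22T11:00:00Z user=alice action=push repo=payments-api",
    ]
    # Out-of-hours bulk clone of 40 distinct repositories by one account.
    + [f"2025-01-23T02:{i:02d}:00Z user=alice action=clone repo=repo-{i:02d}" for i in range(40)]
    # bob clones the same three repositories every day: a normal pattern.
    + [f"2025-01-2{d}T09:30:00Z user=bob action=clone repo={r}"
       for d in range(4) for r in ("payments-api", "billing-ui", "auth-service")]
)


def parse_git_audit(text):
    """Parse audit lines into (day, user, action, repo) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((ts[:10], fields["user"], fields["action"], fields["repo"]))
    return events


def clone_spikes(events, multiplier=5, min_clones=10):
    """Flag (user, day, count) where the distinct repos cloned that day is at least
    min_clones and more than multiplier times the user's mean on their other days.
    A user with no other history has a baseline of 0, so any day at min_clones or
    above is flagged; that is deliberate for brand-new accounts."""
    per_user_day = defaultdict(set)
    for day, user, action, repo in events:
        if action == "clone":
            per_user_day[(user, day)].add(repo)
    counts = {key: len(repos) for key, repos in per_user_day.items()}
    flagged = []
    for (user, day), n in sorted(counts.items()):
        others = [c for (u, d), c in counts.items() if u == user and d != day]
        baseline = mean(others) if others else 0.0
        if n >= min_clones and n > multiplier * baseline:
            flagged.append((user, day, n))
    return flagged


if __name__ == "__main__":
    for host, apps in hosts_with_concurrent_call_software(PROCESS_INVENTORY).items():
        print(f"{host}: {len(apps)} call/remote-session apps running: {', '.join(apps)}")
    for user, day, n in clone_spikes(parse_git_audit(GIT_AUDIT_LOG)):
        print(f"{user} cloned {n} distinct repositories on {day}")
```

On the constructed data, WS-0141 is flagged for running four call or remote-session clients at once, and alice is flagged for cloning 40 distinct repositories in one night against a baseline of about two per day. Both checks are starting points for the monitoring the FBI describes rather than proof of a fake worker; a legitimate engineer onboarding onto a new team can look the same, which is why the output belongs in an investigation queue, not an automatic block.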

The warning comes just as the US announced charges against five individuals involved in a fake IT worker scheme, including North Korean, American and Mexican nationals.

Related: Fake IT Workers Funneled Millions to North Korea, DOJ Says

Related: Mandiant Offers Clues to Spotting and Stopping North Korean Fake IT Workers

Related: Official Says Puerto Rico’s Senate Targeted by Cyberattack

Related: Study Finds New Employees Immediately Given Access to Millions of Files

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
