An unidentified company in the UK, US, or Australia has fallen victim to a cyberattack after unknowingly hiring a North Korean cybercriminal as a remote IT worker. The hacker gained access to the company’s computer network by falsifying his employment history and personal details during the hiring process. Once inside, he secretly downloaded sensitive data and later demanded a six-figure ransom in cryptocurrency.
Key Details of the Incident:
- Initial Entry: The North Korean hacker was hired in the summer as a contractor. Using the company’s remote working tools, he gained access to its corporate network and systematically downloaded large amounts of sensitive data.
- Employment Duration: He worked for the company for four months, during which he collected a salary that was likely funneled back to North Korea through a sophisticated money-laundering scheme to avoid sanctions.
- Ransom Demand: After being dismissed for poor performance, the hacker sent ransom emails to the company, threatening to publish or sell the stolen data unless a six-figure sum in cryptocurrency was paid.
- Disclosure: The firm, choosing to remain anonymous, allowed Secureworks, a cybersecurity firm, to report the incident to raise awareness and warn others about the risks of accidentally hiring North Korean operatives as remote workers.
Broader Context:
This incident is part of a growing trend where North Korean cybercriminals pose as legitimate remote workers for Western companies. Once hired, they exploit their access to steal data or commit other malicious activities, using fake identities to circumvent background checks. The funds generated from such activities are often redirected to North Korea to support the regime’s operations, bypassing international sanctions.
The case underscores the importance of implementing thorough vetting processes when hiring remote employees and highlights the risks associated with granting network access to individuals whose backgrounds have not been fully verified.
Firms duped
Since 2022, authorities and cybersecurity experts have been sounding the alarm about the growing trend of secret North Korean workers infiltrating Western companies. The U.S. and South Korea accuse North Korea of deploying thousands of workers to secure well-paid remote roles in Western companies to generate income for the regime while circumventing international sanctions.
Key Trends and Incidents:
- Widespread Infiltration: In September, cybersecurity firm Mandiant revealed that several Fortune 100 companies had unknowingly hired North Korean nationals posing as legitimate IT workers.
- Escalation to Cyber Attacks: According to Rafe Pilling, Director of Threat Intelligence at Secureworks, the recent case where a North Korean IT worker turned on their employer with a cyberattack marks a significant escalation in risk. He noted, “No longer are they just after a steady paycheck; they are now targeting higher sums more quickly through data theft and extortion from within the company defenses.”
- Rare but Growing Threat: Although fraudulent North Korean IT worker schemes are becoming more common, cases where these workers actively engage in cyberattacks against their employers are still relatively rare.
Related Incident with KnowBe4:
In another case, a North Korean IT worker hired by the cybersecurity company KnowBe4 attempted to hack the firm shortly after being hired. Despite thorough recruitment processes that included interviews, background checks, and reference verifications, the individual began installing malware on their company-issued Mac as soon as they received it. KnowBe4 quickly detected the suspicious behavior and disabled the worker’s access to their systems.
Authorities’ Warning:
Authorities and cybersecurity experts are urging employers to be extra cautious when hiring remote workers, emphasizing the importance of thorough vetting processes, even more so for fully remote positions. The growing sophistication of these tactics shows that North Korean operatives are now seeking not only steady income but also opportunities for immediate financial gains through more aggressive means like data theft and extortion.
This trend underscores the need for enhanced cybersecurity measures and vigilant recruitment practices to identify and mitigate the risks posed by malicious insiders.
