17 votes

The latest in North Korea’s fake IT worker scheme: Extorting the employers

2 comments

  1. skybrian
    Link
    From the article:

    After several incident investigations, Secureworks researchers said the fraudulently hired workers “demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes.”

    “In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024,” the researchers said in a report released on Wednesday.

    “Soon after the organization terminated the contractor’s employment due to poor performance, the company received a series of emails from an external Outlook email address. One of the emails included ZIP archive attachments containing proof of the stolen data, and another demanded a six-figure ransom in cryptocurrency to avoid publication of the stolen documents.”

    The contractor provided more evidence of stolen information in another email from a Gmail address.

    The ransom incident shows that the North Koreans have expanded operations “to include theft of intellectual property with the potential for additional monetary gain through extortion,” Secureworks said.

    ...

    The Justice Department has charged and arrested several U.S. citizens for running laptop farms that allow the North Korean IT workers to look like they are working in the U.S. when they are likely based in China or Russia.

    Secureworks said it saw fraudulent contractors rerouting company laptops to laptop farms or in other instances demanding to use personal laptops in an effort to avoid needing an “in-country facilitator.” Secureworks saw a contractor exfiltrate proprietary data to a personal Google Drive location through a personal laptop that was approved for remote work.

    In one instance, a worker asked the company to reroute the company laptop to a new address, prompting the organization to cancel the shipment entirely.

    Secureworks said contractors typically use a variety of tools to mask their IP address and remotely manage corporate devices including Chrome Remote Desktop and AnyDesk.

    5 votes
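The Secureworks observations quoted above (remote-management tools such as AnyDesk and Chrome Remote Desktop on corporate devices, and bulk uploads to a personal Google Drive) are the kind of thing a SOC can hunt for in endpoint and proxy logs. The script below is an added example, not code from the article, Secureworks, or the commenters: it runs two simple indicator checks over a handful of constructed log lines. The log format, host names, user names, binary names and the 5 MB upload threshold are all assumptions for illustration and would need to be adapted to a real EDR and proxy.

```python
"""
Added example (not from the article or this thread): flag two indicators
Secureworks describes in constructed endpoint/proxy logs:
  1. a remote-management tool (AnyDesk, Chrome Remote Desktop) starting
     on a corporate host, and
  2. a large POST/PUT to Google Drive from that host.
Log format, host/user names and the threshold are assumptions.
"""
import re
from collections import defaultdict

# Binary names for the tools named in the article (assumption: these are
# the names your EDR reports; add any vendor-specific spellings).
REMOTE_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "anydesk": "AnyDesk",
    "remoting_host.exe": "Chrome Remote Desktop",
    "chrome-remote-desktop-host": "Chrome Remote Desktop",
}
# Destinations used by Drive uploads (browser and API clients).
DRIVE_UPLOAD_HOSTS = {"drive.google.com", "www.googleapis.com"}
UPLOAD_THRESHOLD = 5_000_000  # bytes; assumption, tune per environment

# Constructed log formats: one line per process start / proxy request.
PROCESS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) proc user=(?P<user>\S+) image=(?P<image>.+)$")
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) proxy user=(?P<user>\S+) method=(?P<method>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")


def analyze(lines):
    """Return {host: [finding, ...]} for every host that trips an indicator."""
    findings = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = PROCESS_RE.match(line)
        if m:
            # Normalise Windows and POSIX paths, then keep the basename only.
            image = m["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            tool = REMOTE_TOOLS.get(image)
            if tool:
                findings[m["host"]].append(
                    f"remote-management tool: {tool} started by {m['user']}")
            continue
        m = PROXY_RE.match(line)
        if (m and m["method"] in ("POST", "PUT")
                and m["dst"] in DRIVE_UPLOAD_HOSTS
                and int(m["bytes"]) >= UPLOAD_THRESHOLD):
            findings[m["host"]].append(
                f"large upload to Google Drive: {int(m['bytes'])} bytes by {m['user']}")
    return dict(findings)


def hosts_with_both(findings):
    """Hosts showing a remote-management tool AND a large Drive upload:
    the combination seen in the exfiltration case Secureworks describes."""
    return sorted(
        host for host, items in findings.items()
        if any(i.startswith("remote-management") for i in items)
        and any(i.startswith("large upload") for i in items))


# Constructed sample input; every host, user and path here is made up.
SAMPLE_LOGS = r"""
2024-07-02T09:14:03Z ws-0117 proc user=jdoe image=C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe
2024-07-02T09:20:41Z ws-0117 proxy user=jdoe method=POST dst=www.googleapis.com bytes_out=48123904
2024-07-02T10:02:15Z ws-0204 proc user=asmith image=C:\Program Files\Git\bin\git.exe
2024-07-02T10:05:00Z ws-0204 proxy user=asmith method=GET dst=drive.google.com bytes_out=812
2024-07-02T11:30:09Z ws-0330 proc user=mlee image=C:\Program Files (x86)\Google\Chrome Remote Desktop\remoting_host.exe
""".strip().splitlines()


if __name__ == "__main__":
    results = analyze(SAMPLE_LOGS)
    for host, items in sorted(results.items()):
        for item in items:
            print(f"{host}: {item}")
    print("escalate (both indicators):", hosts_with_both(results))
```

Two caveats a practitioner would add: a proxy log alone cannot tell a personal Google account from a corporate one, so in practice the upload check pairs with a control such as Google Workspace's X-GoogApps-Allowed-Domains header, which restricts which accounts can sign in through the corporate egress; and a single remote-management binary is a weak signal on its own (IT teams use them too), which is why the escalation function requires both indicators on the same host.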
  2. unkz
    Link
    I recall the last time this topic came up, there was some discussion about how hiring North Koreans to work remote was just a matter of "overcoming systemic bias" and not a gaping security hole.

    3 votes