Biz hired, and fired, a fake North Korean IT worker – then the ransom demands began
- Reference: 1729225692
- News link: https://www.theregister.co.uk/2024/10/18/ransom_fake_it_worker_scam/
- Source link:
Secureworks' incident responders have come across this pattern during "numerous investigations," we're told. And "multiple" tactics used in these scams align with North Korea's Nickel Tapestry crew, which relies on the fake IT worker schemes to line Kim Jong Un's coffers. According to the US government, these [1]illicit funds contribute to the DPRK's [2]illegal weapons programs .
"The emergence of ransom demands marks a notable departure from prior Nickel Tapestry schemes," Secureworks Counter Threat Unit research team [3]remarked in a report.
[4]
"The extortion incident reveals that Nickel Tapestry has expanded its operations to include theft of intellectual property with the potential for additional monetary gain through extortion," and this "significantly changes the risk profile" for businesses that accidentally hire a North Korean techie," Secureworks warned.
[5]
[6]
Data theft followed by extortion does, however, follow the pattern of [7]escalating tactics documented by an earlier [8]FBI alert and falls in line with North Korean government-backed hackers' ongoing money-making schemes.
Other fake worker tactics have been documented by the [9]feds and friends in the [10]UK [PDF] and Australia. Secureworks’ incident response team has observed these fake contractors requesting changes to delivery addresses for employer-issued laptops, which are then rerouted to laptop farms – both to hide the new hire's location and also to establish persistent access to corporate systems.
[11]
Or, in some cases, the North Korean scammers will ask to use a personal laptop instead of a company-issued device and indicate their preference for using a virtual desktop.
You've been pwned
In one case documented by Secureworks, the phony worker exfiltrated proprietary information to a personal Google Drive location using the corporate virtual PC.
After firing the cyber crook, the biz received "a series of emails" – one including .ZIP archive attachments containing samples of the stolen documents, and another demanding a six-figure ransom, paid in cryptocurrency, or else the criminals would leak the sensitive information.
"Later that day, an email from a Gmail address shared a Google Drive folder containing additional evidence of stolen data," the report notes.
The threat hunters observe they've also spotted criminals using Chrome Remote Desktop to remotely manage and access corporate systems, and AnyDesk for remote access – despite this tool not being typically needed for their jobs.
[12]
"Analysis of AnyDesk logs in one engagement revealed connections to Astrill VPN IP addresses, indicating the application is part of Nickel Tapestry's toolset," we're told.
Another indication that you may have accidentally hired a North Korean criminal: these IT workers avoid video calls as much as possible, claiming the webcams on company-provided computers aren't working.
To be fair: this excuse also comes in handy on no-makeup and frizzy-hair days for legitimate reporters employees.
[13]Security biz KnowBe4 hired fake North Korean techie, who got straight to work ... on evil
[14]How to spot a North Korean agent before they get comfy inside payroll
[15]North Korean scammers plan wave of stealth attacks on crypto companies, FBI warns
[16]Microsoft says tougher punishments needed for state-sponsored cybercriminals
Secureworks reports that their forensic evidence found free SplitCam virtual video clone software – which can help disguise the fake workers' identity and location – in use on the scammers' laptops. "Based on these observations, it is highly likely that the threat group is experimenting with various methods for accommodating companies' requests to enable video on calls," the security analysts note.
They also advise companies to be on the lookout for "suspicious financial behavior" – such as updating bank accounts for paycheck deposits multiple times in a short period. Specifically, the researchers have seen the use of bank accounts operated by the Payoneer Inc. digital payment service in these scams.
Plus, if you've inadvertently hired one phony North Korean IT worker, it's likely that you're employing more than one scam artist – or even the same individual who has adopted multiple personas.
"In one engagement, several connections across multiple contractors employed by the company surfaced, with Candidate A providing a reference for a future hire (Candidate B), and another likely fraudulent contractor (Candidate C) replacing Candidate B after that contractor's termination," the team wrote, adding that in another incident they caught multiple individuals using the same email address.
"This observation indicates that North Korean IT workers are often co-located and may share jobs," according to the report.
How not to get scammed
To avoid falling victim to this remote IT worker scam, Secureworks suggests recommends checking job candidates' documentation and conducting in-person interviews if possible.
Infosec awareness and training provider KnowBe4 would likely second this recommendation. The security shop conducted four video interviews with a candidate and checked their appearance matched photos on a job application, but still [17]hired a North Korean fake IT worker for a software engineering role on its AI team.
It also pays to watch for new hires who ask to change their address during onboarding, or route paychecks to money transfer services. And, as always, restrict the use of unsanctioned remote access software and limit access to non-essential systems.
Google-owned infosec outfit Mandiant offers [18]similar advice on how to hire – or not hire - North Korean operatives.
And, as several other job seekers and techies pointed out on Reddit: [19]beware of cheap hires . As with most things in life, if it sounds too good to be true, it probably is. ®
Get our [20]Tech Resources
[1] https://www.theregister.com/2024/10/08/us_lazarus_group_crypto_seizure/
[2] https://home.treasury.gov/news/press-releases/jy2215
[3] https://www.secureworks.com/blog/fraudulent-north-korean-it-worker-schemes
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZxIxyTK4FuHbq-6fef6WRQAAAMA&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZxIxyTK4FuHbq-6fef6WRQAAAMA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZxIxyTK4FuHbq-6fef6WRQAAAMA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/09/05/fbi_north_korean_scammers_prepping/
[8] https://www.ic3.gov/PSA/2023/PSA231018
[9] https://www.justice.gov/opa/pr/justice-department-disrupts-north-korean-remote-it-worker-fraud-schemes-through-charges-and
[10] https://assets.publishing.service.gov.uk/media/66e2ec410d913026165c3d91/OFSI_Advisory_on_North_Korean_IT_Workers.pdf
[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZxIxyTK4FuHbq-6fef6WRQAAAMA&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_specialfeatures/cybersecuritymonth&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZxIxyTK4FuHbq-6fef6WRQAAAMA&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[13] https://www.theregister.com/2024/07/24/knowbe4_north_korean/
[14] https://www.theregister.com/2024/09/24/mandiant_north_korea_workers/
[15] https://www.theregister.com/2024/09/05/fbi_north_korean_scammers_prepping/
[16] https://www.theregister.com/2024/10/15/microsoft_digital_defense_report/
[17] https://www.theregister.com/2024/07/24/knowbe4_north_korean/
[18] https://www.theregister.com/2024/09/24/mandiant_north_korea_workers/
[19] https://www.reddit.com/r/technology/comments/1g4yy4l/firm_hacked_after_accidentally_hiring_north/?mid=1&ref=metacurity.com#cid=2292335
[20] https://whitepapers.theregister.com/
Re: Hiring a North Korean fake IT worker
My comany laptop is locked, but so much software can get installed without admin and into appdata it is silly
Even if it does ask for admin, close the prompt and into app data it goes
Re: Hiring a North Korean fake IT worker
According to the article, the laptops are delivered/rerouted to laptop farms - that'll be in the company's country - and the crooks presumably just access them remotely. This conveniently keeps the connection IP address local and avoids any corporate firewall blocking other countries.
The delivery address is not in North Korea.
Camouflaging destination
See, it's not that easy. Shipping adress for notebooks isn't "North Korea", its "Best Korea". A trap for you young players.
(Reminds me of GDR activity when a eastern agency luring west german soldiers used a WWII postcode starting with "W", suggesting western german origin.)
"It's a pattern cropping up more and more frequently: a company fills an IT contractor post, not realizing that ......." it has bugger-all security processes to manage its sensitive data.
My last proper company segregated and monitored its sensitive data and IT admins did not get automatic access to everything, everywhere from anywhere.
Identity
Don't know about elsewhere, but here (UK institution) anyone taken onto the payroll has to turn up in person at an administrative office with identity documents.
Re: Identity
That's nice, but it depends how much pushback the hiring managers give. If they claim they can't hire the right person, then a remote candidate might be their "only" option. Let's be perfectly honest, most managers are focused on short-term financial results, and security is an annoyance - until they destroy the company.
As usual, in most businesses, things are far more messy than a security person's theoretical operating procedure would like.
"They're working on project x so just give them access to all the files for that customer in case they need to refer back to previous work we did for them"
"They need to access Google drive because customer y demands we use it to share data with them"
"Please install z video conferencing client because this customer refuses to use Teams"
Even where we've got no staff with admin privileges on their machines, and AppLocker locking down what can be executed, with enough time there are ways around all this.
I'm going to assume Snowden was office based, and yet Iook what happened... The problem with remote working is that it makes all this stuff so much easier for a rogue employee.
Tip: Watch out for candidates asking your hiring teams to visit their personal websites - had one of those this week and it was trying to install ransomware...
Hiring a North Korean fake IT worker
How on Earth do you not get a clue when the delivery address for the company laptop is in North Korea ?
And an IT worker using a personal laptop ? No. He gets a fully locked-down laptop on which he can't install anything and, if he says that the camera isn't working, you know he's lying because you've tested the configuration first. Finally, he may be an IT contractor, but that doesn't mean he has access to everything. He has access to what you allow, the rest is out of bounds.
Bloody hell, your security is your responsability.