North Korean hackers, posing as IT workers in companies across the U.S., U.K., and other countries, are now extorting their employers after gaining insider access to sensitive information. This new tactic marks an alarming shift in a long-running North Korean operation aimed at infiltrating organizations through stolen or fake identities.
According to a report by Secureworks Counter Threat Unit, the North Korean hackers, once hired under false pretenses, have begun demanding ransom payments from their employers. These fraudulent workers, after securing jobs, exploit their insider access to steal proprietary data and then threaten to leak the information unless paid in cryptocurrency.
In one instance, a North Korean IT worker, hired by a company in mid-2024, exfiltrated sensitive data almost immediately. Following the worker’s termination due to poor performance, the company received emails from an external email account containing proof of the stolen data, with demands for a six-figure ransom in cryptocurrency to prevent its release. The worker followed up with further evidence using a separate Gmail account, pressuring the company to pay.
This extortion scheme is a significant evolution of North Korea's long-running cyber operations, which initially targeted cryptocurrency firms. The operators now target major organizations, including Fortune 100 companies, to steal intellectual property and monetize it through ransom demands.
Expanding Targets and New Tactics
U.S. law enforcement has been warning companies about the North Korean IT worker scheme for years. North Korean government employees often use fake identities to get hired, earning salaries that fund Pyongyang's military programs while gaining access to sensitive financial and military information. While this operation initially focused on the cryptocurrency industry, the workers have since shifted to targeting intellectual property across industries.
According to Amazon’s Chief Security Officer Stephen Schmidt, there are now signs of collaboration between North Korea and China. He noted that some of the information targeted by the North Koreans, such as data on chip production and supply chains, may not directly benefit North Korea but could be shared with Chinese intelligence agencies. While concrete evidence of China’s involvement is still lacking, there are indications of a tight intelligence-sharing relationship between the two countries.
Avoiding Detection
The North Korean IT workers have become increasingly sophisticated in avoiding detection. Secureworks investigators found that the workers often request to use personal laptops, or attempt to have company laptops rerouted to "laptop farms" so that the device appears to sit in the U.S. or another target country while the worker, often actually located in China or Russia, operates it remotely.
To mask their identity during video calls, one of the primary ways they are identified, these workers have begun using software such as SplitCam, which lets them manipulate the webcam feed and obscure their true appearance and location. They also install remote-access tools such as Chrome Remote Desktop and AnyDesk on the corporate device so they can operate it from abroad while the device's network traffic continues to originate from wherever it physically sits, hiding the worker's real IP address from the employer.
Financial Tactics and Coordination
Another red flag identified by Secureworks was churn in payment details: the fake IT workers frequently changed their bank account information, often routing pay through Payoneer to bypass traditional banks and avoid scrutiny. Secureworks also found that these workers often provided job references for one another, used similar email formats, and even handed jobs off among themselves, with one persona replacing another after termination. In some cases, a single individual used multiple identities to communicate with employers.
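The indicators above (remote-access and video-manipulation tools on the endpoint, logins from a country other than the one the worker claims, rapid bank-detail changes, personas vouching for one another, and look-alike email formats) are the kind of thing an insider-risk or HR-security team can screen for mechanically. The script below is an added illustration written for this article, not tooling from Secureworks or any named company; the worker records it runs over are constructed, and the thresholds (two or more bank changes within 90 days, tool-name substrings, a coarse letters-then-digits email shape) are assumptions chosen for the example rather than values the report specifies.

```python
"""Screen worker records for the red flags described in the Secureworks
reporting. All records and thresholds here are constructed for illustration."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Tool families named in the reporting; matched case-insensitively as substrings.
REMOTE_ACCESS_TOOLS = ("anydesk", "chrome remote desktop")
VIDEO_TOOLS = ("splitcam",)


@dataclass
class Worker:
    name: str
    email: str
    claimed_country: str
    installed_software: list[str]   # from endpoint inventory
    login_countries: list[str]      # GeoIP country of each SSO/VPN login
    bank_changes: list[date]        # dates payout details were modified
    references: list[str]           # e-mail addresses of people who vouched


def tool_flags(w: Worker) -> list[str]:
    flags = []
    for sw in w.installed_software:
        low = sw.lower()
        if any(t in low for t in REMOTE_ACCESS_TOOLS):
            flags.append(f"remote-access tool installed: {sw}")
        if any(t in low for t in VIDEO_TOOLS):
            flags.append(f"video-manipulation tool installed: {sw}")
    return flags


def geo_flags(w: Worker) -> list[str]:
    foreign = sorted({c for c in w.login_countries if c != w.claimed_country})
    if not foreign:
        return []
    return [f"logins from {', '.join(foreign)} but claims {w.claimed_country}"]


def bank_churn_flags(w: Worker, window_days: int = 90, threshold: int = 2) -> list[str]:
    # Sliding window over sorted change dates; `threshold` or more changes
    # inside any `window_days` span is reported (assumed threshold).
    dates = sorted(w.bank_changes)
    for i in range(len(dates)):
        j = i
        while j + 1 < len(dates) and (dates[j + 1] - dates[i]).days <= window_days:
            j += 1
        if j - i + 1 >= threshold:
            return [f"{j - i + 1} bank-detail changes within {window_days} days"]
    return []


def email_shape(email: str) -> str:
    """Reduce 'mlee1988@gmail.com' to 'LD@gmail.com': runs of letters become L,
    runs of digits D, punctuation kept. Coarse on purpose; it is a triage hint."""
    local, _, domain = email.lower().partition("@")
    shaped = re.sub(r"[a-z]+|[0-9]+", lambda m: "L" if m.group()[0].isalpha() else "D", local)
    return f"{shaped}@{domain}"


def cross_persona_flags(workers: list[Worker]) -> dict[str, list[str]]:
    """Flags that only appear when personas are compared with each other."""
    flags: dict[str, list[str]] = defaultdict(list)
    worker_emails = {w.email.lower(): w.name for w in workers}
    by_shape: dict[str, list[str]] = defaultdict(list)
    ref_users: dict[str, list[str]] = defaultdict(list)
    for w in workers:
        by_shape[email_shape(w.email)].append(w.name)
        for ref in (r.lower() for r in w.references):
            ref_users[ref].append(w.name)
            if ref in worker_emails:   # a reference who is also a hire
                flags[w.name].append(f"reference {ref} is worker {worker_emails[ref]}")
    for shape, names in by_shape.items():
        for n in names if len(names) > 1 else []:
            others = ", ".join(x for x in names if x != n)
            flags[n].append(f"e-mail shape {shape} shared with {others}")
    for ref, names in ref_users.items():
        for n in names if len(names) > 1 else []:
            others = ", ".join(x for x in names if x != n)
            flags[n].append(f"reference {ref} also vouched for {others}")
    return flags


def screen(workers: list[Worker]) -> dict[str, list[str]]:
    report = cross_persona_flags(workers)
    for w in workers:
        report[w.name].extend(tool_flags(w) + geo_flags(w) + bank_churn_flags(w))
    return {w.name: report[w.name] for w in workers}


# Constructed sample: two linked personas (B replaced A and used A as a
# reference) and one ordinary employee.
SAMPLE = [
    Worker("persona-A", "mlee1988@gmail.com", "US",
           ["Microsoft Office", "AnyDesk 8.0", "SplitCam"], ["US", "US", "RU"],
           [date(2024, 6, 3), date(2024, 6, 20), date(2024, 7, 15)],
           ["recruiter@example-agency.test"]),
    Worker("persona-B", "jpark1990@gmail.com", "US",
           ["Microsoft Office", "Chrome Remote Desktop Host"], ["US"],
           [date(2024, 9, 1)], ["mlee1988@gmail.com", "recruiter@example-agency.test"]),
    Worker("staff-C", "c.torres@corp.example", "US",
           ["Microsoft Office", "Visual Studio Code"], ["US", "US"],
           [date(2023, 1, 10)], ["hr@corp.example"]),
]

if __name__ == "__main__":
    for name, hits in screen(SAMPLE).items():
        print(f"{name}: {len(hits)} flag(s)")
        for h in hits:
            print("  -", h)
```

None of these signals is conclusive on its own (a legitimate employee may install AnyDesk or travel), which is why the cross-persona checks matter most: a new hire whose reference is a recently terminated worker, or two accounts vouched for by the same outside address, is the pattern the report describes.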
The Justice Department has already arrested several U.S. citizens involved in setting up “laptop farms” that enable North Korean workers to appear as though they are based in the U.S. but are, in reality, operating from foreign countries. Despite these arrests, North Korea’s IT worker scheme continues to expand, and its tactics are growing more sophisticated.
A Broader Threat
The infiltration of IT roles by North Korean operatives represents a serious threat to the organizations they target. The stolen data is not only used for extortion but is also potentially shared with foreign governments, raising significant national security concerns. As North Korean operations evolve, companies must remain vigilant, strengthening identity verification at hiring and their broader security controls to prevent fraudulent hires and keep sensitive data protected.