North Korean workers posing as freelancers are joining companies’ ranks, stealing data then demanding ransoms.
A report on the terrifying antics of some North Korean bad actors has been published and is being held up as a warning to companies.
With Microsoft reporting that ransomware attacks on its customers tripled from last year, this report shows to what lengths criminals will go to get their money.
Evolution in Attack Tactics
The report from Secureworks’ Counter Threat Unit makes for chilling reading and brings together examples from the US, the UK, and Australia.
The team writes: “In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes… In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024.”
Modus Operandi
The report details that the phoney contractors will often request to work from a personal laptop instead of a corporate machine and will also push for a virtual desktop infrastructure (VDI) setup.
“This tactic allows the contractors to use their personal laptops to remotely access the organization’s network. In one case, the contractor proceeded to exfiltrate proprietary data to a personal Google Drive location via a corporate VDI solution,” the report says.
It adds that some contractors have even gone as far as to change the delivery address for a corporate machine, sending it to a facilitator at a laptop farm.
Warning Issued
Secureworks has published a list of characteristics, which it explains may be “individually benign” but “a combination could indicate fraudulent activity and should prompt additional identity and employment eligibility checks.”
They include 3-4 employees listed previously sharing a resume containing elements that appear to be cloned by several applicants. They might also “provide excuses for not enabling their camera during interviews or refuses to disable virtual backgrounds.”
Secureworks adds: “Conducting in-person or video interviews and monitoring for suspicious activity (e.g., long speaking breaks) during video calls can reveal potential fraud.”
Rafe Pilling, Director of Threat Intelligence at Secureworks CTU, told The Hacker News that this report reflects that there has been a step up from criminals and they are now being more brazen in their attacks.
“This shift significantly changes the risk profile associated with inadvertently hiring North Korean IT workers,” he said in a statement. “No longer are they just after a steady paycheck, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defenses.”