The latest in North Korea’s fake IT worker scheme: Extorting the employers

North Korean government officials surreptitiously hired as IT workers at U.S. and U.K. companies are attempting to extort the organizations after gaining access to insider information.

The extortion attempts represent a new wrinkle in an North Korean operation using stolen or fake identities to place people inside companies in North America, Europe and Australia, according to incident responders at Secureworks Counter Threat Unit.

After several incident investigations, Secureworks researchers said the fraudulently hired workers “demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes.”

“In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024,” the researchers said in a report released on Wednesday.

“Soon after the organization terminated the contractor’s employment due to poor performance, the company received a series of emails from an external Outlook email address. One of the emails included ZIP archive attachments containing proof of the stolen data, and another demanded a six-figure ransom in cryptocurrency to avoid publication of the stolen documents.”

The contractor provided more evidence of stolen information in another email from a Gmail address. 

The ransom incident shows that the North Koreans have expanded operations “to include theft of intellectual property with the potential for additional monetary gain through extortion,” Secureworks said. 

“This shift significantly changes the risk profile for organizations that inadvertently hire a North Korean IT worker,” they added. 

U.S. law enforcement agencies have spent years warning companies of the scheme, which involves North Korean government workers obtaining employment and salaries from Western companies that are used to not only fund Pyongyang’s military programs but also to gain access to sensitive financial or military information. 

While the scheme initially focused on cryptocurrency firms, in recent years it has expanded to dozens of Fortune 100 companies.

Last week, Amazon Chief Security Officer Stephen Schmidt lent credence to the idea that the North Korean campaign to get threat actors hired in IT roles is expanding and evolving as law enforcement efforts have increased. 

During a discussion with reporters at Amazon’s Virginia headquarters, Schmidt said there are indications of Chinese involvement in the IT worker schemes. 

“In our conversations with the intelligence partners that we work with, it is really obvious that there is a probability that they are also sharing information with the Chinese. The probability is because I don’t know of direct evidence which proves, however, there is clear indication that there is a tight intelligence-sharing relationship on the backside there,” he said. 

“Some of the material that the North Koreans have attempted to access, does it have direct applicability to what the North Koreans traditionally look for?” 

Schmidt said North Korean actors are typically looking for information about dissidents, foreign currency and military hardware, especially in the ballistic missile space.

But he said Amazon has seen the actors “go after other things like chip production information, or information around supply chain systems, accessibility or industrial control systems, none of which the North Korean government itself is focused on very much.”

“So why are they doing it? Somebody else has asked them, since they have access, and they’re providing that. My supposition, based on individual fact, is that it may be because there’s some kind of reciprocity going on, whether that’s money or information sharing,” he said.  

Several researchers who spoke to Recorded Future News said they have not seen evidence of Chinese involvement and have only seen the threat actors target financial information or data that relates directly to North Korea. 

The Justice Department has charged and arrested several U.S. citizens for running laptop farms that allow the North Korean IT workers to look like they are working in the U.S. when they are likely based in China or Russia. 

Secureworks said it saw fraudulent contractors rerouting company laptops to laptop farms or in other instances demanding to use personal laptops in an effort to avoid needing an “in-country facilitator.” Secureworks saw a contractor exfiltrate proprietary data to a personal Google Drive location through a personal laptop that was approved for remote work. 

In one instance, a worker asked the company to reroute the company laptop to a new address, prompting the organization to cancel the shipment entirely. 

Secureworks said contractors typically use a variety of tools to mask their IP address and remotely manage corporate devices including Chrome Remote Desktop and AnyDesk.

Incident responders also found evidence that the North Korean actors are experimenting with new tools to address one of the key ways their cover is typically blown: through company demands for video calls. 

The actors typically avoid video calls but forensic evidence has shown that they are now using software called SplitCam, a popular tool that allows people to run several video chats at the same time with only one webcam. 

Secureworks explained that the actors have “likely adopted SplitCam to facilitate company video calls while attempting to hide a fraudulent worker’s identity and location.” 

“Based on these observations, it is highly likely that the threat group is experimenting with various methods for accommodating companies’ requests to enable video on calls,” they said. 

Another key indicator of malicious activity is the way the threat actors handle their finances. Incident responders found the fake workers repeatedly updating bank account information and using bank accounts run through digital payment service Payoneer in an attempt to circumvent traditional banking systems. 

Secureworks said its investigations uncovered links between the fraudulent IT workers, who typically provided references for one another, used similar email formats and resumes and performed similar jobs, sometimes at the same company. 

“In one engagement, several connections across multiple contractors employed by the company surfaced, with Candidate A providing a reference for a future hire (Candidate B), and another likely fraudulent contractor (Candidate C) replacing Candidate B after that contractor’s termination (see Figure 3),” they explained. 

“In some instances, the same individual adopts multiple personas. In one incident, two distinct styles of writing observed in the email communications suggested that multiple individuals corresponded via the same email address. This observation indicates that North Korean IT workers are often co-located and may share jobs.”