Thought Leadership
Once again, a company has fallen victim to a hacker attack after unknowingly hiring a North Korean cybercriminal as a remote IT employee.
The company concerned, which wishes to remain anonymous, has allowed the cybersecurity specialists at Secureworks to publicize the incident in order to raise public awareness of the threat and warn other companies.
According to Secureworks, the suspected male IT employee was hired in the summer. Once he gained access to the company network, he began downloading sensitive company data and then made a ransom demand. The hacker had falsified his employment history and personal details to get the job. He worked for the company for four months and received a salary that was most likely transferred to North Korea through complex money laundering channels to circumvent Western sanctions against the isolated country.
After the company fired the hacker for poor performance, it received blackmail emails containing some of the stolen data and demanding a six-figure ransom in cryptocurrency. The hacker threatened to publish the captured information or sell it online if the company did not pay. The company, which is said to be based in the Anglo-Saxon region, did not disclose whether the ransom was paid.
North Korea again and again
This incident is one in a series of cases in which North Korean citizens have posed as Western remote workers. Of particular concern is the fact that some of these IT specialists hold several jobs at the same time, pocketing substantial monthly salaries that flow directly into the coffers of the North Korean regime. The cyber security firm Mandiant uncovered a particularly serious case in which a single “facilitator” in the USA compromised the identities of over 60 people, thereby damaging around 300 US companies. Through these fraudulent activities, he managed to transfer at least 6.8 million US dollars to North Korean IT workers.
According to Secureworks’ observations, North Korean hackers go to great lengths to avoid using company laptops and disguise their actual location. In some cases, the hackers asked to use their own private laptops or a virtual desktop infrastructure. Others simply changed the shipping address to send their work equipment to a laptop farm disguised with a US IP address.
Rafe Pilling, Director of Threat Analysis at Secureworks, emphasizes that this is a worrying escalation of risk by North Korean IT forces. It is no longer just about a steady income, but about higher sums of money that are to be captured through data theft and blackmail within a very short time. Authorities are urging employers to be vigilant with new employees, especially if they work exclusively remotely.
It was only in July that the security awareness provider KnowBe4 revealed that it had inadvertently hired a North Korean hacker. Fortunately, the cybercriminal in this case was exposed before he could cause any damage.
