Cybersecurity experts have warned of a growing risk of infiltration of Western businesses by cybercriminals posing as IT workers and are encouraging firms to tighten their recruitment processes.
The move follows a growing number of instances where North Korean cybercriminal networks have posed as remote IT workers with fake IDs to access corporate networks and steal sensitive company data.
In the past, the US and South Korea have warned of attempts by North Korean cybercriminals to gain employment with Western businesses to earn money for the regime and cause disruption.
Earlier this year cybersecurity outfit Secureworks reported that a firm had been hacked by a cybercriminal after the company accidentally hired him and gave him access to its network.
The worker, who was subsequently revealed to be part of the North Korean threat group NICKEL TAPESTRY, earned a salary with the company but, once uncovered, demanded a cryptocurrency ransom for stolen company information.
Rafe Pilling, director of Threat Intelligence at Secureworks’ Counter Threat Unit, declared: “This is a serious escalation of the risk from fraudulent North Korean IT Worker schemes. Within days of joining an organization under the guise of a legitimate contractor, the threat actor accessed and exfiltrated company data.”
“Once the employment contract was complete, they quickly used this as collateral to demand a hefty ransom in return for not publishing the stolen data.”
Pilling said that there is a lot employers can do in the recruitment process, with identity checks and in-person or video interviews, which can be used to monitor for suspicious activity such as long pauses in conversation.
Other giveaways include attempts to re-route corporate IT equipment sent to the contractor’s declared home address, routing paychecks to money transfer services and accessing the corporate network with unauthorised remote access tools, he added.
Growing threat
Javvad Malik, lead security awareness advocate at KnowBe4, said that fraudulent North Korean IT worker schemes were a growing threat.
“A common misconception is that nation-state cybercriminals primarily target the United States. However, recent evidence suggests it’s a more ubiquitous threat, with significant activities targeting the UK, Australia, and other regions globally,” said Malik.
Businesses need more than the right cybersecurity tools to protect themselves, he added.
“From entry-level employees to C-suite executives, each individual plays a pivotal role in maintaining the organisation’s security.”
KnowBe4 itself has fallen victim to North Korean hackers, after the firm confirmed it had hired an “AI developer” who turned out to be part of a North Korean hacking gang.
Speaking exclusively to TechInformed, KnowBe4 security awareness advocate Erich Kron said the firm quickly noticed that the rogue actor was downloading hacking tools when using its network, and shut him out of the network within 25 minutes.
“We only grant limited permissions to new employees as they proceed through our new hire onboarding process… so the only thing he had access to start with was his training modules.
“We’re a very security-conscious company – so when we confronted him, he said he was trying to fix something with his router for Wi-Fi. That didn’t add up – so within 25 mins he was shut off the network.”
The North Korean gang had used AI-generated photos alongside a stolen US identity to create the hacker’s persona. KnowBe4 has since published a blog about the incident to help other organisations prepare for similar threats.
Not the Who, but the How?
“In the aftermath of a cyber incident, attribution often becomes a focal point. However, the process of identifying the perpetrators is complex and frequently inconclusive,” said Malik.
“Rather than fixating on the ‘who,’ organisations benefit more from focusing on the ‘how.’ Understanding the tactics, techniques, and procedures used in an attack provides more actionable insights for improving defences.”
“It requires organisations to adopt a proactive, rather than reactive, approach to security. This involves continuous learning, adaptation, and a healthy dose of scepticism.”