North Korean IT Workers Holding Data Hostage for Extortion, FBI Warns
The FBI has warned that North Korean IT worker schemes are stealing data to extort their victims as part of efforts to generate revenue for the Democratic People’s Republic of Korea (DPRK).
The US intelligence agency confirmed it has observed North Korean IT workers engaging in this tactic over recent months. This involves exfiltrating stolen proprietary data and code from their former employers. This information is then held “hostage” until the ransom demand is met.
In some cases, this sensitive data has been publicly released when the victim organizations have refused to pay the ransom.
As part of this move to data extortion, North Korean IT workers have escalated the ways they access and exfiltrate company data, the advisory noted.
This includes copying company code repositories, such as GitHub, to their own user profiles and personal cloud accounts. This activity represents a large-scale risk of theft of company code.
The FBI also warned that these workers could attempt to harvest sensitive company credentials and session cookies to initiate work sessions from non-company devices and for further compromise opportunities.
Continued Victimization of US Businesses
North Korean IT worker schemes have targeted US organizations for several years, and the tactics they deploy have evolved significantly over that time.
A US government advisory in May 2022 warned that IT workers from North Korea were taking advantage of the shift to remote work to help obfuscate their identities and gain freelance employment contracts from organizations based in the US, Europe and East Asia.
This follows the DPRK placing years of focus on education and training in IT-related subjects for its citizens.
Once employed, these workers’ salaries are used to support the DPRK government. This initial advisory warned there was also evidence the workers were using their privileged access to enable malicious cyber intrusions.
However, in the past year, security researchers have highlighted significant escalations in the tactics used by fake North Korean IT workers, such as stealing data from their employers.
In July 2024, cybersecurity firm KnowBe4 revealed it was duped into hiring a fake IT worker from North Korea, resulting in immediate attempted insider threat activity. The fake worker gained employment after using a valid but stolen US-based identity.
In October 2024, Secureworks warned that North Korea has adopted new tactics to escalate fake IT worker insider attacks, including extorting their former employers. In one case observed by the firm, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024, before threatening to publish the data online in a ransom demand sent to their former employer.
The FBI said its new advisory is designed to raise public awareness of the “increasingly malicious activity” of these IT worker schemes.
How to Detect North Korean IT Worker Schemes
The advisory set out a range of recommendations for businesses to strengthen hiring practices to avoid handing employment to North Korean workers.
These include:
- Implement identity-verification processes during interviewing, onboarding and throughout the employment of any remote worker, as North Korean IT workers often use AI and deepfake tools to obfuscate their identities
- Cross-check HR systems for other applicants with the same resume content and/or contact information
- Educate HR staff, hiring managers, and development teams regarding the North Korean IT worker threat, specifically focusing on changes in address or payment platforms during the onboarding process
- Review each applicant’s communication accounts, as North Korean IT workers have reused phone numbers and email addresses on multiple resumes purportedly belonging to different applicants
- Complete as much of the hiring and onboarding process as possible in person
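Two of the recommendations above, cross-checking HR systems for applicants who share resume content or contact details, can be automated. The following is an added illustration written for this article, not FBI or vendor tooling; the applicant records are constructed, and it assumes HR data can be exported as simple dictionaries with email, phone and resume text.

```python
"""Cross-check applicant records for shared contact details and near-duplicate
resume text. Sample data below is constructed for illustration."""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample applicant records (names, numbers and addresses are made up).
APPLICANTS = [
    {"id": "A1", "name": "J. Smith", "email": "Dev.Contact+1@Example.com",
     "phone": "+1 (555) 010-2233",
     "resume": "Senior full-stack developer with 8 years in React Node AWS"},
    {"id": "A2", "name": "M. Lee", "email": "dev.contact@example.com",
     "phone": "555-010-2233",
     "resume": "Senior full stack developer with 8 years in React, Node and AWS"},
    {"id": "A3", "name": "R. Patel", "email": "r.patel@example.net",
     "phone": "+44 20 7946 0000",
     "resume": "Embedded firmware engineer, C and Rust, 5 years"},
]

def norm_email(e):
    # Lower-case and drop "+tag" sub-addresses so trivial variants collide.
    local, _, domain = e.strip().lower().partition("@")
    return local.split("+")[0] + "@" + domain

def norm_phone(p):
    # Keep digits only and compare on the last 10, ignoring country-code styling.
    digits = re.sub(r"\D", "", p)
    return digits[-10:] if len(digits) >= 10 else digits

def shingles(text, k=3):
    # Word 3-grams; robust to punctuation and small edits in reused resume text.
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def find_shared_contacts(applicants):
    # Map each normalised email/phone to the applicant ids that use it;
    # any key used by more than one "different" applicant is a flag.
    by_key = defaultdict(set)
    for a in applicants:
        by_key[("email", norm_email(a["email"]))].add(a["id"])
        by_key[("phone", norm_phone(a["phone"]))].add(a["id"])
    return {k: ids for k, ids in by_key.items() if len(ids) > 1}

def find_similar_resumes(applicants, threshold=0.5):
    # Pairs of applicants whose resume text overlaps above the threshold.
    sh = {a["id"]: shingles(a["resume"]) for a in applicants}
    return [(x, y, round(jaccard(sh[x], sh[y]), 2))
            for x, y in combinations(sh, 2) if jaccard(sh[x], sh[y]) >= threshold]
```

Flagged pairs are leads for a human reviewer, not verdicts: legitimate applicants occasionally share a recruiter's phone number or reuse a template.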
The FBI also urged firms to employ extensive data monitoring practices to quickly detect any suspicious activity carried out by North Korean workers using their privileged access.
These should have a particular focus on monitoring unusual network traffic and logs and browser session activity to identify data exfiltration.
US Issues Charges for DPRK IT Worker Scheme
On January 23, the US Department of Justice (DoJ) announced charges against five individuals for an IT worker scheme designed to generate revenue for North Korea.
Two North Korean nationals, a Mexican national and two US nationals have been accused of a years-long plot to install North Korean IT workers as remote employees in US companies.
From approximately April 2018 through August 2024, the defendants and their unindicted co-conspirators allegedly obtained work from at least 64 US companies. The defendants used forged and stolen identity documents to circumvent sanctions to obtain employment.
Payments from 10 of those companies generated at least $866,255 in revenue, most of which the defendants then laundered through a Chinese bank account.
If convicted, the defendants face a maximum penalty of 20 years in prison.