Employers beware: North Korean hackers could be posing as your latest IT hire


Members of a stealthy North Korean hacking group are applying for IT jobs at companies across the US, UK, and Australia. Once hired, the bad actors steal your company's trade secrets and hold them for ransom, according to a new report by Secureworks released Wednesday.

It’s the latest evolving insider threat for employers and the latest tactic being used by the Democratic People’s Republic of Korea (DPRK) to infiltrate the technology sector in search of proprietary trade secrets, Secureworks' Counter Threat Unit (CTU) said.

At the heart of the IT worker scam’s most recent iteration – which according to Secureworks, has “not been observed in earlier schemes” – is the threat group known as Nickel Tapestry.


Members of the North Korean-linked group use “stolen or falsified identities” to fool HR departments into believing they are legitimate job seekers, often applying for developer positions at Western companies. Facilitators in the target country host the company-issued laptops at so-called ‘laptop farms’ so that the devices appear to be in use at the worker’s claimed address, while the actual operator connects remotely.

In some instances, the fake workers were even found using ‘SplitCam’ – virtual-webcam software that can feed manipulated or pre-recorded video into a call – to get through video interviews and meetings while hiding their identity and location, the cybersecurity company revealed.

Similar IT worker schemes have been discovered operating on behalf of the North Korean government since as early as 2018, according to various FBI warning reports.

Fraudulent workers weasel their way into cushy jobs at Fortune 100 tech companies, collecting hundreds of thousands of dollars in paychecks, which are funneled back to the North Korean government for its weapons programs, including weapons of mass destruction (WMD), the research shows.

[Image: Laptop farm setup used to hide fraudulent North Korean IT workers’ location. Image by Secureworks]

In fact, US security awareness training company KnowBe4 was the latest high-profile victim to fall for a comparable scam, and in August US authorities arrested a Tennessee man accused of running one of the laptop farms used by the fake North Korean workers to deceive employers and launder funds.

And, in September, Pyongyang’s cyber warriors were reported to be posing as recruiters from major financial firms, such as Capital One, luring developers into downloading malware hidden within Python packages presented as coding tests.

US authorities have also offered a reward of up to $5 million, through the State Department’s Rewards for Justice program, for information leading to the disruption of any of the multiple IT worker schemes in operation today, some of which are run out of China.


The new hire deception

CTU researchers say in a recent case example from earlier this year, once the so-called ‘new employee’ was hired and had established insider access, they immediately began to exfiltrate proprietary data, got fired for "poor performance," and then tried to extort the company – demanding a six-figure ransom for the stolen data.

The addition of the extortion tactic “reveals that Nickel Tapestry has expanded its operations to include theft of intellectual property with the potential for additional monetary gain… significantly changing the risk profile for organizations” inadvertently falling victim to the scheme, Secureworks wrote in the blog report.

The fake workers were said to try to convince the company to let them use their own personal computers, connecting to the organization’s network through virtual desktops rather than a company-issued laptop, which leaves less forensic evidence on corporate hardware; CTU describes this as a tactic commonly used by Nickel Tapestry.

CTU described another instance where a fake worker had attempted to transfer sensitive files directly into their own personal Google Drive.

Secureworks also observed the threat actors using Chrome Remote Desktop and AnyDesk to remotely access and manage corporate systems, tooling that was atypical for their job roles.
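The behaviours described in the last few paragraphs – remote-access tools appearing on a machine whose owner has no business need for them, and bulk uploads to a personal Google Drive – are exactly what endpoint and proxy logs can surface. The following Python is an added example written for this page, not Secureworks’ code or anything from the CTU report: it runs two rules over constructed sample log lines and reports a user who trips more than one rule, since (as CTU notes for the hiring red flags) a combination of signals is the strongest indicator. The log format, the role table, the tool patterns and the 100 MB upload threshold are all assumptions chosen for illustration.

```python
"""
Added example (not from the Secureworks report): flag remote-access tools run by
users whose role does not need them, and large uploads to personal Google Drive,
over constructed endpoint/proxy log lines.
"""
import re

# Constructed sample telemetry (not real logs). Two record kinds:
#   <ts> PROC <host> <user> <process image path>
#   <ts> NET  <host> <user> <bytes_out> <url>
SAMPLE_LOGS = """\
2024-03-04T09:12:03Z PROC dev-lt-017 jdoe C:\\Program Files\\AnyDesk\\AnyDesk.exe
2024-03-04T09:12:40Z NET  dev-lt-017 jdoe 512 https://relay-3.net.anydesk.com/
2024-03-04T11:02:11Z PROC dev-lt-017 jdoe C:\\Program Files\\Google\\Chrome Remote Desktop\\122.0.6261.69\\remoting_host.exe
2024-03-04T14:30:00Z NET  dev-lt-017 jdoe 734003200 https://www.googleapis.com/upload/drive/v3/files
2024-03-04T15:01:00Z NET  dev-lt-017 jdoe 1048576 https://github.com/corp/repo
2024-03-04T10:00:00Z PROC hd-lt-002 asmith C:\\Program Files\\AnyDesk\\AnyDesk.exe
2024-03-04T10:20:00Z NET  hd-lt-002 asmith 2048 https://drive.google.com/upload
"""

# Assumed role table (from an HR system in practice). Unknown users get "unknown"
# and are treated as NOT entitled to remote-access tools.
ROLE_OF = {"jdoe": "developer", "asmith": "helpdesk"}
REMOTE_TOOL_ROLES = {"helpdesk", "it-ops"}   # roles allowed to run such tools

# Tool fingerprints: process image names and relay/service hostnames.
REMOTE_ACCESS_TOOLS = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "Chrome Remote Desktop": re.compile(
        r"chrome remote desktop|remoting_host\.exe|remotedesktop\.google\.com", re.I),
}
PERSONAL_STORAGE = re.compile(r"drive\.google\.com|googleapis\.com/upload/drive", re.I)
UPLOAD_THRESHOLD = 100 * 1024 * 1024   # bytes; assumed bulk-exfil threshold


def parse(log_text):
    """Turn the sample format into event dicts with a common 'indicator' field."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, host, user, rest = line.split(None, 4)
        ev = {"ts": ts, "kind": kind, "host": host, "user": user, "bytes_out": 0}
        if kind == "PROC":
            ev["indicator"] = rest            # image path may contain spaces
        elif kind == "NET":
            size, url = rest.split(None, 1)
            ev["bytes_out"] = int(size)
            ev["indicator"] = url
        else:
            continue                          # unknown record kind: skip
        events.append(ev)
    return events


def detect(events, role_of=ROLE_OF):
    """Apply both rules; remote-tool hits are deduplicated per (user, host, tool)."""
    findings, seen = [], set()
    for ev in events:
        role = role_of.get(ev["user"], "unknown")
        for tool, pattern in REMOTE_ACCESS_TOOLS.items():
            if pattern.search(ev["indicator"]) and role not in REMOTE_TOOL_ROLES:
                key = (ev["user"], ev["host"], tool)
                if key not in seen:
                    seen.add(key)
                    findings.append({"user": ev["user"], "host": ev["host"],
                                     "rule": "remote_access_tool",
                                     "detail": f"{tool} used by role '{role}'"})
        if (ev["kind"] == "NET" and PERSONAL_STORAGE.search(ev["indicator"])
                and ev["bytes_out"] >= UPLOAD_THRESHOLD):
            findings.append({"user": ev["user"], "host": ev["host"],
                             "rule": "personal_cloud_upload",
                             "detail": f"{ev['bytes_out']} bytes to {ev['indicator']}"})
    return findings


def users_hitting_multiple_rules(findings):
    """Users that tripped more than one distinct rule, sorted by name."""
    rules_by_user = {}
    for f in findings:
        rules_by_user.setdefault(f["user"], set()).add(f["rule"])
    return sorted(u for u, rules in rules_by_user.items() if len(rules) > 1)


if __name__ == "__main__":
    found = detect(parse(SAMPLE_LOGS))
    for f in found:
        print(f"{f['user']}@{f['host']}: {f['rule']} - {f['detail']}")
    print("escalate:", users_hitting_multiple_rules(found))
```

In the sample, the help-desk user who legitimately runs AnyDesk and briefly touches Google Drive generates nothing, while the developer account trips both rules and is the one to escalate. In a real deployment the role table would come from the HR system and the patterns from the organisation’s list of sanctioned remote-access software.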

Besides finding excuses to sidestep turning on video cameras during company calls, CTU researchers said the bad actors would also display “suspicious financial behaviors,” including multiple requests to update bank account information and to have paychecks deposited into digital payment services to avoid using traditional banks.

Finally, the fake workers would also support each other's ruse – claiming to be from the same fake company, providing references for one another, and even performing job duties and email communications for each other. In one scenario, researchers say one individual “adopted multiple personas” for the scheme.


How to spot a fake IT worker

To avoid becoming a victim of an IT worker scam, CTU researchers say organizations should “thoroughly verify candidates’ identities by checking documentation for consistency, including their name, nationality, contact details, and work history.”

Secureworks also provides a list of behavioral characteristics commonly associated with the North Korean IT worker scam. No single trait is conclusive; the researchers say a combination of them is the strongest red flag and should trigger more digging into a candidate:

  • Applies for full stack developer position.
  • Claims 8-10 years of experience, with 3-4 previous employers.
  • Novice to intermediate English writing and speaking skills.
  • Resume contains cloned elements from several other applicants.
  • Hours of communication are unusual for listed address, uses various communication styles.
  • Provides excuses for not enabling their camera during interviews or refuses to disable virtual backgrounds.
  • May sound like they are speaking from a call center environment.

The researchers say companies should also conduct job interviews in person or by video chat and monitor for suspicious activity during those interviews, such as long breaks between answers.

Other shady behavior to look out for includes new hires who immediately request to change their address or try to change the delivery address for company laptops and other computer equipment while en route.

Enforcing existing access-management policies, such as restricting unauthorized remote-access tools and limiting each account to the systems its role actually requires, would further prevent the hackers from gaining unauthorized remote access to sensitive files and company systems, Secureworks noted.