North Korean fake IT worker scams are evolving to incorporate theft and extortion as more examples of targeting against technology and other companies emerge.
The deception typically features North Korean operatives posing as legitimate IT professionals in attempts to gain employment at Western firms, almost always for positions that offer remote working options.
Once hired, these “remote workers” exploit their insider access to carry out reconnaissance against a firm’s infrastructure and steal sensitive information while collecting a salary that is funnelled back to the North Korean regime.
Faking IT
In one recent case, a candidate that security firm Exabeam was considering for an open position displayed enough technical knowledge to get past an initial interview with human resources staff. Even during this initial interview, recruiters flagged the responses from the candidate as “somewhat scripted.” Soon, during interviews with department heads, the wheels would begin to fall off.
The online interview for the full-time senior governance, risk, and compliance analyst position with Jodi Maas, GRC team lead, and Exabeam CISO Kevin Kirkwood was “odd” from the start.
“Her eyes weren’t moving, the lips weren’t in sync, and the voice was mechanical,” Kirkwood told CSO. “It was like something from a 1970s Japanese Godzilla movie.”
Kirkwood and his colleague quickly concluded that they were interviewing a candidate using deepfake video technology. Delays in replies, and the mechanical nature of responses, suggested that the job candidate was attempting to use voice translation technology in responding to questions.
“This was easy to detect, but the technology is going to improve and we’re going to get more challenging deepfakes in future,” Kirkwood warned.
Created using deep learning AI, deepfake images, video, and audio are viewed by cybercriminals as a new, powerful tool for use in social engineering and extortion campaigns. According to a recent survey from Deloitte, cybercriminals are already targeting more than a quarter of all companies, with a focus on financial data.
After the interview, Maas and Kirkwood worked with their HR colleagues to revamp Exabeam’s recruitment process to introduce even more stringent safeguards, including an insistence on video interviews for remote job applicant candidates, and additional staff training.
Potential employers are urged to verify candidates’ identities and documentation, and to be wary of suspicious activity during video calls. During the onboarding of new recruits, companies should be especially alert to the unauthorized use of remote access and VPN tools.
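One way to put that onboarding advice into practice is to watch endpoint process telemetry for remote-access and third-party VPN clients and raise the severity when the account is still inside its first weeks of employment. The script below is an added illustration, not code from CSO, Exabeam, Secureworks or any other organisation named in the article. The key=value log format, the sample events, the hire dates, the tool watchlist, the placeholder name `corp-vpn-client.exe` for a sanctioned VPN client, and the 30-day onboarding window are all assumptions to be tuned to a real environment.

```python
"""Flag remote-access / VPN tool use, escalating for accounts still being onboarded.

Added example, not code from the article or any vendor it names. The log format,
watchlist, hire dates and window length are assumptions.
"""
from datetime import date, datetime

# Assumption: process names of widely used remote desktop and VPN clients.
# A watchlist to tune per environment, not an authoritative catalogue.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "rustdesk.exe",   # remote desktop tools
    "openvpn.exe", "wireguard.exe",                    # third-party VPN clients
}
# Placeholder for the organisation's own sanctioned VPN client (assumed name).
APPROVED_TOOLS = {"corp-vpn-client.exe"}
ONBOARDING_WINDOW_DAYS = 30  # assumed length of the high-scrutiny period

# Constructed sample telemetry: one process-start event per line.
SAMPLE_EVENTS = """\
ts=2024-07-02T09:14:05Z user=jsmith process=AnyDesk.exe host=LT-0042
ts=2024-07-02T09:20:11Z user=jsmith process=outlook.exe host=LT-0042
ts=2024-07-03T22:41:30Z user=jsmith process=openvpn.exe host=LT-0042
ts=2024-07-05T10:02:00Z user=mlee process=TeamViewer.exe host=LT-0017
ts=2024-07-05T11:00:00Z user=mlee process=corp-vpn-client.exe host=LT-0017
"""

# Constructed hire dates, as an HR system would export them.
HIRE_DATES = {
    "jsmith": date(2024, 7, 1),   # started the day before the first event
    "mlee": date(2023, 1, 15),    # long-established employee
}


def parse_event(line):
    """Parse one 'key=value key=value ...' line into a dict (constructed format)."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["process"] = fields["process"].lower()  # normalise case for matching
    return fields


def find_onboarding_alerts(events_text, hire_dates, window_days=ONBOARDING_WINDOW_DAYS):
    """Return one alert per unapproved remote-access/VPN process start.

    Severity is 'high' when the account is within `window_days` of its hire
    date, 'medium' for any other account (including users with no hire record).
    """
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        proc = ev["process"]
        if proc in APPROVED_TOOLS or proc not in REMOTE_ACCESS_TOOLS:
            continue
        hired = hire_dates.get(ev["user"])
        days = (ev["ts"].date() - hired).days if hired else None
        in_window = days is not None and 0 <= days <= window_days
        alerts.append({
            "user": ev["user"],
            "host": ev["host"],
            "process": proc,
            "when": ev["ts"].isoformat(),
            "days_since_hire": days,
            "severity": "high" if in_window else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_onboarding_alerts(SAMPLE_EVENTS, HIRE_DATES):
        print(f"[{alert['severity'].upper():6}] {alert['when']} {alert['user']}@{alert['host']} "
              f"started {alert['process']} (days since hire: {alert['days_since_hire']})")
```

Run as-is, the sample produces two high-severity alerts for the new hire (a remote desktop tool on day one and a third-party VPN client on day two) and one medium-severity alert for the established user's remote desktop tool; the sanctioned VPN client and ordinary applications are ignored. The hire-date join is what makes the rule useful: the same tool launch means something different on a laptop issued last week than on one that has been in service for years.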
More than 300 businesses are believed to have fallen victim to the fake IT worker scam, which is estimated to have generated millions in revenue for the North Korean regime. In August, EDR vendor CrowdStrike released a report on how one North Korean group infiltrated over 100 companies through impersonation campaigns.
DPRK [North Korean] IT workers can individually earn more than $300,000 a year in some cases, and teams of IT workers can collectively earn more than $3 million annually, the US Department of State, US Treasury, and FBI warned in a joint advisory in May 2022.
Security awareness vendor KnowBe4 inadvertently hired a North Korean IT worker who unsuccessfully attempted to breach its network. KnowBe4 went public with its experience in a blog post that offers a detailed look at how the scam works in practice.
More background on the fake IT worker scam — alongside tips on its detection — can be found in CSO’s August 2024 feature “How not to hire a North Korean IT spy.”
Extortion enters the mix
In a new twist on the fraudulent North Korean IT worker scam, miscreants have added extortion based on the theft of proprietary data to their playbook.
Cybersecurity incident response firm Secureworks reports a case in which a contractor exfiltrated proprietary information from an unnamed company almost immediately after their employment began in mid-2024.
Poor performance meant that the worker was fired after four months, but just days later the company received a series of emails, including zip archives containing proof of the purloined intellectual property, alongside extortionate demands to pay a six-figure sum in cryptocurrency to avoid publication of the stolen sensitive information.
It’s unclear if the victim complied with this extortionate demand.
Secureworks reports that it has investigated several similar incidents involving North Korean IT workers making extortionate demands after “gaining insider access, a tactic not observed in earlier schemes.”
North Korea is targeting companies in North America, Europe, and Australia as part of its ongoing and evolving scam, prompting warnings from the UK government and others.