
North Korean Cybercriminal Infiltrates Firm as Remote IT Worker, Launches Ransom Attack

By G. Mudalige, Jadetimes Staff

G. Mudalige is a Jadetimes news reporter covering Technology & Innovation

 
Image Source: KnowBe4

A company has fallen victim to a cyberattack after unknowingly hiring a North Korean cybercriminal posing as a legitimate IT worker. The incident highlights the growing risk of North Korean hackers infiltrating Western firms by securing remote employment through falsified resumes and fake credentials. Once hired, the hacker gained access to sensitive company data, which was later held for ransom.


The unnamed company, based in the UK, US, or Australia, hired the hacker as a remote contractor during the summer. Posing as an experienced IT technician, the North Korean cybercriminal successfully manipulated the hiring process by providing fabricated employment history and personal details. Upon gaining access to the company’s computer network through standard remote working tools, the hacker downloaded sensitive data and demanded a six-figure sum in cryptocurrency in exchange for not releasing or selling the information.

According to cybersecurity firm Secureworks, which was brought in to investigate the breach, the company discovered the hacker's true identity only after terminating his employment due to poor performance. The firm has chosen not to disclose whether the ransom was paid, but the incident has raised concerns about the vulnerabilities companies face when hiring remote workers.


This case is part of a growing trend of North Korean workers infiltrating Western companies to earn income for their regime, which is heavily sanctioned by international authorities. Since 2022, cybersecurity experts and government officials have warned of North Korea tasking thousands of workers with securing high-paying remote jobs in Western companies to funnel money back to the regime. Reports from Secureworks and other cybersecurity firms indicate that many Fortune 100 companies have unknowingly hired North Koreans posing as IT workers, web developers, and other skilled professionals. Cases where these infiltrators turn on their employers with cyberattacks and extortion, as seen in this latest breach, are less common and represent an escalation in tactics.


Rafe Pilling, Director of Threat Intelligence at Secureworks, expressed concern over this new development. "This is a serious escalation of the risk from fraudulent North Korean IT worker schemes," Pilling said. "No longer are they just after a steady paycheck. They are looking for higher sums, more quickly, through data theft and extortion from inside the company defenses."


The North Korean hacker worked for the company for four months, collecting a salary that was likely laundered through a complex process to avoid international sanctions on North Korea. When the company terminated the contract, it was soon met with ransom emails demanding cryptocurrency payments. These emails contained some of the stolen data as evidence of the breach, with a warning that the hacker would publish or sell the information online if the ransom was not paid. The company, although unnamed, decided to make the hack public through Secureworks to raise awareness about the risks of hiring remote workers from unverified backgrounds.


This latest incident involving a North Korean cybercriminal gaining remote employment as an IT worker serves as a cautionary tale for companies worldwide. The use of fake resumes and altered profiles to secure employment has become a favored tactic of North Korean hackers aiming to exploit Western businesses. Companies must implement stronger cybersecurity measures and hiring practices to avoid falling victim to such schemes in the future.
