
A company's remote-working hire turned out to be in North Korea. He tried to hold it to ransom.

Oct 17, 2024, 19:59 IST
Business Insider
A North Korean IT worker stole sensitive company data and tried to hold it to ransom after being fired. (Photo: Zhanna Danilova/Getty Images)
  • A company accidentally hired a North Korean IT worker for a remote job.
  • He stole data and then tried to hold it to ransom after being fired, according to Secureworks.

A company accidentally hired a North Korean remote IT worker, who later stole sensitive company data and attempted to hold it to ransom after being fired, according to an American cybersecurity company.

The FBI has previously said that there are thousands of North Korean IT workers posing as non-North Koreans to get remote jobs in the US, to funnel money back to the North Korean state.

However, this extortion strategy seems to mark a shift in their tactics.

Secureworks, which shared details of the incident with Business Insider, said its Counter Threat Unit, or CTU, uncovered the activity after the unnamed company, based in either the US, UK, or Australia, received an extortion demand.

According to BBC News, the company hired the technician as a contractor after he had falsified his employment history and personal details.

Early into his four-month employment, he used remote-work tools to infiltrate the company's systems, downloading a large amount of company data, per Secureworks.

Secureworks said the worker was later dismissed for poor performance and that, soon after, the company began receiving emails with attachments containing evidence of stolen data.

It said the company also received an email demanding a six-figure sum in cryptocurrency in exchange for not publishing the information or selling it online.

It is unclear if the ransom was paid. Secureworks said it doesn't comment on individual cases, but added that many companies would be prohibited from paying a ransom due to international sanctions on North Korea.

Secureworks' CTU said fraudulent North Korean IT worker schemes use the salaries they collect to bypass these sanctions and generate revenue for the country.

Last year, FBI leaders warned that the money earned in salaries was being funneled to North Korean weapons programs.

This incident, however, was slightly different, said Rafe Pilling, director of threat intelligence at Secureworks' CTU.

"No longer are they just after a steady paycheck," he told BI in a written statement. "They are looking for higher sums, more quickly, through data theft and extortion, from inside the company defences."

Pilling advised organizations to remain vigilant for individuals trying to gain employment under false pretenses.

He said they should seek to run identity checks and do in-person or video interviews, as well as be wary of suspicious requests, such as attempts to reroute corporate IT equipment sent to the contractor's purported home address.

Last month, Charles Carmakal, chief technology officer of cybersecurity firm Mandiant Consulting, said in a LinkedIn post that North Korean IT workers were increasingly infiltrating the US economy, with dozens of Fortune 100 organizations having been targeted.

Carmakal said that Mandiant investigations had found that North Korea was using a team of US-based facilitators that received company laptops from US employers, and would then often run laptop farms from their homes.

He said these facilitators sometimes deployed Remote Monitoring and Management software on the laptops, allowing North Korean IT workers to connect to the system remotely.

In May, prosecutors accused an Arizona woman of aiding North Koreans to secure US remote-work jobs, which included positions at Fortune 500 companies.

Prosecutors said in an April indictment that the workers used IP addresses to make it appear that they were working from her house and within the US.

A Ukrainian man was also accused of operating "laptop farms" for North Korean workers.

According to Jake Moore, a global cybersecurity advisor for cybersecurity software firm ESET, "Insider threats are still a major concern for businesses but especially for organizations that are targeted with nation-state threats."

He told Business Insider that thorough vetting and background checks are often the "only fallback" to prevent rogue access to sensitive company data. He added that these processes can be time-consuming but ultimately worthwhile.

"Giving away the keys to the castle from within has always been high risk but with prevailing international threats, new measures in improved vetting employees must be taken," he said.
