Shocking Case of North Korean Infiltrators: From Employees to Criminal Hackers!
A company unknowingly hired an employee for a remote position, only to later find itself the victim of a meticulously planned cyberattack by North Korean criminals. According to a report from a cybersecurity firm, the incident shows how North Korean hackers infiltrate Western companies by using fake identities to get hired.
The hacker involved provided fabricated personal information and work experience details, successfully securing a job at a company operating in the UK, USA, and Australia. To maintain anonymity for the sake of the report, the individual's identity remains undisclosed. After being hired this summer, the hacker received the tools necessary for remote work. The report states that the infiltrator quietly downloaded a large amount of sensitive data using the company's credentials. In just four months, he stole crucial information without the company's knowledge, all while continuing to receive a salary for his "work."
To evade international sanctions, the hackers moved the funds they earned through a complex money laundering network to North Korea. When the company finally decided to fire him because of poor performance evaluations, the hacker responded by sending a ransom email. He threatened that if he was not paid in cryptocurrency for the stolen data, he would cause losses to the company. It is currently unclear whether the company has given in to these demands.
This case has drawn serious concern from the business community, with experts warning that North Korea's cyber activities are on the rise. Businesses must take robust security measures to protect themselves from such threats. Additionally, employees working remotely should always exercise caution when providing confidential and identifying information to the company.
Researchers from the Counter Threat Unit () have observed patterns and evolution in the schemes orchestrated by operatives linked to the North Korean government. In these schemes, North Korean nationals use stolen or falsified identities to secure employment in Western companies under false pretenses. Such activities have been documented in the United States, the United Kingdom, and Australia. Incident response personnel have identified technical and behavioral characteristics associated with these schemes through multiple investigations.
In certain cases, fraudulent workers, after gaining internal access, demand ransom payments from their former employers, a tactic not previously seen in earlier schemes. In one instance, a contractor almost immediately leaked proprietary data after starting work in mid-year. Multiple observed characteristics align with fraud schemes previously executed by a threat organization, which has historically relied on fraudulent workers to generate revenue for the North Korean regime. These funds are reportedly used for weapons programs.
A strategy observed by the FBI and documented by involves fraudulent contractors requesting changes to the delivery addresses of company laptops, typically rerouting them to operators of laptop farms. In some cases, contractors request permission to use personal laptops instead of company-issued devices and show a strong preference for Virtual Desktop Infrastructure (VDI) setups.
At least one instance involved a company laptop that had already been shipped, but the contractor requested a change of delivery address during transit, leading to the company canceling the shipment. This behavior aligns with tactics to avoid using company laptops, potentially eliminating the need for domestic service providers and limiting access to forensic evidence.
This strategy allows contractors to remotely access the organization's network using personal laptops. In one case, a contractor leaked proprietary data to a personal location through enterprise solutions. By using addresses within the address space and residential proxy addresses to access company data, the actor concealed the actual source address used for the malicious activity.
Shortly after the organization terminated the contractor's employment for poor performance, the company received a series of emails from external email addresses. One email contained an archive attachment with evidence of the stolen data, and another demanded a six-figure ransom in cryptocurrency to avoid the release of the stolen files. Later that day, an email from an address shared a folder containing more evidence of the stolen data.
Incident response personnel also observed the threat actors using remote desktop and remote management software to access company systems, remote access that was not in line with their job responsibilities. During one incident, analysis of logs revealed connections to an IP address, indicating that the application was part of a toolkit.
Historically, North Korean operatives have made every effort to avoid enabling video during calls, even claiming network camera issues on company-issued laptops. Forensic evidence indicates that they utilized free software advertised as virtual video cloning. They likely employed this to facilitate company video calls while attempting to conceal the identities and locations of fraudulent employees.
The threat actors also frequently exhibit suspicious financial behavior. During their employment, they update their bank accounts multiple times in a short period to receive their salaries. Researchers observed the usage of bank accounts operated by digital payment services. Fraudulent North Korean workers typically use such payment services to bypass traditional banking systems.
Many of these schemes involve connections among multiple fraudulent contractors employed by the same company. Investigations reveal links among the contractors, who provide each other with references, hold similar job roles, and use similar resumes and email formats. These individuals often exhibit similar behaviors in their roles, including rescheduled deliveries and payroll changes.
The emergence of ransom demands marks a significant departure from previous schemes. However, the activities observed prior to the ransom are consistent with previous plans involving North Korean workers. In addition to common features such as resume styles, address and payment changes, and differences in work history, researchers also observed that the residential proxy network infrastructure originated from specific subnets used in both the ransom event and previous fraudulent worker incidents.
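Two of the signals above lend themselves to automated checks: remote-management software making connections that do not match a role (the log analysis described earlier), and session source addresses that fall in residential-proxy ranges shared across incidents. The following is an added example, not code from the report or the firm that produced it. It parses a constructed, whitespace-separated connection log (the log format, the process names, the allow-list and the proxy ranges are all assumptions; the IP addresses are documentation ranges), flags processes outside an allow-list, flags sessions sourced from known proxy subnets, and computes which /24 subnets two incidents' source addresses have in common.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample log, not taken from the report. One outbound connection
# per line: timestamp, user, process, source IP of the session, destination.
SAMPLE_LOG = """\
2024-07-02T09:14:03Z dev07 code-editor 10.20.4.17 git.internal.example
2024-07-02T09:31:55Z dev07 rmm-agent 10.20.4.17 203.0.113.45
2024-07-02T11:02:10Z dev07 rmm-agent 10.20.4.17 203.0.113.45
2024-07-03T02:47:21Z dev07 browser 198.51.100.77 files.internal.example
2024-07-03T02:49:08Z dev07 browser 198.51.100.80 files.internal.example
2024-07-03T08:05:44Z hr02 browser 10.20.6.9 payroll.internal.example
"""

# Hypothetical allow-list of processes permitted to make outbound connections
# for a developer role; anything else is treated as an unauthorized tool.
APPROVED_PROCESSES = {"code-editor", "browser", "vpn-client"}

# Constructed residential-proxy ranges (documentation address space), standing
# in for the proxy-provider subnet list an organization would maintain itself.
RESIDENTIAL_PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split the whitespace-separated log into dicts, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, proc, src, dst = parts
        entries.append({"ts": ts, "user": user, "process": proc,
                        "src_ip": src, "dst": dst})
    return entries


def unapproved_tool_connections(entries: Iterable[Dict[str, str]],
                                approved: Set[str] = APPROVED_PROCESSES
                                ) -> List[Tuple[str, str, str]]:
    """Distinct (user, process, destination) triples from processes not on the allow-list."""
    seen = set()
    for e in entries:
        if e["process"] not in approved:
            seen.add((e["user"], e["process"], e["dst"]))
    return sorted(seen)


def proxy_sourced_sessions(entries: Iterable[Dict[str, str]],
                           ranges=RESIDENTIAL_PROXY_RANGES
                           ) -> List[Tuple[str, str, str]]:
    """Sessions whose source IP falls inside a known residential-proxy range."""
    hits = []
    for e in entries:
        try:
            ip = ipaddress.ip_address(e["src_ip"])
        except ValueError:  # unparsable address: skip rather than crash
            continue
        for net in ranges:
            if ip in net:
                hits.append((e["user"], e["src_ip"], str(net)))
                break
    return hits


def shared_source_subnets(ips_a: Iterable[str], ips_b: Iterable[str],
                          prefix: int = 24) -> Set[str]:
    """Subnets of the given prefix length present in both incidents' source IPs."""
    def to_nets(ips: Iterable[str]) -> Set[str]:
        out = set()
        for ip in ips:
            try:
                out.add(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)))
            except ValueError:
                continue
        return out
    return to_nets(ips_a) & to_nets(ips_b)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("unapproved tools:", unapproved_tool_connections(entries))
    print("proxy-sourced sessions:", proxy_sourced_sessions(entries))
    # Constructed source IPs from a hypothetical earlier fraudulent-worker case.
    prior_incident = {"198.51.100.12", "203.0.113.9"}
    current = {e["src_ip"] for e in entries}
    print("subnets shared with prior incident:",
          shared_source_subnets(current, prior_incident))
```

The three checks are deliberately kept separate so each can feed its own alert: an unapproved process is a policy violation regardless of source, a proxy-sourced session is a weak signal on its own, and subnet overlap with a prior case is the kind of cross-incident correlation a response team does by hand during an investigation.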
In many fraudulent labor schemes, perpetrators demonstrate economic motives by maintaining employment and receiving salaries. However, extortion incidents indicate that they have expanded their operations to include the theft of intellectual property and may obtain additional financial gains through extortion. This shift significantly alters the risk profile of organizations inadvertently employing North Korean workers.
Organizations should be wary of fully remote job candidates who exhibit most of the following characteristics. While these traits may seem harmless individually, their combination could indicate fraud and warrants additional identity and employment eligibility checks. Warning signs include a candidate for a full-stack developer position who claims to have - years of experience, lists - previous employers, demonstrates junior to intermediate English writing and speaking skills, submits a resume that appears to have been reused by multiple job seekers, communicates at unusual times of day and through various communication methods, makes excuses for not enabling a camera during interviews or refuses to disable virtual backgrounds, and sounds as if speaking from a call center environment.
Researchers suggest that organizations thoroughly verify the identity of candidates by checking the consistency of documents, including name, nationality, contact information, and work history. Conducting face-to-face or video interviews and watching for suspicious behavior (such as long pauses in speech) during video calls can uncover potential fraud. Organizations should be wary of requests from candidates to change addresses during onboarding and to route salaries to remittance services. They should also restrict the use of unauthorized remote access tools and limit access to non-essential systems.