news-21102024-225936

A major security breach occurred when a US company unknowingly hired a North Korean IT worker who, after being fired, stole sensitive data and demanded a ransom. The FBI has warned that thousands of North Korean hackers disguise themselves as legitimate remote workers in the US to siphon money back to their government.

While previous incidents involved data theft and espionage, this extortion attempt suggests a new, more brazen tactic. Secureworks’ Counter Threat Unit (CTU) uncovered a North Korean cyberattack targeting an unnamed US, UK, or Australian company. The company was hit with an extortion demand, prompting Secureworks to share details of the incident with Business Insider.

BBC News revealed that the company hired the North Korean technician as a contractor, unaware he had lied about his employment history and personal details. Secureworks reported that the North Korean technician, working remotely, used company tools to infiltrate the network and download a substantial amount of sensitive data during his short tenure.

Secureworks revealed that the North Korean technician was eventually terminated due to poor performance. Shortly afterwards, the company started receiving emails containing stolen data as evidence of the breach. The company was blackmailed with a demand for a six-figure ransom in cryptocurrency to prevent the stolen data from being leaked online or sold on the dark web.

Secureworks stated that, because of international sanctions on North Korea, many companies would be prevented from paying the ransom demanded by the hackers. However, it declined to comment on the specifics of this particular case. The company noted that the salaries earned by North Korean hackers posing as legitimate remote workers are intended to circumvent international sanctions and generate revenue for the North Korean government.

In 2023, FBI officials warned that these funds were being diverted to support the country’s weapons programs. According to Rafe Pilling, director of threat intelligence at Secureworks’ CTU, this incident represented a minor departure from the usual tactics employed by North Korean hackers. He advised companies to exercise caution and be wary of individuals who may be trying to infiltrate their organisations under false pretences.

Secureworks’ CTU recommended that companies implement rigorous identity verification procedures, conduct face-to-face or video interviews, and be vigilant for suspicious requests, such as efforts to redirect corporate IT equipment to a purported home address. In a recent LinkedIn post, Charles Carmakal, chief technology officer of cybersecurity firm Mandiant Consulting, warned that North Korean IT workers were increasingly infiltrating the US economy, with dozens of Fortune 100 companies falling victim to their attacks.

Mandiant investigations, led by Carmakal, revealed that North Korea was employing a team of US-based facilitators to obtain company laptops from US employers and run laptop farms from their homes. He further revealed that the North Korean-backed facilitators would install Remote Monitoring and Management software on the company laptops, allowing North Korean hackers to connect to the systems remotely.
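The warning signs described above (corporate equipment redirected to an address other than the one on file, remote-access software appearing on a company laptop, and several laptops clustered at one home) can be checked mechanically against HR and endpoint-inventory data. The following Python is an added example, not code from Secureworks or Mandiant; the records are constructed and the RMM product watchlist is an assumed placeholder, not a list from the article.

```python
from dataclasses import dataclass, field

# Assumed watchlist of remote-access tools; a real deployment would use its own
# approved/unapproved software catalogue rather than this placeholder set.
RMM_TOOLS = {"anydesk", "teamviewer", "splashtop", "connectwise control", "rustdesk"}

@dataclass
class Asset:
    employee: str
    hr_address: str               # home address recorded by HR at onboarding
    ship_address: str             # where the corporate laptop was actually sent
    software: set = field(default_factory=set)  # endpoint inventory of installed software

def review_assets(assets):
    """Return {employee: [findings]} covering the three patterns the article
    describes: shipping redirect, RMM software, and multiple laptops at one address."""
    findings = {}
    by_address = {}
    for a in assets:
        by_address.setdefault(a.ship_address.strip().lower(), []).append(a.employee)
    for a in assets:
        notes = []
        if a.ship_address.strip().lower() != a.hr_address.strip().lower():
            notes.append("laptop shipped to an address that differs from HR record")
        rmm = sorted(s for s in a.software if s.lower() in RMM_TOOLS)
        if rmm:
            notes.append(f"unmanaged remote-access software present: {', '.join(rmm)}")
        peers = [e for e in by_address[a.ship_address.strip().lower()] if e != a.employee]
        if peers:
            notes.append(f"shares shipping address with: {', '.join(sorted(peers))}")
        if notes:
            findings[a.employee] = notes
    return findings

# Constructed sample records (not data from the incident in the article).
SAMPLE = [
    Asset("alice", "12 Elm St, Denver CO", "12 Elm St, Denver CO", {"Slack", "VS Code"}),
    Asset("bob", "9 Pine Ave, Austin TX", "400 Mesa Rd, Phoenix AZ", {"Slack", "AnyDesk"}),
    Asset("carol", "77 Oak Ln, Boston MA", "400 Mesa Rd, Phoenix AZ", {"Zoom"}),
]

if __name__ == "__main__":
    for emp, notes in review_assets(SAMPLE).items():
        print(emp, "->", "; ".join(notes))
```

Each finding on its own is only a lead for HR and IT to verify with the employee; the combination of a redirect plus a shared address plus RMM software is what matches the laptop-farm pattern the article describes.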

In May, 49-year-old Arizona woman Christina Marie Chapman was arrested for allegedly helping North Koreans secure remote US jobs in Fortune 500 companies and launder the earnings back to their government. She faces nine charges, including conspiracy to defraud the United States. Moore emphasised that rigorous vetting and background checks are often the only way to prevent unauthorised access to sensitive company data. While these processes can be time-consuming, they are important.