North Korean IT Workers in Western Firms Now Demanding Ransom for Stolen Data

The recent analysis by Secureworks highlights a concerning escalation in the tactics employed by North Korean IT workers who infiltrate Western companies under false identities. Traditionally known for stealing intellectual property, these fraudulent workers have begun demanding ransom payments in exchange for not leaking the stolen data. This tactic marks a significant evolution in their financially motivated operations. In mid-2024, one such contractor was reported to have exfiltrated proprietary data shortly after being hired, showing the immediate risk these actors pose to organizations. The activity is attributed to a threat group tracked as Nickel Tapestry, also known by the aliases Famous Chollima and UNC5267.

The fraudulent IT worker scheme orchestrated by North Korean actors is a sophisticated insider threat operation designed to advance the nation’s financial and strategic goals, especially as the country faces international sanctions. North Korean IT workers, often stationed in countries like China and Russia, pose as freelancers to infiltrate Western companies. In some cases, they even steal the identities of legitimate U.S.-based individuals to achieve their objectives. The Secureworks analysis highlights the need for stringent monitoring of remote workers, tighter control over hardware shipments, and more rigorous identity verification processes to mitigate the risks associated with this evolving threat.

TECHNICAL DETAILS

1.    CWE-284: Improper Access Control

  • Description: Improper enforcement of access controls allows users to access resources they should not be able to.
  • Relevance: The use of unauthorized remote access tools (e.g., TeamViewer, AnyDesk) to access company networks is a form of improper access control.

2.    CWE-522: Insufficiently Protected Credentials

  • Description: Credentials are stored or transmitted in a way that allows unauthorized actors to steal or misuse them.
  • Relevance: These North Korean workers could steal or reuse compromised credentials to access corporate systems, enabling data theft and extortion.

3.    CWE-610: Externally Controlled Reference to a Resource in Another Sphere

  • Description: Allowing an external entity to control or redirect access to system resources.
  • Relevance: The rerouting of company-issued laptops to “laptop farms” where unauthorized software is installed fits this weakness, as the attackers exploit control over a resource (the laptop) intended for legitimate use.

4.    CWE-611: Improper Restriction of XML External Entity (XXE) Reference

  • Description: Allowing external XML entities to be used in a way that exposes sensitive data or internal resources.
  • Relevance: While not specific to XML, the exfiltration of data using insecure or unmonitored channels is conceptually similar, where improper data handling leads to information leakage.

VULNERABILITY TYPE

1.    Insider Threat Vulnerabilities

  • Description: Organizations may have insufficient controls or monitoring to detect malicious behavior from insiders, including contractors or employees. The lack of robust vetting processes can lead to hiring individuals with ulterior motives.
  • Examples:
    • Inadequate background checks during the hiring process.
    • Lack of ongoing monitoring of employee behavior after hiring.

2.    Identity Management Vulnerabilities

  • Description: Weaknesses in identity and access management (IAM) systems can lead to unauthorized access to sensitive information and systems.
  • Examples:
    • Poorly implemented identity verification processes that allow fraudulent identities to bypass security.
    • Inability to track and manage contractor access effectively, leading to lingering access even after contracts are terminated.

3.    Remote Access Vulnerabilities

  • Description: Excessive or poorly configured remote access capabilities can expose organizations to significant risks, especially when used by unauthorized personnel.
  • Examples:
    • Use of unsecured or non-corporate devices for remote access.
    • Unrestricted access through remote desktop protocols (RDP) or other remote access tools without proper security measures.

4.    Supply Chain Vulnerabilities

  • Description: Organizations that rely on third-party suppliers for IT equipment and services can be vulnerable to supply chain attacks, where malicious actors compromise hardware or software before it reaches the organization.
  • Examples:
    • Rerouting corporate-issued laptops to unknown intermediaries for installation of malware.
    • Use of third-party contractors with inadequate security practices leading to compromised devices.

5.    Network Security Vulnerabilities

  • Description: Weak network security protocols can allow unauthorized access to sensitive systems and data. This includes vulnerabilities in firewalls, intrusion detection systems, and data loss prevention mechanisms.
  • Examples:
    • Poorly configured firewalls that do not adequately restrict outbound traffic or monitor unusual patterns.
    • Lack of segmentation in network architecture that allows lateral movement within the network.

Affected Products

1. Cloud-Based Services

Examples: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP)

Risk: Contractors may gain unauthorized access to cloud resources, manipulate or exfiltrate data stored in cloud environments, or compromise access keys to services. The use of remote access tools can allow lateral movement within these environments.

2. Remote Access Tools

Examples: TeamViewer, AnyDesk, LogMeIn, Remote Desktop Protocol (RDP)

Risk: Unauthorized or improperly monitored use of these tools can allow fraudulent workers to access corporate systems remotely, bypassing traditional security measures.

3. Collaboration and Communication Platforms

Examples: Slack, Microsoft Teams, Zoom, Google Meet

Risk: The ability to interact with legitimate employees and systems through these platforms creates opportunities for the malicious contractors to gather sensitive information or attempt social engineering attacks. Avoiding video on platforms like Zoom and Teams is a red flag.

4. Identity and Access Management (IAM) Products

Examples: Okta, Duo, Microsoft Active Directory, Ping Identity

Risk: If contractors manage to bypass identity checks or escalate privileges, IAM systems could be compromised, allowing broader access to corporate data and systems.

5. Endpoint Protection Products

Examples: McAfee Endpoint Security, Microsoft Defender, Symantec Endpoint Protection

Risk: Personal laptops used by contractors may not have the required endpoint security, making them vulnerable to exploitation. Additionally, bypassing corporate devices with endpoint protection installed reduces visibility into potential threats.

IMPACT

1.    Financial Loss

Impact: Beyond ransom payments, financial fraud may occur when workers manipulate payroll or finance systems, reroute payments, or steal company funds. They could also redirect payments to foreign accounts or money transfer services like Western Union, avoiding traditional banking channels.

2.    Legal and Regulatory Consequences

Impact: If sensitive data (especially personally identifiable information (PII) or financial data) is leaked, organizations may face regulatory scrutiny and penalties under data protection laws such as GDPR (General Data Protection Regulation) or CCPA (California Consumer Privacy Act).

3.    Reputation Damage

Impact: News of a data breach, extortion attempt, or insider threat operation involving foreign adversaries can severely damage a company’s reputation. Clients and partners may lose trust in the organization’s ability to safeguard sensitive information.

4.    Increased Cybersecurity Risks

Impact: If unauthorized software or malware is installed on corporate systems through rerouted laptops or personal devices, it can open new attack vectors, creating opportunities for larger-scale cyberattacks, including ransomware or advanced persistent threats (APTs).

5.    Supply Chain Risk

Impact: North Korean contractors may attempt to inject malicious code into the software supply chain, compromising software development tools, build environments, and continuous integration/continuous deployment (CI/CD) pipelines.

IOCs (Indicators of Compromise)

1.      VPN and Proxy Usage

  • Indicators:
    • Consistent use of VPN services or anonymization tools like Tor to mask the geographic location of the contractor.
    • VPN connections established from IP addresses or regions that are inconsistent with the contractor’s claimed location.
    • Use of IP addresses linked to suspicious or known malicious activities.
  • Relevance: Contractors often use VPNs or proxies to hide their true locations, making it harder to identify that they are operating from countries like China or Russia.

2.       Avoidance of Video or In-Person Verification

  • Indicators:
    • Contractors who consistently avoid participating in video calls or in-person verification, citing technical issues or other excuses.
    • Hiring process anomalies where identity verification (such as passports or IDs) is delayed or omitted altogether.
    • Contractors repeatedly claiming that their video equipment is faulty or unavailable during critical meetings.
  • Relevance: Avoiding video verification is a known tactic used by North Korean IT workers to conceal their true identity.

3.       Use of Unauthorized Software or Tools

  • Indicators:
    • Detection of unauthorized or unusual software installed on corporate devices or servers, particularly remote desktop software, file transfer applications, or malware that allows data exfiltration.
    • Attempts to disable or bypass endpoint protection or monitoring software on corporate devices.
    • Upload of malicious files to shared drives or the introduction of malware into development environments.
  • Relevance: Fraudulent contractors may install unauthorized tools to maintain persistent access or exfiltrate sensitive data.

4.       Network Traffic Anomalies

  • Indicators:
    • Unusually large volumes of outbound network traffic from contractor devices, especially when sending data to external servers.
    • Network connections to IP addresses associated with known malicious actors or located in regions commonly linked to North Korean activity.
    • Unexplained spikes in data exfiltration or uploads to external cloud storage services.
  • Relevance: Data exfiltration by North Korean contractors is often preceded by anomalous network activity as they transfer stolen data to external servers.

5.       Suspicious Identity Documentation

  • Indicators:
    • Inconsistent or poorly forged identity documents during the hiring process, such as fake or stolen identities being used.
    • Identity information that does not match common background check services or displays unusual discrepancies.
    • Stolen identities of legitimate U.S. residents or individuals whose data may have been compromised elsewhere.
  • Relevance: North Korean IT workers commonly use stolen or falsified identities to secure employment and access corporate networks.
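As an added worked example (not code from the Secureworks report), the script below applies the VPN/location, unauthorized-tool and outbound-volume indicators above to a few constructed log lines; the log format, the unapproved-tool list and the 5 GB/day threshold are all assumptions.

```python
import re

# Constructed sample log lines (not from the Secureworks report). Fields are
# key=value pairs; "claimed" is the contractor's stated country from HR records.
SAMPLE_LOGS = """\
2024-07-01 auth user=ctr-jsmith claimed=US geo=US vpn=no
2024-07-03 auth user=ctr-akim claimed=US geo=CN vpn=yes
2024-07-03 auth user=ctr-akim claimed=US geo=RU vpn=yes
2024-07-03 proc user=ctr-akim exe=anydesk.exe
2024-07-03 proc user=ctr-jsmith exe=code.exe
2024-07-03 net user=ctr-akim out_bytes=8500000000
2024-07-03 net user=ctr-jsmith out_bytes=120000000
"""

# Assumed policy values: tools not approved on corporate devices, and a
# per-day outbound volume above which a single contractor account is flagged.
UNAPPROVED_REMOTE_TOOLS = {"teamviewer.exe", "anydesk.exe", "logmein.exe"}
OUTBOUND_BYTES_THRESHOLD = 5 * 10**9

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return (date, kind, fields) for one 'DATE KIND k=v ...' log line."""
    date, kind, rest = line.split(" ", 2)
    return date, kind, dict(KV.findall(rest))

def find_indicators(log_text):
    """Map each user to the IOC categories from the advisory that their events match."""
    findings = {}
    def flag(user, reason):
        findings.setdefault(user, set()).add(reason)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, kind, f = parse_line(line)
        user = f["user"]
        if kind == "auth":
            # IOC 1: VPN/proxy use, or GeoIP country that contradicts the claimed location
            if f.get("vpn") == "yes":
                flag(user, "vpn-or-proxy")
            if f.get("geo") != f.get("claimed"):
                flag(user, "location-mismatch")
        elif kind == "proc" and f.get("exe", "").lower() in UNAPPROVED_REMOTE_TOOLS:
            # IOC 3: unauthorized remote access software on a corporate device
            flag(user, "unauthorized-remote-tool")
        elif kind == "net" and int(f.get("out_bytes", 0)) > OUTBOUND_BYTES_THRESHOLD:
            # IOC 4: unusually large outbound volume suggesting exfiltration
            flag(user, "outbound-volume")
    # Sorted lists make the result deterministic and easy to compare or alert on
    return {u: sorted(r) for u, r in findings.items()}

if __name__ == "__main__":
    for user, reasons in find_indicators(SAMPLE_LOGS).items():
        print(user, reasons)
```

In practice the GeoIP, VPN and process fields would come from the identity provider, EDR and proxy logs rather than one flat file, but the correlation per user is the same.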

RECOMMENDATIONS

1.    Regular Monitoring and Auditing

  • Action: Implement continuous monitoring of user activity, access logs, and network traffic to detect any suspicious behavior or anomalies.
  • Benefit: Facilitates the early detection of insider threats and unauthorized access attempts, allowing for quick response.

2.    Robust Identity and Access Management (IAM)

  • Action: Utilize IAM solutions to enforce strong authentication methods, such as multi-factor authentication (MFA), for all users accessing corporate resources.
  • Benefit: Strengthens security by ensuring that only authorized users can access sensitive systems, reducing the risk of compromised accounts.

3.    Vulnerability Assessments and Penetration Testing

  • Action: Conduct regular vulnerability assessments and penetration tests to identify weaknesses in security protocols, systems, and configurations.
  • Benefit: Helps uncover potential vulnerabilities that could be exploited by insiders or external actors, enabling timely remediation.

4.    Incident Response Planning

  • Action: Develop and regularly update an incident response plan that outlines procedures for responding to data breaches, insider threats, and extortion attempts.
  • Benefit: Ensures that the organization is prepared to respond quickly and effectively to minimize damage and recover from incidents.

5.    Employee Training and Awareness

  • Action: Provide ongoing security awareness training to employees about recognizing social engineering tactics, phishing attempts, and insider threat indicators.
  • Benefit: Increases overall security posture by empowering employees to identify and report suspicious behavior.