{"id":921,"date":"2024-11-21T09:01:00","date_gmt":"2024-11-21T09:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=921"},"modified":"2024-11-21T09:01:00","modified_gmt":"2024-11-21T09:01:00","slug":"north-korean-fake-it-workers-up-the-ante-in-targeting-tech-firms","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=921","title":{"rendered":"North Korean fake IT workers up the ante in targeting tech firms"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>North Korean fake IT worker scams are evolving to incorporate theft and extortion as more examples of targeting against technology and other companies emerge.<\/p>\n<p>The deception typically features North Korean operatives posing as legitimate IT professionals in attempts to gain employment at Western firms, almost always for positions that offer remote working options.<\/p>\n<p>Once hired, these \u201cremote workers\u201d exploit their insider access to carry out reconnaissance against a firm\u2019s infrastructure and steal sensitive information while collecting a salary that is funnelled back to the North Korean regime.<\/p>\n<h2 class=\"wp-block-heading\">Faking IT<\/h2>\n<p>In one recent case, a candidate that security firm Exabeam was considering for an open position displayed enough technical knowledge to get past an initial interview with human resources staff. 
Even during this initial interview, recruiters flagged the responses from the candidate as \u201csomewhat scripted.\u201d Soon, during interviews with department heads, the wheels would begin to fall off.<\/p>\n<p>The online interview for the full-time senior governance, risk, and compliance analyst position with Jodi Maas, GRC team lead, and Exabeam CISO Kevin Kirkwood was \u201codd\u201d from the start.<\/p>\n<p>\u201cHer eyes weren\u2019t moving, the lips weren\u2019t in sync, and the voice was mechanical,\u201d Kirkwood told CSO. \u201cIt was like something from a 1970s Japanese Godzilla movie.\u201d<\/p>\n<p>Kirkwood and his colleague quickly concluded that they were interviewing a candidate using deepfake video technology. Delays in replies, and the mechanical nature of responses, suggested that the job candidate was attempting to use voice translation technology in responding to questions.<\/p>\n<p>\u201cThis was easy to detect, but the technology is going to improve and we\u2019re going to get more challenging deepfakes in future,\u201d Kirkwood warned.<\/p>\n<p>Created using deep learning AI, deepfake images, video, and audio are viewed by cybercriminals as a <a href=\"https:\/\/www.csoonline.com\/article\/2140614\/deepfakes-coming-soon-to-a-company-near-you.html\">new, powerful tool<\/a> for use in social engineering and extortion campaigns. 
According to a recent survey from Deloitte, cybercriminals are <a href=\"https:\/\/www.csoonline.com\/article\/3529639\/deepfakes-break-through-as-business-threat.html\">already targeting more than a quarter<\/a> of all companies, with a focus on financial data.<\/p>\n<p>After the interview, Maas and Kirkwood worked with their HR colleagues to revamp Exabeam\u2019s recruitment process to introduce even more stringent safeguards, including an insistence on video interviews for remote job candidates, and additional staff training.<\/p>\n<p>Potential employers are urged to verify candidates\u2019 identities and documentation, and to be wary about suspicious activity during video calls. During the process of onboarding new recruits, companies should be especially wary about the unauthorized use of remote access and VPN tools.<\/p>\n<p>More than 300 businesses are believed to have fallen victim to the fake IT worker scam that is estimated to have generated millions in revenue for the North Korean regime. In August, EDR vendor CrowdStrike released a report on how <a href=\"https:\/\/www.csoonline.com\/article\/3481659\/north-korean-group-infiltrated-100-plus-companies-with-imposter-it-pros.html\">one North Korean group infiltrated over 100 companies<\/a> through impersonation campaigns.<\/p>\n<p>DPRK [North Korean] IT workers can individually earn more than $300,000 a year in some cases, and teams of IT workers can collectively earn more than $3 million annually, the US Department of State, US Treasury, and FBI warned in a <a href=\"https:\/\/ofac.treasury.gov\/media\/923126\/download?inline\">joint advisory<\/a> in May 2022.<\/p>\n<p>Security awareness vendor KnowBe4 inadvertently hired a North Korean IT worker who unsuccessfully attempted to breach its network. 
KnowBe4 went public with its experiences in a <a href=\"https:\/\/blog.knowbe4.com\/how-a-north-korean-fake-it-worker-tried-to-infiltrate-us\">blog post that offers a detailed look at how the scam works in practice<\/a>.<\/p>\n<p>More background on the fake IT worker scam \u2014 alongside tips on its detection \u2014 can be found in CSO\u2019s August 2024 feature \u201c<a href=\"https:\/\/www.csoonline.com\/article\/3497138\/how-not-to-hire-a-north-korean-it-spy.html\">How not to hire a North Korean IT spy<\/a>.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Extortion enters the mix<\/h2>\n<p>In a new twist on the fraudulent North Korean IT worker scam, miscreants have added extortion based on the theft of proprietary data to their playbook.<\/p>\n<p>Cybersecurity incident response firm Secureworks <a href=\"https:\/\/www.secureworks.com\/resources\/rp-state-of-the-threat-2024\">reports<\/a> a case in which a contractor exfiltrated proprietary information from an unnamed company almost immediately after their employment began in mid-2024.<\/p>\n<p>Poor performance meant that the worker was fired after four months, but just days later the company received a series of emails, including zip archive files containing proof of purloined intellectual property, alongside extortionate demands to pay a six-figure sum in cryptocurrency to avoid the publication of the sensitive stolen information.<\/p>\n<p>It\u2019s unclear if the victim complied with this extortionate demand.<\/p>\n<p>Secureworks reports that it has investigated several similar incidents involving North Korean IT workers making extortionate demands after \u201cgaining insider access, a tactic not observed in earlier schemes.\u201d<\/p>\n<p>North Korea is targeting companies in North America, Europe, and Australia as part of its ongoing and evolving scam, prompting <a href=\"https:\/\/assets.publishing.service.gov.uk\/media\/66e2ec410d913026165c3d91\/OFSI_Advisory_on_North_Korean_IT_Workers.pdf\">warnings from the UK 
government<\/a> and others.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>North Korean fake IT worker scams are evolving to incorporate theft and extortion as more examples of targeting against technology and other companies emerge. The deception typically features North Korean operatives posing as legitimate IT professionals in attempts to gain employment at Western firms, almost always for positions that offer remote working options. Once hired, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":922,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-921","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/921"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=921"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/921\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/922"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=921"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}