North Korean IT worker cybercrime
A North Korean hacker infiltrated a US company under the guise of a remote worker. After being exposed, they stole sensitive data and demanded a ransom.

A major security breach occurred when a US company unknowingly hired a North Korean IT worker who, after being fired, stole sensitive data and demanded a ransom. The FBI has warned that thousands of North Korean hackers disguise themselves as legitimate remote workers in the US to siphon money back to their government.

While previous incidents involved data theft and espionage, this extortion attempt suggests a new, more brazen tactic.

North Korean Hacker Infiltrates US Company

Secureworks' Counter Threat Unit (CTU) uncovered a North Korean cyberattack targeting an unnamed US, UK, or Australian company. The company was hit with an extortion demand, prompting Secureworks to share details of the incident with Business Insider.

BBC News revealed that the company hired the North Korean technician as a contractor, unaware he had lied about his employment history and personal details.

Secureworks reported that the North Korean technician, working remotely, used company tools to infiltrate the network and download a substantial amount of sensitive data during his short tenure.

Secureworks revealed that the North Korean technician was eventually terminated due to poor performance. Shortly afterwards, the company started receiving emails containing stolen data as evidence of a cyberattack.

The company was blackmailed with a demand for a six-figure ransom in cryptocurrency if it wanted to prevent the stolen data from being leaked online or sold on the dark web. Secureworks stated that, because of international sanctions on North Korea, many companies would be prevented from paying the ransom demanded by the hackers. However, it declined to comment on the specifics of this particular case.

The company revealed that the salaries earned by North Korean hackers posing as legitimate remote workers aim to circumvent international sanctions and generate revenue for the North Korean government.

The Growing Threat Of North Korean Cyberattacks

In 2023, FBI officials warned that these funds were being diverted to support the country's weapons programs. According to Rafe Pilling, director of threat intelligence at Secureworks' CTU, this incident represented a minor departure from the usual tactics employed by North Korean hackers.

"No longer are they just after a steady paycheck," he told BI in a written statement. "They are looking for higher sums, more quickly, through data theft and extortion, from inside the company defences." He advised companies to exercise caution and be wary of individuals who may be trying to infiltrate their organisations under false pretences.

Secureworks' CTU recommended that companies implement rigorous identity verification procedures, conduct face-to-face or video interviews, and be vigilant for suspicious requests, such as efforts to redirect corporate IT equipment to a purported home address.

In a recent LinkedIn post, Charles Carmakal, chief technology officer of cybersecurity firm Mandiant Consulting, warned that North Korean IT workers were increasingly infiltrating the US economy, with dozens of Fortune 100 companies falling victim to their attacks.

Mandiant investigations, led by Carmakal, revealed that North Korea was employing a team of US-based facilitators to obtain company laptops from US employers and run laptop farms from their homes.

He further revealed that the North Korean-backed facilitators would install Remote Monitoring and Management (RMM) software on the company laptops, allowing North Korean hackers to connect to the systems remotely.

The Need For Increased Cybersecurity Measures

In May, 49-year-old Arizona woman Christina Marie Chapman was arrested for allegedly helping North Koreans secure remote US jobs in Fortune 500 companies and launder the earnings back to their government. She faces nine charges, including conspiracy to defraud the United States.

In an April indictment, prosecutors revealed that the North Korean workers used IP addresses to disguise their location and make it seem like they were working from the facilitator's house within the US. A Ukrainian man was also indicted for operating "laptop farms" that were used by North Korean workers.
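A defender-side check for the laptop-farm pattern described above: several employer-issued devices checking in from one residential egress IP, some of them running a remote-access tool IT never approved. This is an added example written for this article, not code from Secureworks, Mandiant or the prosecutors; the record format, the field names and the list of unsanctioned RMM products are assumptions, and the inventory records are constructed.

```python
from collections import defaultdict

# Constructed sample of a device-inventory export (hypothetical field names,
# not the schema of any real EDR/MDM product).
INVENTORY = [
    {"device": "LT-0101", "user": "alice", "public_ip": "198.51.100.7", "software": ["Chrome", "Slack"]},
    {"device": "LT-0102", "user": "bob",   "public_ip": "198.51.100.7", "software": ["Chrome", "AnyDesk"]},
    {"device": "LT-0103", "user": "carol", "public_ip": "198.51.100.7", "software": ["Chrome", "TeamViewer"]},
    {"device": "LT-0104", "user": "dave",  "public_ip": "203.0.113.9",  "software": ["Chrome"]},
]

# Assumed: remote-access/RMM products the (hypothetical) IT department has not approved.
UNSANCTIONED_RMM = {"anydesk", "teamviewer", "rustdesk", "splashtop"}
# Distinct employees sharing one egress IP before we treat it as a possible laptop farm.
FARM_THRESHOLD = 3


def find_shared_egress(records, threshold=FARM_THRESHOLD):
    """Return {ip: sorted users} for egress IPs used by >= threshold distinct employees."""
    users_by_ip = defaultdict(set)
    for r in records:
        users_by_ip[r["public_ip"]].add(r["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= threshold}


def find_unsanctioned_rmm(records, blocklist=UNSANCTIONED_RMM):
    """Return {device: [tools]} for devices with an unapproved remote-access tool installed."""
    hits = {}
    for r in records:
        found = sorted(s for s in r["software"] if s.lower() in blocklist)
        if found:
            hits[r["device"]] = found
    return hits


def triage(records):
    """Devices that both sit on a shared egress IP and run unsanctioned RMM, sorted by name."""
    shared = find_shared_egress(records)
    rmm = find_unsanctioned_rmm(records)
    return sorted(r["device"] for r in records
                  if r["public_ip"] in shared and r["device"] in rmm)


if __name__ == "__main__":
    print("shared egress IPs:", find_shared_egress(INVENTORY))
    print("unsanctioned RMM:", find_unsanctioned_rmm(INVENTORY))
    print("high-priority devices:", triage(INVENTORY))
```

Either signal alone produces false positives (a shared office VPN, a legitimately approved support tool), so the combined triage list is the one worth routing to an analyst first.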

Jake Moore, a global cybersecurity advisor for cybersecurity software firm ESET, states, "Insider threats are still a major concern for businesses but especially for organisations that are targeted with nation-state threats."

Moore emphasised that rigorous vetting and background checks are often the only way to prevent unauthorised access to sensitive company data. While these processes can be time-consuming, they are important.

"Giving away the keys to the castle from within has always been high risk but with prevailing international threats, new measures in improved vetting employees must be taken," he said.