North Korean information technology (IT) workers working for Western companies under false identities are not only stealing intellectual property, but demanding ransoms to keep it from leaking, marking a new twist in their financially motivated attacks.
“In some cases, fraudulent workers demanded ransom from their former employers after gaining access to insider information, a tactic not seen in previous schemes,” Secureworks Counter Threat Unit (CTU) said in an analysis published this week. “In one case, a contractor stole proprietary data almost immediately after work began in mid-2024.”
The activity, the cybersecurity firm added, bears similarities to a threat group it tracks as Nickel Tapestry, also known as Famous Chollima and UNC5267.
The IT worker fraud scheme, organized to advance North Korea’s strategic and financial interests, refers to an insider threat operation that involves infiltrating companies in the West to generate illegal income for the sanctioned country.
These North Korean workers are usually sent to countries like China and Russia, from where they pose as freelancers looking for potential employment opportunities. Alternatively, they have been found to steal the identities of legal US residents to achieve the same goals.
They are also known to request shipping address changes for company-issued laptops, often redirecting them to operators of so-called laptop farms, who are compensated by foreign intermediaries and are responsible for installing remote desktop software that allows North Korean actors to connect to the machines.
Moreover, multiple contractors may end up being employed by the same company, or, conversely, one person may assume multiple identities.
Secureworks said it has also seen cases of fake contractors requesting permission to use their personal laptops and even causing organizations to cancel a laptop shipment entirely because they changed the shipping address while it was in transit.
“This behavior is consistent with Nickel Tapestry tradecraft, which attempts to avoid corporate laptops, potentially eliminating the need for an in-country intermediary and limiting access to forensic evidence,” it said. “This tactic allows contractors to use their personal laptops to remotely access the organization’s network.”
In a sign that threat actors are evolving and taking their activities to the next level, evidence has emerged that a contractor who was fired by an unnamed company for poor work turned to sending extortion emails including ZIP attachments that contain evidence of data theft.
“This shift significantly changes the risk profile associated with inadvertently hiring North Korean IT workers,” said Rafe Pilling, Director of Threat Intelligence at Secureworks CTU. “They are no longer just after a stable salary; they are looking for higher sums, through data theft and extortion, from within the protection of the company.”
To combat the threat, organizations are urged to be vigilant in the hiring process: conduct thorough background checks, hold face-to-face or video interviews, and monitor for attempts to redirect corporate IT equipment away from a contractor’s declared home address, for salary payments routed to money transfer services, and for access to the corporate network through unauthorized remote access tools.
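Two of the warning signs listed above (a corporate laptop redirected away from the declared home address, particularly while already in transit, and remote access software appearing on a contractor endpoint) lend themselves to a simple automated triage over HR shipping records and endpoint software inventories. The script below is an added illustration and is not code from Secureworks or from the article; the record layout, the contractor names, the addresses, the approved-software list and the remote-access tool watchlist are all constructed assumptions.

```python
"""Flag contractor onboarding anomalies from shipping records and endpoint inventories.

Added example; all data, field names and tool lists are assumptions constructed
for illustration, not values from the article or from Secureworks.
"""
from dataclasses import dataclass, field


@dataclass
class Shipment:
    contractor: str
    declared_home_address: str           # address given during hiring
    ship_to_address: str                 # address the courier finally delivered to
    status: str                          # "pending", "in_transit", "delivered", "cancelled"
    # (status at the time of the change, new destination address)
    address_changes: list = field(default_factory=list)


def normalise(addr: str) -> str:
    """Case- and punctuation-insensitive comparison key for postal addresses."""
    return " ".join(addr.lower().replace(",", " ").split())


def shipment_findings(s: Shipment) -> list:
    """Return human-readable findings for one laptop shipment (empty list if clean)."""
    findings = []
    if normalise(s.ship_to_address) != normalise(s.declared_home_address):
        findings.append("ship-to address differs from declared home address")
    for status_at_change, new_addr in s.address_changes:
        if status_at_change == "in_transit":
            findings.append(f"address changed while in transit, new destination: {new_addr}")
    if s.status == "cancelled" and s.address_changes:
        findings.append("shipment cancelled after an address change")
    return findings


# Assumed allowlist of sanctioned remote access clients (constructed placeholder).
APPROVED_REMOTE_ACCESS = {"corp-vpn-client"}
# Assumed watchlist of common commercial remote desktop products (not from the article).
REMOTE_ACCESS_SIGNATURES = ("anydesk", "teamviewer", "rustdesk", "chrome remote desktop", "splashtop")


def unapproved_remote_tools(installed: list) -> list:
    """Return installed package names that look like remote access tools and are not approved."""
    hits = []
    for name in installed:
        key = name.lower()
        if key in APPROVED_REMOTE_ACCESS:
            continue
        if any(sig in key for sig in REMOTE_ACCESS_SIGNATURES):
            hits.append(name)
    return hits


def triage(shipments: list, inventories: dict) -> dict:
    """Map contractor -> list of findings; contractors with nothing to report are omitted."""
    report = {}
    for s in shipments:
        for finding in shipment_findings(s):
            report.setdefault(s.contractor, []).append(finding)
    for contractor, installed in inventories.items():
        tools = unapproved_remote_tools(installed)
        if tools:
            report.setdefault(contractor, []).append(
                "unapproved remote access software: " + ", ".join(tools))
    return report


# Constructed sample data: contractor-a is clean, contractor-b shows both warning signs.
SAMPLE_SHIPMENTS = [
    Shipment("contractor-a", "12 Elm St, Springfield", "12 Elm St, Springfield", "delivered"),
    Shipment("contractor-b", "40 Oak Ave, Dayton", "Unit 7, 900 Warehouse Rd, Reno", "delivered",
             address_changes=[("in_transit", "Unit 7, 900 Warehouse Rd, Reno")]),
]
SAMPLE_INVENTORY = {
    "contractor-a": ["Corp-VPN-Client", "Visual Studio Code"],
    "contractor-b": ["AnyDesk 8.0", "Slack"],
}

if __name__ == "__main__":
    for contractor, findings in triage(SAMPLE_SHIPMENTS, SAMPLE_INVENTORY).items():
        print(contractor)
        for f in findings:
            print("  -", f)
```

The address comparison is deliberately loose (case and comma differences are ignored) so that a reformatted address does not raise a false positive, while any substantive change of destination still does; in practice the inventory input would come from the endpoint management or EDR platform rather than a hand-built list.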
“This escalation and the behavior listed in the FBI alert demonstrate the sophisticated nature of these schemes,” Secureworks CTU said, pointing to the employees’ suspicious financial behavior and their attempts to avoid turning on video during calls.
“The emergence of ransom demands marks a notable departure from previous Nickel Tapestry schemes. However, the activity observed prior to the extortion is consistent with previous schemes involving North Korean workers.”