North Korean IT workers posing as legitimate remote employees have been infiltrating Western companies, stealing proprietary source code, and demanding ransom payments in exchange for not releasing it.
This emerging threat, flagged by the Federal Bureau of Investigation (FBI), underscores the evolving tactics of North Korea’s cyber operations aimed at generating revenue for the regime while evading international sanctions.
North Korean IT workers, often referred to as “IT warriors,” use fraudulent identities to secure remote jobs in software development and IT roles.
They exploit weaknesses in hiring processes, using stolen identities, AI-enhanced résumés and credentials, and sophisticated social engineering to pass screening.
Stealing Source Code For Extortion
Once employed, these operatives gain access to proprietary systems and exfiltrate sensitive data, including source code repositories hosted on platforms like GitHub.
The stolen data is then weaponized in extortion schemes. In many cases, these operatives demand cryptocurrency payments in exchange for not leaking the stolen source code or other intellectual property.
This new wave of attacks combines elements of ransomware with insider threats. Rather than encrypting files and charging for the decryption keys, as conventional ransomware does, the operatives simply copy source code they already have legitimate access to, in the clear, and threaten to release it.
This tactic provides leverage for extortion without requiring malware deployment. The FBI has noted that these IT workers often copy entire code repositories to personal cloud accounts or external devices, putting companies at significant risk.
“After being discovered on company networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the companies meet ransom demands,” said the FBI.
“North Korean IT workers have copied company code repositories, such as GitHub, to their own user profiles and personal cloud accounts.”
Furthermore, North Korean IT personnel may harvest company credentials and session cookies so that they can keep working from devices the organization does not own or manage, and then use that foothold to look for further ways to compromise the network.
The financial implications are severe. Over the past six years, North Korea’s IT fraud schemes have reportedly generated at least $88 million in revenue through salaries and extortion payments.
Moreover, the theft of source code poses a strategic threat. Proprietary software represents years of investment and innovation; its theft can enable counterfeit products, give adversaries a head start in finding exploitable vulnerabilities, and erode competitive advantage.
Organizations are advised to monitor for several red flags associated with these schemes:
- Unusual Network Activity: Multiple logins from different IP addresses within short timeframes or unauthorized access to private code repositories.
- Suspicious Hiring Patterns: Applicants using identical resumes or contact details across multiple job applications.
- Behavioral Anomalies: Employees who reroute company-issued equipment to a different address or who avoid video calls during onboarding.
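The first red flag above, logins from several IP addresses in a short window and clones of private repositories by accounts that are not entitled to them, is straightforward to check in a log pipeline. The script below is an added example written for this article, not code from the FBI or any vendor; the event format, the 30-minute window, the three-IP threshold, and the account and repository names are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example (not real logs).
# Format: "<UTC timestamp> <user> <event> <source IP> <target>"
SAMPLE_EVENTS = """\
2025-01-23T09:00:12Z jdoe login 203.0.113.10 vpn
2025-01-23T09:07:40Z jdoe login 198.51.100.7 vpn
2025-01-23T09:15:03Z jdoe login 192.0.2.55 vpn
2025-01-23T09:20:00Z jdoe git_clone 192.0.2.55 acme/billing-core
2025-01-23T09:30:00Z asmith login 203.0.113.20 vpn
2025-01-23T11:30:00Z asmith login 203.0.113.20 vpn
2025-01-23T12:00:00Z asmith git_clone 203.0.113.20 acme/web-frontend
"""

# Constructed entitlement table: which accounts may clone each private repository.
REPO_ACCESS = {
    "acme/billing-core": {"asmith", "pwilliams"},
    "acme/web-frontend": {"asmith", "jdoe"},
}


def parse_events(text):
    """Parse the whitespace-separated event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip, target = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "ip": ip,
            "target": target,
        })
    return events


def multi_ip_logins(events, window=timedelta(minutes=30), min_ips=3):
    """Flag users who log in from at least `min_ips` distinct source IPs inside any
    sliding interval of length `window`. Returns {user: sorted list of IPs seen}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_user[e["user"]].append(e)

    flagged = {}
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for i, start in enumerate(logins):
            ips = {e["ip"] for e in logins[i:] if e["ts"] - start["ts"] <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged


def unauthorized_clones(events, access):
    """Return (user, repo) pairs for clones of private repos by non-members.
    A repo missing from the entitlement table is treated as having no members."""
    return [
        (e["user"], e["target"])
        for e in events
        if e["event"] == "git_clone" and e["user"] not in access.get(e["target"], set())
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for user, ips in multi_ip_logins(evs).items():
        print(f"[multi-IP] {user}: {', '.join(ips)}")
    for user, repo in unauthorized_clones(evs, REPO_ACCESS):
        print(f"[clone]    {user} cloned {repo} without entitlement")
```

On the constructed data, jdoe trips both checks: three VPN logins from three different networks in fifteen minutes, followed by a clone of a repository jdoe is not entitled to. In practice the login source would be enriched with ASN or geolocation so that a laptop-farm VPN exit and a residential address can be told apart, and the entitlement table would come from the code host's team membership rather than a hand-written dict.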
Recommendations
To counter this threat, the FBI recommends implementing robust security protocols:
- Principle of Least Privilege: Limit access to sensitive systems and disable unnecessary administrative accounts.
- Enhanced Hiring Practices: Conduct thorough identity verification during interviews and onboarding. Use video interviews to confirm applicants’ identities.
- Data Loss Prevention (DLP) Tools: Employ advanced DLP solutions capable of identifying source code leakage through methods like N-gram-based text categorization.
- Network Monitoring: Regularly audit network logs for signs of unauthorized data exfiltration or unusual remote desktop activity.
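The DLP recommendation mentions N-gram-based text categorization for spotting source code in outbound traffic. The idea is that code and business prose have very different character n-gram distributions (braces, indentation runs, `return`, `==`, `);` versus `the `, ` and `, `ing `), so a small multinomial model over character trigrams can flag a message body that looks like code before it leaves the network. The script below is an added example written for this article, not the FBI's or any DLP product's code; the training samples, outbound messages, and class names are constructed, and a real deployment would train on the organization's own repositories and mail corpus and tune the threshold on held-out data.

```python
import math
from collections import Counter

# Constructed training samples for this example; not taken from any real repository or mailbox.
CODE_SAMPLES = [
    "def charge(card, amount):\n    if amount <= 0:\n        raise ValueError('bad amount')\n"
    "    return gateway.post('/charge', {'card': card, 'amt': amount})\n",
    "for (int i = 0; i < n; i++) {\n    total += prices[i] * qty[i];\n}\nreturn total;\n",
    "SELECT id, email FROM users WHERE created_at > NOW() - INTERVAL '7 days';\n",
    "const resp = await fetch(url, { headers: { Authorization: `Bearer ${key}` } });\n",
]
PROSE_SAMPLES = [
    "Please find attached the updated project timeline for next quarter.",
    "Our team will review the vendor contract and respond by Friday afternoon.",
    "The meeting has been moved to the second floor conference room.",
    "Thanks for your help with the onboarding documents last week.",
]

# Constructed outbound message bodies to scan.
OUTBOUND_MESSAGES = [
    "Hi, attaching the vendor contract for review before Friday's meeting.",
    "def refund(order_id):\n    if not order_id:\n        raise ValueError('missing id')\n"
    "    return gateway.post('/refund', {'id': order_id})\n",
]


def ngrams(text, n=3):
    """Character n-gram counts. Case and whitespace are preserved: both carry signal in code."""
    return Counter(text[i:i + n] for i in range(len(text) - n + 1))


class NgramCategorizer:
    """Two-class multinomial model over character n-grams with add-one smoothing."""

    def __init__(self, code_samples, prose_samples, n=3):
        self.n = n
        self.classes = {
            "code": self._count(code_samples),
            "prose": self._count(prose_samples),
        }
        # Shared vocabulary so unseen grams are smoothed the same way in both classes.
        self.vocab_size = len(set().union(*self.classes.values()))

    def _count(self, samples):
        counts = Counter()
        for s in samples:
            counts.update(ngrams(s, self.n))
        return counts

    def _log_likelihood(self, grams, counts):
        total = sum(counts.values())
        return sum(
            k * math.log((counts[g] + 1) / (total + self.vocab_size))
            for g, k in grams.items()
        )

    def scores(self, text):
        grams = ngrams(text, self.n)
        return {c: self._log_likelihood(grams, counts) for c, counts in self.classes.items()}

    def classify(self, text):
        """Return ("code" | "prose", margin); a positive margin favours code."""
        s = self.scores(text)
        margin = s["code"] - s["prose"]
        return ("code" if margin > 0 else "prose"), margin


def flag_outbound(messages, model, threshold=0.0):
    """DLP-style check: return the message bodies whose code margin exceeds the threshold."""
    return [m for m in messages if model.classify(m)[1] > threshold]


if __name__ == "__main__":
    model = NgramCategorizer(CODE_SAMPLES, PROSE_SAMPLES)
    for body in flag_outbound(OUTBOUND_MESSAGES, model):
        label, margin = model.classify(body)
        print(f"[DLP] looks like {label} (margin {margin:.1f}): {body[:40]!r}")
```

The margin is a log-likelihood ratio, so the threshold can be raised to trade missed leaks for fewer false positives on, say, a support engineer pasting a stack trace. Because the model keys on surface features rather than semantics, it is cheap enough to run on every upload to a personal cloud account or outbound mail body, but it complements repository access controls and egress logging rather than replacing them.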
The threat posed by North Korean IT operatives highlights the need for heightened vigilance in cybersecurity and hiring practices.
As these schemes evolve, businesses must adopt proactive measures to safeguard their intellectual property and mitigate risks associated with insider threats.
The FBI urges organizations that suspect infiltration by North Korean IT workers to report incidents promptly via its Internet Crime Complaint Center (IC3).