Full Report
A new FBI advisory warned that North Korean IT worker schemes have escalated their activities in recent months to include data extortion
Analysis Summary
# Threat Actor: North Korean IT Worker Schemes (State-Sponsored Revenue Generation)
## Attribution & Identity
**Attribution:** Democratic People's Republic of Korea (DPRK) / North Korea.
**Aliases/Associations:** Referenced generally as North Korean IT workers participating in state-sponsored schemes. These schemes often involve using stolen or forged identities (including US-based ones) to secure remote employment.
## Activity Summary
The core activity involves securing remote employment in US, European, and East Asian organizations to generate revenue for the DPRK government. Recent escalation focuses on using this employment access to conduct data extortion. Workers exfiltrate proprietary code, data, and credentials from their employers, holding the data hostage for ransom. If ransoms are refused, the data has been publicly released. Specific recent incidents involve KnowBe4 being duped into hiring a fake worker, and Secureworks observing contractors exfiltrating data immediately post-hiring for ransom. The FBI estimates that from April 2018 through August 2024, operatives obtained work from at least 64 US companies.
## Tactics, Techniques & Procedures
- **Identity Fraud/Forgery:** Using stolen and forged identity documents (including valid US-based identities) to secure legitimate freelance contracts and circumvent sanctions.
- **Remote Work Exploitation:** Leveraging the shift to remote work to obfuscate identity and gain employment access.
- **Credential Harvesting:** Attempting to harvest sensitive company credentials and session cookies.
- **Data Exfiltration & Extortion:** Copying sensitive data, including company code repositories (e.g., GitHub), to personal cloud accounts or the worker's own profiles.
- **Insider Threat Activity:** Using privileged access obtained through employment to facilitate malicious intrusions and theft.
- **Persistence:** Maintaining employment access to conduct long-term data gathering.
- **Identity Obfuscation:** May utilize AI and deepfake tools during the hiring process.
## Targeting
**Sectors:** Not explicitly limited; given the number of placed workers, targets span US organizations across many sectors. The industries affected by IT worker schemes more generally are technology and related fields that rely on remote contracting.
**Geography:** Primary targets are organizations based in the US, Europe, and East Asia.
**Victims:** At least 64 US companies targeted between 2018 and 2024. KnowBe4 was specifically mentioned as a victim entity that hired a fake IT worker.
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly named; the TTPs imply data scraping and exfiltration capabilities that stem from the workers' insider access rather than from dedicated malware.
- **Infrastructure:**
  - Laundering payments via Chinese bank accounts.
  - Reusing phone numbers and email addresses across multiple fraudulent resumes.
  - Leveraging cloud accounts (e.g., GitHub) for data staging/exfiltration.
  - Communication accounts associated with fake identities.
## Implications
This activity poses a significant **supply chain risk** by embedding operatives directly into target organizations under the guise of legitimate contractors. The primary strategic implication is the state-sponsored generation of hard currency for the DPRK through cyber extortion and data theft, bypassing typical sanctions. The evolution toward organized data extortion increases financial damages and intellectual property loss for victims.
## Mitigations
- **Enhanced Identity Verification:** Implement rigorous identity-verification processes during interviewing, onboarding, and throughout the tenure of any remote worker.
- **AI/Deepfake Awareness:** Educate hiring staff on recognizing potential deepfake or AI-generated identities.
- **Resume & Contact Cross-Checking:** Cross-check HR systems for identical resume content or shared contact information among different applicants.
- **Onboarding Monitoring:** Scrutinize changes in address or payment platforms during the onboarding process.
- **In-Person Processing:** Complete as much of the hiring and onboarding process in person where feasible.
- **Data Monitoring:** Employ extensive data monitoring practices focused on privileged users, specifically watching for unusual network traffic, log anomalies, and browser session activity indicative of data exfiltration.
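The "Resume & Contact Cross-Checking" mitigation above targets the reuse of phone numbers and email addresses across fraudulent resumes noted under Infrastructure. The following added example (not from the advisory or any vendor) shows the core of such a check: it normalizes contact fields so that formatting tricks (case changes, `+tag` sub-addressing, varied phone punctuation) still collide, then reports every value shared by two or more applicants. The applicant records are constructed sample data, and the assumption that a bare 10-digit phone number is North American is a stated default.

```python
import re
from collections import defaultdict

# Constructed sample applicant records (hypothetical; overlap is deliberate).
APPLICANTS = [
    {"id": "A-100", "name": "Jane Doe",   "email": "jane.doe@example.com",     "phone": "+1 (555) 010-2233"},
    {"id": "A-101", "name": "John Smith", "email": "Jane.Doe+dev@example.com", "phone": "555-010-2233"},
    {"id": "A-102", "name": "Ann Lee",    "email": "ann.lee@example.org",      "phone": "+1 555 010 9999"},
    {"id": "A-103", "name": "Bob Ray",    "email": "bob.ray@example.net",      "phone": "(555) 010-9999"},
    {"id": "A-104", "name": "Chris Fox",  "email": "chris@example.io",         "phone": "+44 20 7946 0000"},
]


def normalize_email(email):
    """Lower-case the address and drop '+tag' sub-addressing so one mailbox
    reused under several aliases maps to a single key."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def normalize_phone(phone, default_cc="1"):
    """Keep digits only; a bare 10-digit number is assumed to be North American
    (assumption) and gets the default country code prepended."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 10:
        digits = default_cc + digits
    return digits


def find_shared_contacts(applicants):
    """Return {(field, normalized_value): [applicant ids]} for every email or
    phone value that appears on two or more distinct applicant records."""
    index = defaultdict(list)
    for a in applicants:
        index[("email", normalize_email(a["email"]))].append(a["id"])
        index[("phone", normalize_phone(a["phone"]))].append(a["id"])
    return {key: ids for key, ids in index.items() if len(ids) > 1}


if __name__ == "__main__":
    for (field, value), ids in find_shared_contacts(APPLICANTS).items():
        print(f"{field} {value} shared by {', '.join(ids)}")
```

A real deployment would run this over the HR/ATS export on a schedule and route hits to the hiring team for manual identity re-verification rather than auto-rejecting, since legitimate shared contacts (a recruiter's number, a household) also occur.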