North Korean Fake IT Workers Extort Employers After Stealing Data



Hundreds of companies in the US, UK, and Australia have fallen victim to North Korean fake IT worker schemes, and some of them received ransom demands after the intruders gained insider access, Secureworks reports.

Using stolen or falsified identities, these individuals apply for jobs at legitimate companies and, if hired, use their access to steal data and gain insight into the organization’s infrastructure.

More than 300 businesses are believed to have fallen victim to the scheme, including cybersecurity firm KnowBe4, and Arizona resident Christina Marie Chapman was indicted in May for her alleged role in assisting North Korean fake IT workers with getting jobs in the US.

According to a recent Mandiant report, the scheme Chapman was part of generated at least $6.8 million in revenue between 2020 and 2023, funds likely meant to fuel North Korea’s nuclear and ballistic missile programs.

The activity, tracked by Mandiant as UNC5267 and by Secureworks as Nickel Tapestry, typically relies on the fraudulent workers' salaries to generate revenue, but Secureworks has observed an evolution in the threat actors' tactics, which now include extortion.

“In some instances, fraudulent workers demanded ransom payments from their former employers after gaining insider access, a tactic not observed in earlier schemes. In one case, a contractor exfiltrated proprietary data almost immediately after starting employment in mid-2024,” Secureworks says.

After terminating a contractor's employment, one organization received a six-figure ransom demand in cryptocurrency to prevent the publication of data that had been stolen from its environment. The perpetrators provided proof of the theft.

The observed tactics, techniques, and procedures (TTPs) in these attacks align with those previously associated with Nickel Tapestry, such as requesting changes to the delivery address for corporate laptops, avoiding video calls, requesting permission to use a personal laptop, showing a preference for a virtual desktop infrastructure (VDI) setup, and frequently updating bank account information within a short timeframe.


The threat actor was also seen accessing corporate data from IP addresses associated with the Astrill VPN service, using Chrome Remote Desktop and AnyDesk for remote access to corporate systems, and using the free SplitCam virtual-camera software to hide the fraudulent worker's identity and location while complying with a company's requirement to enable video on calls.

Secureworks also identified connections between fraudulent contractors employed by the same company, found that in some cases the same individual adopted multiple personas, and that in others multiple individuals corresponded using the same email address.

“In many fraudulent worker schemes, the threat actors demonstrate a financial motivation by maintaining employment and collecting a paycheck. However, the extortion incident reveals that Nickel Tapestry has expanded its operations to include theft of intellectual property with the potential for additional monetary gain through extortion,” Secureworks notes.

Typical North Korean fake IT workers apply for full-stack developer jobs, claim close to 10 years of experience, list at least three previous employers on their resumes, show novice-to-intermediate English skills, submit resumes that appear to be cloned from those of other candidates, are active at times unusual for their claimed location, find excuses not to enable video during calls, and sound as if they are speaking from a call center.

When hiring for fully remote IT positions, organizations should be wary of candidates who exhibit several of these characteristics in combination, who request a change of address during the onboarding process, or who ask for paychecks to be routed to money transfer services.
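Several of the Nickel Tapestry indicators above (logons from VPN-associated IPs, AnyDesk or Chrome Remote Desktop on a corporate host, activity at hours that do not fit the claimed location, laptop address changes during onboarding, repeated bank account changes) can be correlated per account from logs an organization already has. The script below is an added example, not code from Secureworks or from the original article: it scores a handful of constructed logon, process and HR events against those indicators. The VPN ranges are placeholders (a real deployment would use a curated list of Astrill VPN exit IPs, which is not reproduced here), the process names, the HR event format, the claimed UTC offsets and the weights are all assumptions.

```python
"""Toy insider-risk scorer for the fake-IT-worker indicators in the article.

All sample data is constructed. VPN ranges, process names, HR event shape,
claimed time zones and scoring weights are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# ASSUMPTION: placeholder ranges standing in for a curated VPN exit-node list.
VPN_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# ASSUMPTION: process image names for AnyDesk and the Chrome Remote Desktop host.
REMOTE_TOOLS = {"anydesk.exe", "remoting_host.exe"}
# ASSUMPTION: onboarding records give a claimed location as a UTC offset (hours)
# and a start date. contractor42 claims the US East Coast (UTC-4 in June).
CLAIMED_UTC_OFFSET = {"contractor42": -4, "alice": -4}
START_DATE = {"contractor42": "2024-06-03", "alice": "2021-01-11"}
WORK_HOURS = range(7, 21)  # 07:00-20:59 local time is considered plausible

# CONSTRUCTED sample telemetry (UTC timestamps) for two accounts.
SAMPLE_EVENTS = [
    {"ts": "2024-06-04T03:15:00Z", "user": "contractor42", "type": "logon", "src_ip": "203.0.113.7"},
    {"ts": "2024-06-04T04:40:00Z", "user": "contractor42", "type": "process", "image": "AnyDesk.exe"},
    {"ts": "2024-06-05T02:05:00Z", "user": "contractor42", "type": "logon", "src_ip": "203.0.113.9"},
    {"ts": "2024-06-05T15:00:00Z", "user": "contractor42", "type": "hr", "change": "ship_address"},
    {"ts": "2024-06-10T15:00:00Z", "user": "contractor42", "type": "hr", "change": "bank_account"},
    {"ts": "2024-06-12T14:00:00Z", "user": "contractor42", "type": "logon", "src_ip": "192.0.2.10"},
    {"ts": "2024-06-18T15:00:00Z", "user": "contractor42", "type": "hr", "change": "bank_account"},
    {"ts": "2024-06-04T13:30:00Z", "user": "alice", "type": "logon", "src_ip": "192.0.2.44"},
    {"ts": "2024-06-04T13:45:00Z", "user": "alice", "type": "process", "image": "OUTLOOK.EXE"},
    {"ts": "2024-06-05T14:10:00Z", "user": "alice", "type": "logon", "src_ip": "192.0.2.44"},
]


@dataclass
class Finding:
    user: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_vpn_ip(ip: str) -> bool:
    return any(ip_address(ip) in net for net in VPN_RANGES)


def is_off_hours(ts_utc: datetime, offset_hours: int) -> bool:
    """True if the UTC timestamp falls outside WORK_HOURS in the claimed zone."""
    local = ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))
    return local.hour not in WORK_HOURS


def score_user(user: str, events: list) -> Finding:
    f = Finding(user)
    logons = [e for e in events if e["type"] == "logon"]
    off = 0
    for e in logons:
        ts = parse_ts(e["ts"])
        if is_vpn_ip(e["src_ip"]):
            f.add(3, f"logon from VPN-associated IP {e['src_ip']}")
        if is_off_hours(ts, CLAIMED_UTC_OFFSET[user]):
            off += 1
            f.add(1, f"logon at {ts.isoformat()} is off-hours for claimed location")
    if logons and off / len(logons) >= 0.5:
        f.add(3, f"{off}/{len(logons)} logons outside claimed working hours")
    for e in events:
        if e["type"] == "process" and e["image"].lower() in REMOTE_TOOLS:
            f.add(3, f"remote access tool executed: {e['image']}")
    hr = [e for e in events if e["type"] == "hr"]
    start = datetime.strptime(START_DATE[user], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    bank = sorted(parse_ts(e["ts"]) for e in hr if e["change"] == "bank_account")
    if len(bank) >= 2 and bank[-1] - bank[0] <= timedelta(days=30):
        f.add(4, f"{len(bank)} bank account changes within {(bank[-1] - bank[0]).days} days")
    for e in hr:
        if e["change"] == "ship_address" and parse_ts(e["ts"]) - start <= timedelta(days=14):
            f.add(2, "laptop shipping address changed during onboarding")
    return f


def score_events(events: list) -> dict:
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    return {u: score_user(u, evs) for u, evs in by_user.items()}


def flagged(findings: dict, threshold: int = 8) -> list:
    """Accounts whose combined indicator score reaches the review threshold."""
    return sorted(u for u, f in findings.items() if f.score >= threshold)


if __name__ == "__main__":
    results = score_events(SAMPLE_EVENTS)
    for user in flagged(results):
        print(user, results[user].score, *results[user].reasons, sep="\n  ")
```

No single indicator is conclusive (legitimate staff travel and use VPNs), which is why the scorer only flags an account when several of them stack up; the weights are deliberately simple and should be tuned against an organization's own baseline before anyone acts on the output.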

Organizations should “thoroughly verify candidates’ identities by checking documentation for consistency, including their name, nationality, contact details, and work history. Conducting in-person or video interviews and monitoring for suspicious activity (e.g., long speaking breaks) during video calls can reveal potential fraud,” Secureworks notes.

Related: Mandiant Offers Clues to Spotting and Stopping North Korean Fake IT Workers

Related: North Korea Hackers Linked to Breach of German Missile Manufacturer

Related: US Government Says North Korean IT Workers Enable DPRK Hacking Operations

Related: Companies Using Zeplin Platform Targeted by Korean Hackers
