The individuals involved in North Korean fake IT worker schemes are extorting the organizations that employ them and are increasingly aggressive in their tactics, fresh warnings from the FBI and Mandiant show.
According to the FBI, in addition to extorting US organizations that were deceived into hiring them, the North Korean IT workers have been infiltrating corporate networks to steal sensitive data, facilitate cybercrime, and conduct other activities that generate revenue for the Pyongyang regime.
“After being discovered on company networks, North Korean IT workers have extorted victims by holding stolen proprietary data and code hostage until the companies meet ransom demands. In some instances, North Korean IT workers have publicly released victim companies’ proprietary code,” the FBI says.
The agency warns that these workers have been observed copying organizations’ code repositories, posing a risk of code theft, and could attempt to harvest company credentials and session cookies for further compromise.
This evolution in tactics was first observed in mid-2024, with some individuals demanding six-figure ransom payments from their former employers to prevent the publication of stolen data.
According to Michael Barnhart, principal analyst at Google Cloud-owned Mandiant, the North Korean IT workers are becoming more aggressive in response to a wave of indictments and sanctions against them, as well as increased media coverage, both of which have reduced the success rate of their schemes.
“An unfortunate byproduct of law enforcement action is these threat actors are becoming noticeably more aggressive in their tactics. We are increasingly seeing North Korean IT workers infiltrating larger organizations to steal sensitive data and follow through on their extortion threats against these enterprises,” Barnhart told SecurityWeek in an emailed comment.
“It’s also unsurprising to see them expanding their operations into Europe to replicate their success, as it’s easier to entrap citizens who aren’t familiar with their ploy,” Barnhart said.
He also warns that companies using virtual desktop infrastructure (VDI) for remote workers instead of issuing physical laptops are easier targets for North Korean IT workers, as VDI makes it easier for them to conceal their malicious activity.
“As a result, North Korean IT workers are turning a company’s short-term savings into long-term security risks and financial losses, so it’s imperative for more businesses to pay attention to these operations,” Barnhart said.
To stay protected, businesses are advised to adhere to the principle of least privilege on their networks, monitor and investigate unusual traffic, monitor network logs and browser session activity, and monitor endpoints for software supporting multiple simultaneous audio/video calls.
Furthermore, companies should implement identity-verification processes when hiring and onboarding new employees, educate their staff regarding North Korean IT worker schemes, review applicants’ communication accounts, and use robust hiring practices, including conducting much of the hiring and onboarding in person.
The warning comes just as the US announced charges against five individuals involved in a fake IT worker scheme, including North Korean, American and Mexican nationals.