October 18, 2024 at 10:48AM
North Korean IT workers are infiltrating Western companies under false identities, stealing intellectual property, and demanding ransoms, indicating a shift towards more aggressive tactics. Secureworks highlights evolving risks, advocating for rigorous recruitment checks and awareness regarding suspicious behaviors and financial activities to mitigate insider threats and data extortion.
### Meeting Takeaways: Insider Threat / Cyber Espionage
**Date:** October 18, 2024
**Presenter:** Ravie Lakshmanan
#### Key Points:
1. **New Tactics by North Korean IT Workers:**
– North Korean IT workers are infiltrating Western companies using false identities and are not only stealing intellectual property but also extorting their employers for ransom payments.
– This marks a new phase in their financially motivated attacks, with incidents of exfiltration occurring almost immediately after employment.
2. **Threat Group Association:**
– The fraudulent activities exhibit similarities to the threat group known as Nickel Tapestry (also called Famous Chollima and UNC5267).
3. **Operational Strategy:**
– These individuals are often deployed from China and Russia and may steal identities of legitimate U.S. residents.
– There are instances of contractors requesting changes to delivery addresses for company-issued laptops, rerouting them to intermediaries who install remote access software.
4. **Behavioral Patterns:**
– Contractors often ask to use personal laptops, disrupting normal company protocols and potentially hindering forensic evidence gathering.
– Multiple fraudulent contractors can be hired by the same company, or one individual can adopt multiple identities.
5. **Evolution of Threat:**
– Evidence has shown that terminated contractors are now sending extortion emails with stolen data as leverage, significantly changing the risk profile of hiring North Korean IT workers.
– The scheme was previously focused solely on consistent income; it now involves aggressive data theft and extortion.
6. **Recommendations for Organizations:**
– Employers should enhance their recruitment vigilance by:
  – Conducting meticulous identity checks.
  – Implementing in-person or video interviews.
  – Monitoring any attempts to reroute corporate equipment or change paycheck delivery systems.
  – Keeping an eye out for unauthorized access to corporate networks.
7. **Conclusion:**
– The recent activities reflect an evolution in the scheme's tactics and necessitate heightened awareness in recruitment and IT security practices.
**Next Steps:**
– Consider adopting the recommended security measures in your organization’s hiring protocol to mitigate risks associated with insider threats.
**Follow-Up:**
– Keep abreast of further developments in cybersecurity threats through reputable sources such as Secureworks and government alerts.