How a fake resume led to data leaks and blackmail.
According to a new report from Secureworks, North Korean operatives who were secretly hired as remote IT workers by companies in the US, UK, and Australia have begun blackmailing those companies with the internal data they gained access to.
Experts have identified several technical and behavioral signs characteristic of such schemes. In some cases the fraudsters, after being hired under fake documents and gaining access to internal systems, began extorting money from their employers. One such incident occurred in mid-2024, when a new employee stole confidential data immediately after starting work. These attacks resemble earlier activity of the NICKEL TAPESTRY group, which has used fraudulent IT workers to raise funds for North Korea's military programs.
Once employed under fake documents, the fraudsters later demanded ransom from their former employers using the stolen data. In the mid-2024 case, the new employee copied confidential data shortly after starting work, transferring it to a personal Google Drive account from within the company's virtual desktop (VDI) session. IP addresses from the Astrill VPN network and from proxy servers were used to mask the true origin of the connections.
After the employee was fired for poor performance, the company received a series of ransom emails demanding payment in cryptocurrency to prevent publication of the documents. The emails were accompanied by archives of stolen files as proof of the theft. A later message, sent from a different email service, supplied further evidence of the theft to underscore that the threat was serious.
Secureworks notes that the incident confirms the expansion of the North Korean operation: in addition to extortion and data leakage, it now also targets intellectual property for financial gain.
One common technique was to redirect the delivery of corporate laptops to addresses other than the one on file, known as laptop farms, where the devices are hosted on the fraudster's behalf. In some cases the workers preferred to use personal devices instead of company-issued ones, or to connect through virtual desktop infrastructure (VDI), which hid their real location and complicated incident investigation.
The attackers also used AnyDesk and Chrome Remote Desktop for remote access, which had no justification in their job duties. Connection analysis showed these tools being accessed from Astrill VPN IP addresses, consistent with NICKEL TAPESTRY's established tradecraft.
North Korean operatives also tend to avoid video calls, but have recently begun using SplitCam, virtual-webcam software that can feed one webcam into several calls at once and helps disguise a participant's identity in video conferences. Secureworks suggests the use of such tools is an attempt to adapt to employers' demands for video communication.
The fraudsters' financial behavior was also suspicious. They frequently changed the bank accounts to which their pay was sent and used digital payment services such as Payoneer to bypass traditional banking. Such financial manipulation is one of the hallmarks of NICKEL TAPESTRY schemes.
Investigations showed that fraudsters sometimes obtained jobs at the same company in groups, recommending one another for positions and operating under different personas. In some cases a single person used several accounts, adjusting their writing style for each role to create the appearance of different employees.
The move to extortion marks a new stage in NICKEL TAPESTRY's tactics and changes the risk for companies: the fraudsters no longer merely collect salaries but also threaten to publish stolen data. Organizations hiring remote IT professionals should be especially attentive to candidates who exhibit the following traits:
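As an added example (not part of the Secureworks report or this article), the script below runs detection logic over constructed VDI-gateway, EDR and proxy log lines to surface the three technical indicators described above: remote-access tools started on a managed desktop, VDI logons arriving from commercial VPN or proxy ranges, and bulk uploads to a personal Google Drive from a VDI host. The log field names, the executable names, the RFC 5737 test ranges standing in for Astrill VPN and proxy egress, the 100 MiB upload threshold and the `vdi-` host naming convention are all assumptions; in practice the ranges come from a threat-intel feed or ASN lookup and the rest is tuned to the organisation's own telemetry.

```python
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Remote-access tools named in the report. Executable names are assumptions
# and would normally be tuned to the org's own EDR telemetry.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "remoting_host.exe": "Chrome Remote Desktop",
}

# Assumed ranges tagged as commercial VPN / proxy egress. RFC 5737 test
# networks stand in for a real threat-intel feed or ASN lookup here.
ANON_RANGES = {
    "Astrill VPN (assumed range)": ipaddress.ip_network("198.51.100.0/24"),
    "proxy (assumed range)": ipaddress.ip_network("203.0.113.0/24"),
}

# Personal cloud storage a managed VDI session should not bulk-upload to.
PERSONAL_CLOUD_HOSTS = {"drive.google.com", "docs.google.com"}
UPLOAD_THRESHOLD = 100 * 1024 * 1024                 # 100 MiB; assumed tuning value
VDI_HOST_RE = re.compile(r"^vdi-", re.IGNORECASE)    # assumed VDI naming convention
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')           # key=value, quoted if spaces

# Constructed sample telemetry (not real data): VDI logons, process starts, proxy flows.
SAMPLE_LOGS = r"""
ts=2024-06-11T12:58:03Z type=logon host=vdi-0417 user=jdoe client_ip=198.51.100.23
ts=2024-06-11T13:02:41Z type=process host=vdi-0417 user=jdoe image="C:\Users\jdoe\AppData\Local\AnyDesk\anydesk.exe"
ts=2024-06-11T13:10:07Z type=net host=vdi-0417 user=jdoe dst=drive.google.com dport=443 bytes_out=734003200
ts=2024-06-11T13:11:12Z type=process host=vdi-0417 user=jdoe image="C:\Program Files (x86)\Google\Chrome Remote Desktop\remoting_host.exe"
ts=2024-06-11T14:00:00Z type=logon host=vdi-0202 user=asmith client_ip=192.0.2.10
ts=2024-06-11T14:05:00Z type=process host=vdi-0202 user=asmith image="C:\Program Files\Git\bin\git.exe"
ts=2024-06-11T14:06:00Z type=net host=vdi-0202 user=asmith dst=drive.google.com dport=443 bytes_out=20480
ts=2024-06-11T15:00:00Z type=logon host=vdi-0310 user=bwong client_ip=203.0.113.77
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    kind: str
    detail: str


def parse_line(line: str) -> dict[str, str]:
    """Turn one key=value record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def detect(lines) -> list[Finding]:
    """Apply the three indicator checks to an iterable of raw log lines."""
    findings: list[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        kind = ev.get("type")
        if kind == "process":
            # Normalise Windows paths and compare only the executable name.
            exe = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if exe in REMOTE_ACCESS_TOOLS:
                findings.append(Finding(ev["ts"], ev["user"], "remote_access_tool",
                                        f"{REMOTE_ACCESS_TOOLS[exe]} started on {ev['host']}"))
        elif kind == "logon":
            ip = ipaddress.ip_address(ev["client_ip"])
            for label, net in ANON_RANGES.items():
                if ip in net:
                    findings.append(Finding(ev["ts"], ev["user"], "anonymised_logon",
                                            f"VDI logon to {ev['host']} from {ip} [{label}]"))
        elif kind == "net":
            if (VDI_HOST_RE.match(ev["host"])
                    and ev["dst"] in PERSONAL_CLOUD_HOSTS
                    and int(ev.get("bytes_out", "0")) >= UPLOAD_THRESHOLD):
                findings.append(Finding(ev["ts"], ev["user"], "personal_cloud_upload",
                                        f"{ev['bytes_out']} bytes to {ev['dst']} from {ev['host']}"))
    return findings


def score_users(findings: list[Finding]) -> dict[str, str]:
    """Rate each user by how many distinct indicator types they triggered.

    One hit is worth a look; two or more independent indicators on the same
    account is the combination the report describes and gets escalated.
    """
    kinds: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        kinds[f.user].add(f.kind)
    return {user: ("high" if len(k) >= 2 else "medium") for user, k in kinds.items()}


if __name__ == "__main__":
    hits = detect(SAMPLE_LOGS.splitlines())
    for f in hits:
        print(f"{f.ts} {f.user:<8} {f.kind:<22} {f.detail}")
    print(score_users(hits))
```

On the constructed data, `jdoe` trips all three indicators (VPN-range logon, AnyDesk and Chrome Remote Desktop launches, a 700 MB push to Google Drive from the VDI host) and is rated high, `bwong` has only a proxy-range logon and is rated medium, and `asmith` (corporate IP, `git.exe`, a 20 KB upload) produces nothing. The per-user correlation is the important part: any one of these signals has benign explanations, but a new hire who shows two or more at once matches the pattern described above and should be reviewed before the account accumulates more access.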
- Apply for full-stack developer positions;
- Claim 8-10 years of experience and 3-4 previous employers;
- Demonstrate beginner or intermediate English proficiency;
- Use a resume whose elements are repeated in other candidates' resumes;
- Refuse to turn on the camera during interviews, or use virtual backgrounds;
- Sound as if they are speaking from a call center;
- Change delivery addresses and bank details during the hiring process.
Source