A company was hacked after it hired a North Korean cyber criminal posing as an IT contractor.
The unnamed company fell victim to a new North Korean hacking tactic, according to cybersecurity company Secureworks, which investigated the incident.
A North Korean cyber criminal posing as an IT contractor was hired for a fixed-term contract by the firm, which is based either in the UK, US or Australia.
Secureworks is keeping the company’s location general in order to protect the company.
Within days of starting work, the criminal “accessed and exfiltrated company data”, according to Rafe Pilling, who is the director of threat intelligence at Secureworks.
Then, when the employment contract was finished, the criminal used the hacked data “to demand a hefty ransom in return for not publishing” it, said Mr Pilling.
This is a new tactic for the North Korean regime, which was already trying to sneak its workers into UK companies.
“It is almost certain that UK firms are currently being targeted by [North Korean] IT workers disguised as freelance third-country IT workers to generate revenue for the DPRK regime,” said an advisory note published by the government’s Office of Financial Sanctions Implementation (OFSI) last month.
UK companies that hire these workers could be breaching the “significant” sanctions currently placed on North Korea, according to OFSI.
Although it is thought those workers’ salaries were being used to fund the North Korean regime, this latest incident, and others like it, mark “a serious escalation” of risk for companies, said Mr Pilling.
“No longer are [the fake workers] just after a steady paycheck, they are looking for higher sums, more quickly, through data theft and extortion, from inside the company defences,” he said.
UK companies should protect themselves from these kinds of attacks by being on “high alert”, he said.
OFSI published a list of tell-tale signs that a new contractor is not who they say they are and is, in fact, an agent for the North Korean government.
Some of those include being inconsistent with the spelling of their name, their nationality, location, experience and online presence or refusing to appear on camera.
Mr Pilling said companies should monitor for long pauses if they do appear on camera for job interviews and OFSI warns that people who request prepayment but then fail to complete tasks, or just generally fail to do the job, could also be suspicious.
Attempts to re-route corporate IT equipment sent to the contractor’s home, routing paychecks to money transfer services and accessing the corporate network with unauthorised remote access tools should also be red flags.
