North Korean hackers expand remote IT worker scam beyond US firms

The North Korean IT worker scam operation has expanded to a global scale, even as U.S. authorities crack down on sanctioned threat actors.

Researchers with Microsoft said that fraudsters operating on behalf of the Hermit Kingdom have started targeting organizations outside of the United States.

According to Microsoft, North Korean threat actors operating domestically and out of branch offices in Russia and China have been using AI image manipulation and social-engineering tactics to apply for outsourced IT support positions with third-party companies.

The payment from those roles then goes back to the North Korean government, effectively allowing the regime to skirt international financial sanctions.

What was once an effort focused on organizations in the U.S. has now gone international, according to Microsoft.

“Historically, North Korea’s fraudulent remote worker scheme has focused on targeting United States (US) companies in the technology, critical manufacturing, and transportation sectors,” Microsoft Threat Intelligence reported.

“However, we’ve observed North Korean remote workers evolving to broaden their scope to target various industries globally that offer technology-related roles.”

The threat actor known as “Jasper Sleet” or “Storm-0287” has been associated with more than 3,000 Microsoft accounts that have since been banned. The company has also reached out to affected organizations that may have been targeted.

Microsoft recommended that organizations take extra care during the hiring process to screen applicants and spot jobseekers who may be using AI image and resume manipulation tools to hide their malicious intentions.

That might be easier said than done, however. Even as the U.S. is working to spot and prosecute North Korean IT worker scams, the fraudsters are able to extort organizations for big bucks.

Reuters reported that four North Korean workers were arrested by the FBI on charges of wire fraud, conspiracy, and money laundering. It is alleged that the four men posed as IT workers and used stolen identities to collect paychecks from American companies.

Additionally, it is alleged that the scammers stole dozens of identities and withdrew some $900,000 worth of cryptocurrency before being caught. Cryptocurrency transactions are a favorite money laundering technique for North Korean threat actors because they skirt economic sanctions.

Jake Williams, vice president of R&D at Hunter Strategy and faculty member at IANS Research, told SC Media that the attacks are nothing new and that organizations need to step up their game when it comes to screening new hires.

“It's not surprising that we're seeing North Korean threat actors continue to use identity theft as a tool for sanctions evasion,” Williams said.

“This underscores the need for organizations to engage in robust identity verification for new hires, including detailed background checks. Security teams need to be aware that if they see something odd, it needs to be investigated, doubly so for new hires and IT workers.”

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
