Pyongyang on the payroll? Signs that your company has hired a North Korean IT worker

If your remote employee insists on using their own devices, won’t show up on webcam and frequently changes their payment services, you may have accidentally hired a North Korean operative.

Those are some of the tactics wielded by the actors behind what Secureworks refers to as Nickel Tapestry, a group known for planting fake IT workers at Western commercial companies to raise money for North Korea’s nuclear weapons programs, according to new research from Secureworks.

Based on numerous incident response engagements, the findings detail a range of tactics used by the group to infiltrate companies in the U.S., U.K. and Australia on behalf of North Korea, often for profit. While the identities of the impacted firms were withheld, the research reveals common behaviors and techniques that could help cybersecurity professionals sniff out possible imposter employees.

Most of the time, the primary objective behind these schemes was simply drawing a salary for as long as possible, money that federal authorities and other experts say usually goes directly to funding North Korea’s nuclear weapons program. But Secureworks said these employments sometimes morphed into broader efforts to thieve intellectual property data or extort the companies for larger payments.

In one instance, a hired worker used their employer’s virtual desktop infrastructure to access and steal proprietary data. When they were eventually fired for poor performance, they attempted to ransom the stolen data back to the company for hundreds of thousands of dollars in cryptocurrency.

Secureworks also observed the group taking extensive efforts to avoid using corporate laptops, while obfuscating their real location. In some cases, the workers requested permission to use their own personal laptops or virtual desktop infrastructure. Others would simply change the delivery address to send their work device to a laptop farm masked with a U.S. IP address, a technique that was also highlighted in an FBI advisory released last year.

When they were forced to use corporate work devices, the plants would often cite technical issues to avoid showing up on webcams for work meetings. There is also evidence that some used virtual video-cloning software and other tools.

“Based on these observations, it is highly likely that the threat group is experimenting with various methods for accommodating companies’ requests to enable video on calls,” Secureworks’ counter threat unit research team wrote.

The group also created entire fake networks of employees and companies to provide operatives with work references, redirect payments and, in at least one case, replace other operatives once they were fired or left a company. Oftentimes these operatives use similar email and resume formats, or display multiple writing styles, indicating that each persona may have more than one operative behind it.

To sidestep detection by banks, these workers would sometimes rapidly update their bank accounts or use digital payment services like Payoneer. CyberScoop has reached out to Payoneer’s press office for comment.

Other common behaviors associated with campaign operatives  were listing between 8-10 years of work experience, communicating at odd times of day that don’t match their listed location or time zone, demonstrating novice or intermediate English skills and sounding like “they are speaking from a call center environment.”

While each behavior is typically harmless and common among global remote IT workers, when combined, they might suggest a company has unknowingly hired a North Korean agent.

Due to international sanctions limiting traditional business avenues, North Korea increasingly uses cybercrime and operations like Nickel Tapestry to fund its military and weapons programs.

In 2022, the FBI, Treasury Department and State Department put out a public warning calling North Korea’s IT worker infiltration program “a critical stream of revenue” for the regime. Employees placed at Western firms — who are actually based in China or Russia — are able to make as much as $300,000 a year, and often make 10 times the income they would earn as an average factory or construction worker inside North Korea.

North Korean leader Kim Jong Un has heavily invested in IT infrastructure inside the country, which is used to foster the skill sets needed to obtain  employment overseas, including establishing rigorous IT degree programs within North Korea and training at regional IT research centers abroad. 

Cybersecurity experts believe the practice is more widespread than the public understands. Researchers at Mandiant and Google Cloud said last month that these workers often have multiple jobs with different organizations and maintain high-level access to production systems and source code, potentially enabling future cyberattacks on company infrastructure.

“I’ve spoken to dozens of Fortune 100 organizations that have accidentally hired North Korean IT workers,” Charles Carmakal, the firm’s chief technology officer, said in a statement last month.