Western firm hacked by North Korean cybercriminal hired as remote IT worker

Breach discovered only after the company terminated employment over performance issues

[Image: North Korean hacker was hired as remote IT contractor]

A western company has fallen victim to a severe hacking incident after mistakenly hiring a North Korean cybercriminal as a remote IT contractor.

The unidentified firm, based in either the UK, US, or Australia, was taken in by a sophisticated deception that led to the theft of sensitive company data.

According to the BBC, a North Korean individual posing as a freelance IT specialist falsified key details about their background and employment history, successfully securing the job in the summer of 2023.

The hacker then used company tools to gain access to sensitive corporate systems, all while maintaining the appearance of a diligent contractor. The cybercriminal exploited the firm's remote working infrastructure, secretly siphoning off critical data over a four-month period.

During this time, the malicious activities of the contractor went undetected. The individual earned a salary that experts believe was funnelled back to North Korea through a complex laundering process designed to circumvent international sanctions on the regime.

The breach came to light only after the company terminated the individual over performance issues.

Shortly after the sacking, the company received a ransom demand via email. The hacker threatened to release or sell the stolen data unless the company paid a six-figure sum in cryptocurrency.

The exact amount of the ransom has not been disclosed, and the firm has not revealed whether it paid.

Cybersecurity firm Secureworks was brought in to assist in the investigation and help mitigate the fallout from the breach. It has since issued a public warning, describing the incident as a new escalation in North Korea's long-standing efforts to generate income through its rogue cyber units.

The incident comes amid a growing pattern of North Korean workers infiltrating Western firms, posing as legitimate employees, often in remote technical roles.

Cybersecurity firm Mandiant recently revealed that dozens of Fortune 100 companies have unwittingly hired North Korean operatives. Most incidents have involved low-level fraudulent activity, with employees sending their earnings back to North Korea.

In July 2023, a North Korean IT worker was caught attempting to hack their employer, KnowBe4, a cybersecurity firm. The company quickly disabled the worker's access when suspicious activity was detected.

The UK government's Office of Financial Sanctions Implementation (OFSI) has issued a warning to companies about the risks of hiring North Korean IT workers. Such actions could violate the significant sanctions currently in place against the regime.

OFSI has also published a list of tell-tale signs that a contractor may be a North Korean agent, including inconsistencies in their information, refusal to appear on camera, and unusual requests for payment.

Last year, Microsoft issued a warning about a new social engineering campaign targeting LinkedIn users conducted by the North Korean hacking group Sapphire Sleet.

This group, known for its involvement in cryptocurrency theft and phishing attacks, created fake skills assessment portals to gather sensitive personal information and credentials.

Microsoft advised LinkedIn users, particularly those in IT and recruiting roles, to be cautious of unsolicited messages containing links or skill assessment offers. The company said it was essential to verify the authenticity of any websites before providing any personal information or login credentials.