
A company recently found itself in a precarious situation after accidentally hiring a North Korean IT worker who later stole sensitive data and attempted to extort the company after being fired. According to cybersecurity firm Secureworks, this marks a significant shift in tactics for North Korean IT workers, who have been posing as non-North Koreans to secure remote jobs and funnel earnings back to their home country.
The FBI had previously warned that thousands of North Korean IT workers are infiltrating companies in the US to generate revenue for the North Korean state, often working under false identities. However, this incident involves a more aggressive tactic — data theft and extortion.
The unnamed company, based in either the US, UK, or Australia, initially hired the North Korean worker as a contractor, with the individual falsifying employment history and personal details. Early into his four-month tenure, the worker used remote tools to infiltrate the company’s systems, downloading a large volume of sensitive data, according to Secureworks. After the worker was dismissed for poor performance, the company began receiving emails with evidence of stolen data and a ransom demand for a six-figure sum in cryptocurrency.
Secureworks, which uncovered the activity through its Counter Threat Unit (CTU), shared the details with Business Insider but did not specify whether the ransom was paid. International sanctions on North Korea could prohibit companies from paying such ransoms, according to the firm. The motive behind these fraudulent IT worker schemes is to bypass sanctions and generate revenue for North Korea.
“No longer are they just after a steady paycheck,” said Rafe Pilling, director of threat intelligence at Secureworks’ CTU, highlighting the shift to more aggressive methods such as data theft and extortion. “They are looking for higher sums, more quickly, through data theft and extortion, from inside the company defences.”
The case raises concerns about insider threats and the growing infiltration of North Korean IT workers into the global workforce. Pilling advised companies to remain vigilant, suggesting the importance of running thorough identity checks, conducting in-person or video interviews, and being cautious of unusual requests, such as rerouting corporate IT equipment.
This is not the first time North Korean IT workers have come under scrutiny. Charles Carmakal, chief technology officer at Mandiant Consulting, warned last month that North Korean workers are increasingly targeting the US economy, with dozens of Fortune 100 companies having fallen victim to these schemes. In one notable case, US-based facilitators received laptops on behalf of North Korean workers, who then remotely accessed company systems.
In another case, an Arizona woman was accused of helping North Koreans secure remote-work jobs in the US, including positions at Fortune 500 companies, by masking their locations with US IP addresses.
Jake Moore, a global cybersecurity advisor at ESET, emphasised the importance of thorough vetting and background checks to prevent these types of breaches. “Insider threats are still a major concern for businesses, especially those targeted by nation-state threats,” Moore told Business Insider. He noted that while such processes can be time-consuming, they are essential to protect sensitive company data.
Copyright©2025 Living Media India Limited. For reprint rights: Syndications Today