NICKEL TAPESTRY: North Korean IT Contractors Use Fake Identities to Infiltrate and Extort Western Companies

Researchers from Secureworks Counter Threat Unit (CTU) have uncovered various tactics used by North Korean IT workers in fraudulent employment schemes, tracked under the threat group NICKEL TAPESTRY. These workers have been observed infiltrating organizations by using stolen or falsified identities to secure employment, primarily in Western countries like the U.S., UK, and Australia. Their objective is to gain insider access to proprietary data, which is often exfiltrated shortly after they begin employment. In a marked shift from previous activity, these workers have started demanding ransom payments from former employers after stealing sensitive information. As noted by Secureworks, this move demonstrates a "calculated nature" in which stolen data is used for extortion, with significant monetary demands in cryptocurrency.

One tactic repeatedly observed involves fraudulent contractors requesting permission to use personal laptops instead of company-issued devices, citing a preference for virtual desktop infrastructure (VDI) setups. This approach helps these actors avoid the need for corporate laptops, which limits access to forensic evidence in the event of an investigation. Secureworks researchers found that many of these individuals attempted to reroute corporate laptop deliveries to third-party facilitators or avoided them entirely, relying on tools such as Chrome Remote Desktop and AnyDesk for remote access. In one case, a contractor exfiltrated proprietary data using a personal Google Drive account via a corporate VDI solution.

Additionally, North Korean IT workers often avoid video calls or claim technical issues with webcams during virtual meetings. Analysis revealed that some used virtual video clone software, like SplitCam, to facilitate these calls while hiding their true identity. Suspicious financial behaviors, including multiple changes to payroll bank accounts and the use of digital payment services like Payoneer, have also been noted. These patterns of financial manipulation and personal identity obfuscation align with the overarching strategies of the NICKEL TAPESTRY group, which supports North Korean government operations.

Investigations have also uncovered networks of interconnected fraudulent workers, with contractors providing references for each other, using similar resumes, and occupying the same roles in the same companies. Secureworks notes that these "links between contractors" suggest these workers may be co-located and even share job responsibilities. This organized and collaborative approach signals a heightened risk for companies, especially given the introduction of ransom demands and the clear financial motivation behind these schemes. As such, organizations are encouraged to conduct thorough background checks, especially for remote IT roles, and to closely monitor suspicious activity involving remote access tools or financial inconsistencies.