Biz hired, and fired, a fake North Korean IT worker – then the ransom demands began

It's a pattern cropping up more and more frequently: a company fills an IT contractor post, not realizing it's mistakenly hired a North Korean operative. The phony worker almost immediately begins exfiltrating sensitive data, before being fired for poor performance. Then the six-figure ransom demands – accompanied by proof of …

  1. Pascal Monett Silver badge

    Hiring a North Korean fake IT worker

    How on Earth do you not get a clue when the delivery address for the company laptop is in North Korea ?

    And an IT worker using a personal laptop ? No. He gets a fully locked-down laptop on which he can't install anything and, if he says that the camera isn't working, you know he's lying because you've tested the configuration first. Finally, he may be an IT contractor, but that doesn't mean he has access to everything. He has access to what you allow, the rest is out of bounds.

    Bloody hell, your security is your responsibility.

    1. PCScreenOnly

      Re: Hiring a North Korean fake IT worker

      My company laptop is locked, but so much software can get installed without admin into AppData that it is silly.

      Even if it does ask for admin, close the prompt and into app data it goes

      1. Anonymous Coward

        Re: Hiring a North Korean fake IT worker

        Bigger companies (or at least, bigger companies concerned with security) tend to employ binary whitelisting (which looks like AppLocker or WDAC on Windows). With binary whitelisting, even if the installer were to run, the resulting binary wouldn't (regardless of whether it existed in Program Files or AppData or anywhere else on the device).

        1. Richard 12 Silver badge

          Re: Hiring a North Korean fake IT worker

          Erm, if the installer runs, then whatever system that was supposed to prevent unauthorised binaries from running has already failed.

          Installers are binaries - at least, they're sufficiently executable code that they can go ahead and do anything the user is able to do.

      2. Phil Koenig Bronze badge

        Re: Hiring a North Korean fake IT worker

        Decent corporate security tools can lock down all sorts of things on workstations including app installation no matter where the destination folder is.

        Google started the "install into appdata" garbage when they were trying to evade corporate policies on user-installed S/W to get Chrome into the door of all those companies.

        It started going downhill from there.

        Which is why clueful IT departments know how to block those installs too.

        1. Nick Ryan

          Re: Hiring a North Korean fake IT worker

          Installing into App Data, or to describe it better, installing for the current user is a standard installation target and not one that "Google started".

          When installing an application in Microsoft Windows there are two core options and this has been the case for a couple of decades (i.e. not new functionality):

          • (1) Install for all users - this requires Trusted Installer access which tends to require a local administrator account. An application installed in this way is available for all users on a shared device without duplication or further installations.
          • (2) Install for current user - this installs the application solely in the user's profile meaning for a shared computer multiple installations of the same application are required. This does not require elevated rights.

          For many years a lot of software developers only understood the Install for all users route and required administrator access for installation for applications which didn't need to be installed for all users.

          Naturally some application developers still didn't understand this and installed applications into the wrong %USERPROFILE%\AppData subdirectory as they couldn't understand the difference between Local, LocalLow and Roaming. This either led to ridiculously large roaming profiles or to data that should be roaming but isn't.

          Of course the free-for-all mess that is %USERPROFILE%\AppData is down to Microsoft delivering yet another half-considered schema with no defined structure, no guides and no rules for use, so it inevitably became a free-for-all dumping ground and as a result was inevitably where Microsoft Store apps got dumped (%USERPROFILE%\AppData\Packages), which is quite separate from one of Microsoft's previous application package schemes, the different hell named "ClickOnce"...

      3. JohnG

        Re: Hiring a North Korean fake IT worker

        "My comany laptop is locked, but so much software can get installed without admin and into appdata it is silly"

        That laptop is not really locked down then.

        At the very least, any new executables should be flagged to the IT folk.
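The sub-thread above argues over whether a "locked" laptop still lets an installer drop a binary into AppData and run it, and JohnG's point is that any new executable should at least be flagged to IT. The script below is an added example, not code from the article or from any commenter: it replays the logic of AppLocker's default executable rules (a standard user may run only what lives under Program Files and Windows, minus the subtrees of C:\Windows that a standard user can write to) over a constructed, simplified process-creation log, and reports anything executing from a user-writable path unless its hash is on an explicit allow-list, the way a hash rule would cover an approved exception such as Giles C's firmware tool. The log format, users, paths and hashes are all invented for the example.

```python
"""Flag process launches from user-writable paths on Windows endpoints.

Added example with a constructed log format (key=value fields loosely
modelled on a process-creation event). All users, paths and hashes are
invented; KNOWN_GOOD_SHA256 stands in for an explicit allow-list such as
an AppLocker hash rule.
"""
import re

# AppLocker's default executable rules let standard users run only from
# these machine-wide roots, which a non-admin cannot write to.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Subtrees of C:\Windows that standard users CAN write to. A policy that
# allows all of C:\Windows without excepting these is trivially bypassed.
WRITABLE_UNDER_WINDOWS = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\", "c:\\windows\\tracing\\")

# Typical per-user install targets: no admin prompt is needed to write here.
PER_USER_INSTALL_HINTS = ("\\appdata\\local\\programs\\", "\\appdata\\local\\apps\\2.0\\", "\\appdata\\roaming\\")

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Return a dict of key=value fields; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def normalise_path(path):
    """Lower-case and use backslashes so prefix checks are case-insensitive."""
    return path.strip('"').replace("/", "\\").lower()


def classify(image):
    """'trusted' if under an admin-only root, otherwise 'user-writable'."""
    p = normalise_path(image)
    if p.startswith(WRITABLE_UNDER_WINDOWS):
        return "user-writable"
    if p.startswith(TRUSTED_ROOTS):
        return "trusted"
    return "user-writable"


def review(lines, known_good_sha256):
    """One finding per launch from a user-writable path that is not allow-listed by hash."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = normalise_path(ev.get("image", ""))
        sha = ev.get("sha256", "").lower()
        if not image or classify(image) == "trusted":
            continue
        if sha in known_good_sha256:
            continue  # explicit, reviewed exception (e.g. a firmware tool a network engineer needs)
        reason = "executes from user-writable path"
        if any(hint in image for hint in PER_USER_INSTALL_HINTS):
            reason += " (looks like a per-user install)"
        findings.append({"user": ev.get("user", "?"), "image": image, "sha256": sha, "reason": reason})
    return findings


# Constructed events, not real telemetry. Placeholder 64-hex hashes.
SHA = {n: (n * 64)[:64] for n in "abcdef"}
SAMPLE_EVENTS = [
    r'ts=2024-10-18T09:12:03Z user=ACME\jdoe image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" sha256=' + SHA["a"],
    r'ts=2024-10-18T09:15:40Z user=ACME\jdoe image="C:\Users\jdoe\AppData\Local\Programs\CloudSync\cloudsync.exe" sha256=' + SHA["b"],
    r'ts=2024-10-18T09:20:11Z user=ACME\kpatel image="C:/Users/kpatel/AppData/Roaming/Tmp/helper.exe" sha256=' + SHA["c"],
    r'ts=2024-10-18T09:21:02Z user=ACME\kpatel image=C:\Windows\Temp\setup.exe sha256=' + SHA["d"],
    r'ts=2024-10-18T09:30:55Z user=ACME\jdoe image="C:\Windows\System32\cmd.exe" sha256=' + SHA["e"],
    r'ts=2024-10-18T10:02:19Z user=ACME\neteng image="C:\Users\neteng\AppData\Local\Programs\fwtool\fwtool.exe" sha256=' + SHA["f"],
]
KNOWN_GOOD_SHA256 = {SHA["f"]}  # the reviewed firmware tool exception

if __name__ == "__main__":
    for f in review(SAMPLE_EVENTS, KNOWN_GOOD_SHA256):
        print(f"{f['user']}: {f['image']} -> {f['reason']}")
```

The hash allow-list is the part that makes this usable: without it every per-user install is noise, and with it the exceptions are an explicit, reviewable list rather than a folder that happens to be trusted. Richard 12's objection still stands, of course: if the installer itself ran from Downloads, the path rule should have caught that launch first.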

    2. Anonymous Coward Silver badge
      Facepalm

      Re: Hiring a North Korean fake IT worker

      According to the article, the laptops are delivered/rerouted to laptop farms - that'll be in the company's country - and the crooks presumably just access them remotely. This conveniently keeps the connection IP address local and avoids any corporate firewall blocking other countries.

      1. Prst. V.Jeltz Silver badge

        Re: Hiring a North Korean fake IT worker

        It was at that point I thought, it's down to the interview then. How can you have a full interview and not realise it's an NK hacker?

        then the last paragraph reveals that did happen - to a security firm!

    3. MachDiamond Silver badge

      Re: Hiring a North Korean fake IT worker

      "Finally, he may be an IT contractor, but that doesn't mean he has access to everything. He has access to what you allow, the rest is out of bounds."

      I wonder about the prudence of these companies as well. If I hired a contractor for a project, they'd have access only to that project and maybe only the particular part of it that they have been hired to work on. When I hire the landscaping company to trim my trees, they aren't given access to the house. When I had a manufacturing company, I had a couple of parts made overseas, but I didn't deliver a full set of drawings for the whole product. I also didn't give the drawings labels that gave too much information.

      1. collinsl Silver badge

        Re: Hiring a North Korean fake IT worker

        > I also didn't give the drawings labels that gave too much information.

        If I were in that situation I wouldn't be able to resist labelling them things like "Kneecap crusher wheel 4" or "ACME dynamite de-flipper-overer mk8"

        1. MachDiamond Silver badge

          Re: Hiring a North Korean fake IT worker

          "If I were in that situation I wouldn't be able to resist labelling them things like "Kneecap crusher wheel 4" or "ACME dynamite de-flipper-overer mk8""

          I was a lot more boring and just gave them a number which is easier to track.

    4. Anonymous Coward

      Re: Hiring a North Korean fake IT worker

      > Finally, he may be an IT contractor, but that doesn't mean he has access to everything. He has access to what you allow, the rest is out of bounds.

      Depends on the role. Our help desk is manned by a contractor who lives in another country. Due to the nature of his job he needs access to things like the admin account of our office tenant...

      ...I should note that he was hired with an in-person interview before he moved back to his home country, and I am reasonably confident he is not Korean :)

  2. katrinab Silver badge
    Meh

    The delivery address is not in North Korea.

  3. Pope Popely
    Trollface

    Camouflaging destination

    See, it's not that easy. Shipping address for notebooks isn't "North Korea", it's "Best Korea". A trap for you young players.

    (Reminds me of GDR activity when an eastern agency luring west German soldiers used a WWII postcode starting with "W", suggesting western German origin.)

  4. Headley_Grange Silver badge

    "It's a pattern cropping up more and more frequently: a company fills an IT contractor post, not realizing that ......." it has bugger-all security processes to manage its sensitive data.

    My last proper company segregated and monitored its sensitive data and IT admins did not get automatic access to everything, everywhere from anywhere.

    1. Helcat Silver badge

      Alternatives are: Access to sensitive data is limited to one site only. New hires get test data access only and have to prove their value to get anything more. Monitor data flow: Why is that data being copied from the prod server and by whom? If a new employee is acting strange, restrict their access until you know why they're doing what they're doing.

      Oh, and key infrastructure, network monitoring etc (the sensitive stuff) should only be done by trusted employees: Those who have been with you for some years. Not by the new hire who you've spoken to on teams but not actually met in person.

      Problem, obviously, is companies trying to save money by hiring cheap.
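Helcat's three rules above (test data only for new hires, watch who copies from prod, restrict on anything odd) are cheap to automate once file-share access is logged. As an added example, not code from the article or from the commenter, the script below runs those checks over a constructed log of reads from a hypothetical production share: an identity with no HR record at all, a hire still inside a probation window touching prod, and a user whose daily egress jumps well above their own prior median. Share names, users, hire dates and thresholds are invented.

```python
"""Three cheap data-flow checks over file-share read logs.

Added example; every event, user and hire date below is constructed.
PROD_PREFIX, PROBATION_DAYS, SPIKE_FACTOR and MIN_SPIKE_BYTES are
hypothetical values to tune per environment.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

PROD_PREFIX = "\\\\prod-fs01\\"   # hypothetical production file share
PROBATION_DAYS = 90               # new hires should be on test data only
SPIKE_FACTOR = 3.0                # today's egress vs the user's own prior median
MiB = 2 ** 20
MIN_SPIKE_BYTES = 100 * MiB       # ignore spikes below this to cut noise

# Constructed HR feed: who was hired when. Anything not listed is unknown.
HIRE_DATES = {"jdoe": date(2019, 3, 4), "asmith": date(2021, 6, 14), "newhire7": date(2024, 9, 30)}


def _ev(day, hour, user, path, nbytes):
    return (datetime(2024, 10, day, hour), user, path, nbytes)


# Constructed read events: (timestamp, user, UNC path, bytes read).
EVENTS = []
for d in (14, 15, 16, 17):  # four quiet days of baseline
    EVENTS += [_ev(d, 10, "jdoe", r"\\prod-fs01\crm\report.xlsx", 8 * MiB),
               _ev(d, 11, "asmith", r"\\prod-fs01\erp\orders.db", 12 * MiB)]
EVENTS += [
    _ev(18, 9, "asmith", r"\\prod-fs01\erp\orders.db", 14 * MiB),              # normal
    _ev(18, 21, "jdoe", r"\\prod-fs01\crm\customers_full.bak", 900 * MiB),      # spike
    _ev(18, 14, "newhire7", r"\\prod-fs01\crm\contacts.csv", 3 * MiB),          # probation
    _ev(18, 15, "newhire7", r"\\test-fs01\crm\contacts_sample.csv", 3 * MiB),   # fine: test share
    _ev(18, 16, "svc_unknown", r"\\prod-fs01\erp\orders.db", 1 * MiB),          # no HR record
]


def daily_prod_totals(events):
    """user -> day -> bytes read from the production share."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, path, nbytes in events:
        if path.lower().startswith(PROD_PREFIX.lower()):
            totals[user][ts.date()] += nbytes
    return totals


def review(events, hire_dates, today):
    """Return (user, reason) findings for today's reads from prod."""
    findings = []
    for user, per_day in daily_prod_totals(events).items():
        today_bytes = per_day.get(today, 0)
        if today_bytes == 0:
            continue
        hired = hire_dates.get(user)
        if hired is None:
            findings.append((user, "no HR record for identity reading prod data"))
            continue
        if (today - hired).days < PROBATION_DAYS:
            findings.append((user, "probation hire reading production share"))
        prior = [b for d, b in per_day.items() if d < today]
        if prior:
            baseline = median(prior)
            if today_bytes >= MIN_SPIKE_BYTES and today_bytes > SPIKE_FACTOR * baseline:
                findings.append((user, f"egress spike: {today_bytes // MiB} MiB vs median {int(baseline) // MiB} MiB"))
        elif today_bytes >= MIN_SPIKE_BYTES:
            findings.append((user, "first-ever prod read is already large"))
    return findings


if __name__ == "__main__":
    for user, reason in review(EVENTS, HIRE_DATES, date(2024, 10, 18)):
        print(f"{user}: {reason}")
```

The baseline is the user's own median, not a fleet-wide average, because a database admin and a sales rep have nothing in common; the probation and no-HR-record checks fire regardless of volume, since for those identities the question is not "how much" but "why at all".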

  5. Anonymous Coward

    Identity

    Don't know about elsewhere, but here (UK institution) anyone taken onto the payroll has to turn up in person at an administrative office with identity documents.

    1. Anonymous Coward

      Re: Identity

      That's nice, but it depends how much pushback the hiring managers give. If they claim they can't hire the right person, then a remote candidate might be their "only" option. Let's be perfectly honest, most managers are focused on short-term financial results, and security is an annoyance - until they destroy the company.

      As usual, in most businesses, things are far more messy than a security person's theoretical operating procedure would like.

      "They're working on project x so just give them access to all the files for that customer in case they need to refer back to previous work we did for them"

      "They need to access Google drive because customer y demands we use it to share data with them"

      "Please install z video conferencing client because this customer refuses to use Teams"

      Even where we've got no staff with admin privileges on their machines, and AppLocker locking down what can be executed, with enough time there are ways around all this.

      I'm going to assume Snowden was office based, and yet look what happened... The problem with remote working is that it makes all this stuff so much easier for a rogue employee.

      Tip: Watch out for candidates asking your hiring teams to visit their personal websites - had one of those this week and it was trying to install ransomware...

      1. Elongated Muskrat Silver badge

        Re: Identity

        That's nice, but it depends how much pushback the hiring managers give.

        There's specific legislation that means employers can get fined very heavily for failing to do DBS checks on their employees, establishing their true identity, and their right to work.

        If an employer isn't doing all of this, there's very strong odds that they're also not paying any taxes and operating out of a caravan in the car park of a disused industrial site as well. If this is your employer, you should probably dob them in. If it's you, then expect a visit from plod any day now.

        1. Anonymous Coward

          Re: Identity

          They just hire them as contractors.

          In any case, I highly doubt a UK DBS check works on a non-UK national.

        2. jotheberlock

          Re: Identity

          I don't think DBS checks are mandatory - not unknown, by any means, but not required every place I've worked. Providing a passport absolutely is, though, for immigration right-to-work checking reasons. I guess North Korea as a state entity can provide convincing fake ones, though.

          1. Nick Ryan

            Re: Identity

            What is required is to prove the legal right to work, not necessarily to provide a passport. A passport is good for this as it is photo ID and citizenship which makes it quite easy but it is not required.

        3. MachDiamond Silver badge

          Re: Identity

          "There's specific legislation that means employers can get fined very heavily for failing to do DBS checks on their employees, establishing their true identity, and their right to work."

          That will have so many holes it would be over the top for lingerie. The 'person' being hired is already known to be out of country and in many countries, forming a sole proprietorship or limited company can be very simple. The set up cost to ransom ratio doesn't move that much with having to form a company to be hired rather than a person. I know of a couple of places where I can purchase a (US) limited liability company that's all registered and "sitting on a shelf". Like some wines, a company with some aging might be more valuable so it can be more expensive to get one that wasn't formed last week, but it is still worth it.

          I could run the company from a caravan since it's common practice to have a professional "registered agent" that receives (and forwards) official notices and there are listed addresses that are no more than a receptionist that answers your phone, processes mail and can provide offices and meeting rooms by the hour.

      2. Elongated Muskrat Silver badge

        Re: Identity

        The problem with remote working is that it makes all this stuff so much easier for a rogue employee.

        I'd argue that this point is completely moot as well. Where a person is physically located when they exfiltrate company data onto a pen drive is totally irrelevant. Unless a workplace keeps all employees under constant surveillance, from multiple angles in the workplace, if anything, doing this sort of thing "in the office" will be easier because you could just transfer those GB of data straight off a corporate network onto a pen drive, rather than having to squeeze it through a gateway server, VPN, and domestic broadband.

        I think I can detect a faint whiff of someone who has an ulterior "get everyone back to the office" motive. You don't happen to be a corporate landlord by any chance, do you?

        1. Diogenes8080

          WFNK

          You can deliver a virtual desktop securely to any part of the planet, even on modest bandwidth. You do not need to give that worker anything other than type, click and see.

          The earlier posters were nearer the mark.

          Employing a worker sight unseen, and did we actually check the references we were given? Assume the qualifications and professional associations were from identity theft, so new hire X isn't really X at all.

          Not segmenting our information? That's just sloppy, and usually results from understrength support. No-one pays any attention until something really valuable is stolen, then suddenly meat's back on the menu, boys!

          "Customer Y demands [alternate insecure] product Y" - I feel your pain. Maybe sandbox, restrict and log? No, you CAN'T use it for everything!

          Oh, and fake worker isn't doing much work? Then neither is their manager, or the manager is managing too much else. Who signed off on this character, anyway?

          1. Giles C Silver badge

            Re: WFNK

            I started a contract in November 2020 the first time I met the people I was working with was about 18 months later.

            My job was to migrate a set of firewalls, after the first week of getting started I set off on documenting the firewall rules which took me a month.

            I later found out (during an exit interview) that they were concerned if I was getting anything done until I produced a 200 page report breaking down the firewall rules and detailing a full migration plan - I had been talking to other people in the company during this time so wasn't completely a hermit. They must have liked me because after a break at another contract I got taken on as a permanent employee and have now been doing that for 18 months.

            1. MachDiamond Silver badge

              Re: WFNK

              "I later found out (during an exit interview) that they were concerned if I was getting anything done until I produced a 200 page report breaking down the firewall rules and detailing a full migration plan"

              If you had been working under a good manager, the company would have known you were getting things done. I worked on lots of stuff where once the goal posts have been placed, everybody goes off and gets their bit done with little to show until it starts getting put together and then, holy crap that was a lot of work and no sign of slacking. In the mean time, it's awfully quiet in here.

          2. MachDiamond Silver badge

            Re: WFNK

            "Who signed off on this character, anyway?"

            HR, duh.

            There used to be a time when a manager did the hiring and supervision, but that's not in fashion at the moment. The other thing that isn't considered is sending managers off to take courses in managing an unseen workforce. It must be incredibly more difficult than sitting in a private office and having to manage from a seated position that many managers do.

        2. Phil Koenig Bronze badge

          Re: Identity

          ...you could just transfer those GB of data straight off a corporate network onto a pen drive...

          On the networks I have managed, I tend to disable or restrict all the desktop USB ports for that reason. It doesn't take a wily attacker from North Korea to do something stupid with a USB port, regular employees do it all the time. Not necessarily because they are trying to overtly attack the company, but just because they are ignorant, self-centered, etc.

          Same goes for staff trying to plug random things into the ethernet jacks.

          1. Giles C Silver badge

            Re: Identity

            Usb lockdown is standard policy where I work, because I need to move firmware images around I have an exception for that, but I only use it a few times a year.

            I think it is standard policy for most places.

            We also use Cisco ISE to prevent random stuff being plugged in.

            The question about using a virtual desktop, I had a contract where there wasn’t a choice you had to use a virtual desktop from your own machine, as they didn’t supply company machines. Which meant when the server fell over everyone stopped working for an hour. Or if someone ran some really heavy processing stuff the rest slowed down. That was a strange company to work for and I was glad to leave it.

    2. AVR Bronze badge

      Re: Identity

      From another case where the FBI got involved - there was a laptop farm in the US, and someone in the US to be the face for that farm. I have no doubt the ID documents were the best that forgers could provide.

  6. Anonymous Coward

    Biz hired, and fired, a fake North Korean IT worker

    What? They hired what they thought was a "North Korean IT worker" and it turned out they were actually a fake one?

    Were they really a South Korean instead? Were they not really an IT worker at all? :-)

    1. Yet Another Anonymous coward Silver badge

      Re: Biz hired, and fired, a fake North Korean IT worker

      It was a TEMU North Korean IT worker

      1. collinsl Silver badge

        Re: Biz hired, and fired, a fake North Korean IT worker

        > It was a TEMU North Korean IT worker

        I'm a massive fan of their crisco switches, very cheap.

  7. Grunchy Silver badge

    Incompetent management

    The company I used to work for was hit with a click bait virus, the virus got control of a workstation, the server was completely unregulated, the contents got scrambled over a weekend, AND the IT moron never heard of “backups.”

    They got burned for $50,000. Also, the descrambling key didn’t work on everything (so a lot of CAD files were left corrupted).

    But it was ok. Turns out the reason they had so much incompetence in management was because they were running their own “stolen intellectual property” scams. It’s hard to find competent staff that also has to be at least this much <======> unethical in order for your application to be considered.

    (I blew the whistle with the association of professional engineers, now they are subject to frequent audit. Methinks “out of business” is their next play…)

  8. Anonymous Coward

    Double-Deep-Fake-Identity......

    Link: https://theintercept.com/2024/10/17/pentagon-ai-deepfake-internet-users/

    Ha......It was a Pentagon double-deep-fake identity. Obvious really!!!

    NOTHING you see on the internet is real!!! Not even on El Reg!!!

    Get a grip!!!

    1. Anonymous Coward

      Re: Double-Deep-Fake-Identity......

      That's what the MMB want you to think!

      1. Anonymous Coward

        Re: Double-Deep-Fake-Identity......

        Pah, everyone knows the Milk Marketing Board is just the paramilitary front of the Potatoe Council

        1. The Organ Grinder's Monkey

          Re: Double-Deep-Fake-Identity......

          Upvote for the "new American spelling" of potato...

          1. Yet Another Anonymous coward Silver badge

            Re: Double-Deep-Fake-Identity......

            The Potato Council is an industry body promoting the growing and consumption of Potatos

            While the Potatoe Council is a secret shadowy organization run by evil genius supervillain Dan Quayle
