North Korean Hackers: The Deceptive Tactics of NICKEL TAPESTRY
In an alarming revelation, cybersecurity firm Secureworks has unveiled a sophisticated scheme employed by North Korean hackers to infiltrate Western companies. These hackers, operating under the moniker NICKEL TAPESTRY, are posing as legitimate IT workers to steal sensitive data and extort ransom from their victims. This article delves into the tactics used by these cybercriminals, how they operate, and what organizations can do to protect themselves from this growing threat.
The Modus Operandi of NICKEL TAPESTRY
NICKEL TAPESTRY has developed a cunning strategy that involves creating fake identities to secure employment in reputable companies across the US, UK, and Australia. By applying for positions such as software developer, these hackers exploit weaknesses in hiring processes to gain access to corporate networks.
Laptop Farms and Identity Deception
One of the most notable tactics employed by NICKEL TAPESTRY is the use of “laptop farms.” These are essentially operations where stolen or falsified identities are used to apply for jobs. Once hired, these fake workers often request changes to delivery addresses for corporate laptops, rerouting them to their laptop farms. This allows them to set up remote access to company networks without raising suspicion.
Moreover, they frequently express a preference for using personal laptops and virtual desktop infrastructure (VDI) setups. This tactic, previously warned against by the FBI, enables them to operate without leaving a digital footprint, making it challenging for companies to trace their activities.
Financial Red Flags
NICKEL TAPESTRY members often exhibit suspicious financial behaviors that can serve as warning signs for employers. These include frequent changes to bank account information and the use of digital payment services that bypass traditional banking systems. Such behaviors can indicate an attempt to obscure their financial transactions and avoid detection.
Advanced Evasion Techniques
To further conceal their identities, these hackers employ a range of technical tactics. They utilize residential proxy addresses and VPNs to mask their actual IP addresses, making it difficult for companies to track their online activities. Additionally, they may use software like “Splitcam” during video calls to simulate video interactions, creating fake AI clones of themselves to avoid showing their real appearance.
The Extortion Element
Perhaps the most concerning aspect of NICKEL TAPESTRY’s operations is the extortion element. In one documented case, a fake worker gained access to a company’s network, exfiltrated sensitive data, and subsequently demanded a six-figure ransom for its return after being fired for poor performance. This shift towards ransom demands marks a significant evolution in their tactics, increasing the potential financial damage inflicted on organizations.
Secureworks’ Counter Threat Unit noted that while the extortion aspect is new, the preceding activities align with previous schemes involving North Korean operatives. The collaboration among these fake workers is particularly alarming; they may provide fake references for each other, perform job duties on one another’s behalf, and communicate via email while masquerading as different individuals.
A Long-Standing Threat
The tactics employed by NICKEL TAPESTRY are not new. Similar fraudulent schemes have been observed since 2018, with North Korean operatives securing positions at Fortune 100 companies and funneling stolen intellectual property back to their home country. This stolen data could potentially fund North Korea’s weapons programs, including those related to weapons of mass destruction.
In May 2022, the US government issued warnings to organizations about North Korean hackers posing as IT freelancers claiming to be non-DPRK nationals. More recently, in July 2024, another attempt was made to infiltrate a prominent U.S.-based cybersecurity company, KnowBe4, where a hacker posed as an IT worker and attempted to install malware on a company-issued device.
Protecting Your Organization
Given the sophisticated nature of these attacks, how can organizations safeguard themselves against this evolving threat? Secureworks recommends several protective measures:
- Thorough Background Checks: Conduct comprehensive background checks and verification of candidate identities. This should include scrutinizing their work history and references.
- Identify Red Flags: Be wary of candidates who apply for roles with exaggerated experience, particularly in technical positions like full-stack development, while demonstrating novice to intermediate English skills.
- Monitor Communication Patterns: Unusual communication hours, inconsistent communication styles, and excuses for not enabling cameras during interviews should trigger further investigation.
- Educate Employees: Regular training sessions on recognizing phishing attempts and other cyber threats can empower employees to identify potential scams before they escalate.
- Implement Security Protocols: Establish strict protocols for remote access to company networks, including multi-factor authentication and regular audits of access logs.
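As an added example (not from Secureworks or the original article), the following Python script correlates the red flags described above (a laptop delivery address changed shortly after hire, repeated payroll account changes, off-hours access, and access from residential proxy egress) across constructed onboarding and access records, so that a worker who trips several indicators at once is surfaced for HR and security review. The record format, event names, and business-hours window are assumptions.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample onboarding and access records (not real telemetry).
# Each record: (worker_id, event, ISO timestamp, detail). Event names are assumed.
RECORDS = [
    ("emp-1042", "hired", "2024-06-03T09:00:00", ""),
    ("emp-1042", "laptop_ship_address_changed", "2024-06-05T14:20:00", "new address"),
    ("emp-1042", "payroll_account_changed", "2024-06-20T10:00:00", "bank A"),
    ("emp-1042", "payroll_account_changed", "2024-07-08T10:00:00", "digital payment service"),
    ("emp-1042", "vpn_login", "2024-07-09T02:15:00", "residential_proxy"),
    ("emp-1042", "vpn_login", "2024-07-10T03:40:00", "residential_proxy"),
    ("emp-1042", "vpn_login", "2024-07-11T04:05:00", "residential_proxy"),
    ("emp-2077", "hired", "2024-06-03T09:00:00", ""),
    ("emp-2077", "vpn_login", "2024-07-09T09:10:00", "corporate_laptop"),
    ("emp-2077", "vpn_login", "2024-07-10T17:30:00", "corporate_laptop"),
]

BUSINESS_HOURS = range(7, 20)  # assumed local business window, 07:00-19:59

def score_worker(worker_id, records):
    """Return the set of NICKEL TAPESTRY-style indicators observed for one worker."""
    by_type = defaultdict(list)
    for wid, event, ts, detail in records:
        if wid == worker_id:
            by_type[event].append((datetime.fromisoformat(ts), detail))
    flags = set()
    hired = by_type["hired"][0][0] if by_type["hired"] else None
    # Corporate laptop rerouted within two weeks of hire (laptop farm pattern)
    if hired and any(timedelta(0) <= t - hired <= timedelta(days=14)
                     for t, _ in by_type["laptop_ship_address_changed"]):
        flags.add("laptop_rerouted_after_hire")
    # Two payroll account changes within 60 days of each other
    bank = sorted(t for t, _ in by_type["payroll_account_changed"])
    if any(b - a <= timedelta(days=60) for a, b in zip(bank, bank[1:])):
        flags.add("frequent_bank_changes")
    logins = by_type["vpn_login"]
    # Majority of remote logins fall outside the business-hours window
    if logins and sum(t.hour not in BUSINESS_HOURS for t, _ in logins) * 2 > len(logins):
        flags.add("off_hours_access")
    # Remote access arriving from residential proxy egress
    if any(d == "residential_proxy" for _, d in logins):
        flags.add("residential_proxy_egress")
    return flags

def triage(records, threshold=2):
    """Workers whose indicator count meets the threshold, for HR/security review."""
    scored = {w: score_worker(w, records) for w in {r[0] for r in records}}
    return {w: f for w, f in scored.items() if len(f) >= threshold}
```

The threshold deliberately requires more than one indicator, since any single flag (an off-hours login, one bank change) is common among legitimate remote staff.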
Conclusion
The tactics employed by North Korean hackers, particularly those associated with NICKEL TAPESTRY, represent a significant threat to organizations worldwide. By understanding their methods and implementing robust security measures, companies can better protect themselves from these deceptive tactics. As the landscape of cyber threats continues to evolve, vigilance and proactive measures will be key in safeguarding sensitive data and maintaining organizational integrity.