SecureWorks Corp.

10/16/2024 | News release | Archived content

Fraudulent North Korean IT Worker Schemes

Secureworks® Counter Threat Unit™ (CTU) researchers have observed patterns and evolutions in IT worker schemes linked to the North Korean government (officially the Democratic People's Republic of Korea (DPRK)). In these schemes, North Korean nationals use stolen or falsified identities to obtain employment with Western companies under false pretenses. This activity has been documented in the U.S., UK, and Australia. The Federal Bureau of Investigation, together with other international agencies, has also warned employers about this threat and the corresponding tradecraft, which ranges from hesitation or unwillingness to appear on camera, to a change of address upon hiring, and even to threats to release proprietary information if additional payments are not made.

Across numerous investigations, Secureworks incident responders identified technical and behavioral characteristics associated with these schemes. Multiple observed characteristics align with previous fraud schemes conducted by the NICKEL TAPESTRY threat group, which has historically relied on fraudulent workers to generate revenue for the North Korean regime. These funds reportedly contribute to weapons programs.

These activities build on a long-running set of employment-related campaigns first discovered in 2019. Operation Dream Job targeted employees of cryptocurrency firms, software developers, and entities in the defense sector. The NICKEL ACADEMY threat group has continued to operate campaigns classified under this label, using social engineering tactics to deceive unknowing victims with fake job details and offers. Over the years, they have refined their tactics and tailored lure content to build rapport with victims prior to delivering malware. For example, in February 2024, CTU researchers investigated an operation by North Korean threat actors that turned out to be part of a campaign tracked as Contagious Interview. The attackers set up elaborate fake interview processes that deliver malware to unsuspecting prospective freelance job candidates via software projects hosted on GitHub. The candidates are often software developers and/or associated with the cryptocurrency industry. The threat actors targeted freelance software developers on the online job marketplace Fiverr, posing as an employer and assigning job candidates a fake interview task that in fact contained malware. The interview tasks were hosted on several different GitHub repositories. The threat actors used social engineering to encourage targeted prospective job candidates to clone the repository and execute the contents, which included compromised npm packages with malicious JavaScript carrying the BeaverTail loader. At least one job candidate cloned the repository and executed malicious code on a company-issued laptop. Post-compromise activity revealed evidence suggesting that the threat actors are targeting candidates on multiple freelance job platforms.

As well as targeting candidates, North Korean threat actors also target employers. A Justice Department announcement in May 2024 detailed a multi-year IT worker fraud scheme carried out on behalf of the DPRK. North Korean IT workers used stolen identities to gain employment in the U.S., Australia, and other countries to illicitly generate revenue for the DPRK despite sanctions. The scheme generated at least $6.8 million USD of revenue for the DPRK in evasion of U.S. sanctions. As part of the investigation, law enforcement shuttered multiple "laptop farms" that hosted systems the workers could access remotely to make it appear that they were working from a U.S. location. These employment-related schemes are primarily intended to generate revenue for North Korea, either via cryptocurrency theft or via salaries, but theft of intellectual property for intelligence-gathering purposes is potentially a secondary, tangential goal. This is an active campaign that will likely continue into 2025.

CTU researchers recommend that organizations thoroughly verify candidates' identities by checking documentation for consistency, including name, nationality, contact details, and work history. Conducting in-person or video interviews and monitoring for suspicious activity (e.g., long speaking breaks) during video calls can reveal potential fraud. Organizations should be wary of candidates' requests to change their address during the onboarding process and to route paychecks to money transfer services. IT staff should restrict the use of unauthorized remote access tools and limit access to non-essential systems.