Intro
In recent years, North Korea has become increasingly reliant on cyber operations as a critical instrument for generating income, and two recent cases illustrate the tactics employed by the regime. From the infiltration of IT roles in Western companies to the deployment of ransomware against critical infrastructure, North Korea’s cyber campaigns are expanding in both scope and impact.
The Case of Matthew Knoot
One example of North Korea's deceptive tactics is the recent arrest of Matthew Knoot, a 38-year-old man from Nashville, Tennessee.
Knoot was charged with facilitating a scheme that allowed North Korean IT workers to secure employment at American and British companies under stolen identities. By hosting company-issued laptops at his home, Knoot created a "laptop farm" that enabled North Korean operatives to log in remotely from China, masquerading as U.S. citizens. These workers were hired by companies in critical sectors such as media, technology, and finance.
Knoot also played a role in laundering the funds earned by these North Korean workers, funneling hundreds of thousands of dollars back to North Korea. These funds were (supposedly) used to finance North Korea's weapons programs. This case underscores the implications of cyber infiltration, as North Korean operatives use these positions not only to gather intelligence but also to generate revenue for the regime.
The arrest of Knoot is part of a broader U.S. effort to dismantle similar schemes. The U.S. government has launched initiatives to shutter these "laptop farms" and has imposed sanctions on entities employing North Korean IT workers. However, the challenge remains significant, as North Korean operatives continue to pose as foreign citizens to infiltrate companies, aiming to either generate funds or gain access to sensitive information.
APT45: From Espionage to Cybercrime
Similarly, APT45, a North Korean hacking group, has evolved from traditional cyber espionage to include financially motivated attacks. APT45 has been using fake IT workers to infiltrate companies, where they attempt to upload malware and carry out ransomware attacks. This shift from espionage to direct financial crime indicates a broader strategy by North Korea to bolster its economy through illicit cyber activities.
The infiltration by fake IT workers is part of a larger campaign where these operatives secure legitimate roles within organizations, only to exploit their access for malicious purposes. A recent case involved a North Korean IT worker who attempted to deploy malware within a U.S. company after gaining employment under a false identity.
Both cases outline North Korea's broader strategy to leverage cyber operations for generating income. By infiltrating IT roles in companies and deploying ransomware, North Korea seeks to fund state priorities. These operations are not isolated incidents but part of a calculated plan.
Sources & Additional Reading
https://thehackernews.com/2024/07/north-korean-hackers-shift-from-cyber.html
https://thehackernews.com/2024/08/doj-charges-nashville-man-for-helping.html
https://therecord.media/tennessee-man-charged-over-north-korea-it-worker-scheme
https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine