Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Two cases crossed the wire this week. Worth reading them together.
A data analyst with legitimate access to his employer’s systems used that access to steal company data and threaten to release it unless he was paid $2.5 million. Separately, three Americans – including an active-duty Army soldier – were sentenced for running laptop farms that helped North Korean operatives pose as US-based IT workers, collecting salaries and routing the proceeds back to DPRK weapons programs.
Different perpetrators. Different levels of sophistication. Same root vulnerability.
The North Carolina man convicted of extorting Brightly Software (a facilities management company later acquired by Siemens) didn’t need a zero-day. He had data access because his job required it, and he used it to take data he shouldn’t have taken, then threatened to release it.
That’s the whole story, structurally.
Brightly doesn’t manage state secrets. But the value of data in an extortion scheme doesn’t need to be intrinsic – it just needs to make an organization believe exposure costs more than payment. Data analyst contractors often have broad read access across systems, lighter vetting as consultants, and thinner offboarding oversight. They’re rarely the first person scrutinized when something goes wrong.
The laptop farm operation is almost too absurd. Travis, an active-duty Army soldier, received $51,000 for hosting laptops at home and taking drug tests on behalf of North Korean workers. Sentenced to a year in prison, ordered to forfeit nearly $193,000. His co-conspirators made $3,500 to $4,500 each and face forfeitures that dwarf those numbers.
The scheme generated $1.28 million in salary payments from US companies that thought they were employing domestic IT workers. Someone with legitimate developer access to a US company’s codebase, operating under North Korean state direction, isn’t just a financial risk. It’s an insider threat with intelligence collection and potential sabotage dimensions.
As the US Attorney put it: “These men practically gave the keys to the online kingdom to likely North Korean overseas technology workers.”
One is opportunistic insider greed. The other is a nation-state revenue and intelligence operation requiring domestic accomplices. They’re not the same thing.
But they share a structural failure: insufficient oversight of people who had been granted legitimate access. Brightly’s contractor had access without adequate monitoring. The US companies hiring “remote workers” didn’t verify who they were actually hiring or monitor what those workers were doing inside their systems.
The access itself was the attack surface.
Contractors and remote workers with broad access should have that access scoped as narrowly as the job requires. Access reviews at offboarding – not just onboarding – are not optional. The DPRK IT worker problem has been publicly documented since at least 2022, with specific hiring verification guidance from CISA and FBI. Companies that haven’t reviewed their remote hiring practices against that guidance have work to do.
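One way to run the access review this paragraph calls for, as an added example that is not code from the original post: it takes constructed contractor and remote-worker entitlement records and flags access beyond the role's baseline, accounts still active past their engagement end date, and remote identities that were never verified. The role baseline, the record fields and the sample accounts are all assumptions.

```python
"""Access-review helper for contractor and remote-worker accounts.

Added example; the role baseline and account records are constructed
sample data, not an export from any real system."""
from datetime import date

# Constructed: the systems each role legitimately needs (least-privilege baseline).
ROLE_SCOPE = {
    "data_analyst": {"analytics_db"},
    "remote_dev": {"source_repo", "ci"},
}

# Constructed entitlement records, shaped like a joined HR/IAM export.
ACCOUNTS = [
    {"user": "c-analyst1", "role": "data_analyst", "type": "contractor",
     "systems": {"analytics_db", "customer_db", "finance_share"},
     "end_date": date(2025, 6, 30), "last_login": date(2025, 7, 14)},
    {"user": "r-dev7", "role": "remote_dev", "type": "remote",
     "systems": {"source_repo", "ci"}, "end_date": None,
     "last_login": date(2025, 7, 10), "identity_verified": False},
    {"user": "e-dev2", "role": "remote_dev", "type": "employee",
     "systems": {"source_repo", "ci"}, "end_date": None,
     "last_login": date(2025, 7, 12), "identity_verified": True},
]


def review(accounts, today, role_scope=ROLE_SCOPE):
    """Return {user: [findings]} for every account that needs attention."""
    findings = {}
    for acct in accounts:
        issues = []
        # Access wider than the role baseline (the Brightly-style exposure).
        extra = acct["systems"] - role_scope.get(acct["role"], set())
        if extra:
            issues.append(f"over-scoped: {sorted(extra)}")
        # Offboarding check: engagement ended but the account is still live.
        end = acct.get("end_date")
        if end and end < today:
            issues.append(f"engagement ended {end}, account still active")
            if acct["last_login"] > end:
                issues.append("login after end date")
        # Hiring-verification check for non-employee accounts.
        if acct["type"] in ("contractor", "remote") and not acct.get("identity_verified"):
            issues.append("identity not verified")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review(ACCOUNTS, date(2025, 7, 15)).items():
        print(user, "->", "; ".join(issues))
```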
Neither case required exotic attacks. Both required organizations to stop treating “they have legitimate access” as the end of the risk conversation.