A venture capitalist, a recruiter at a large company, and a newly hired remote IT worker may not seem to have much in common, but they all belong to North Korea, according to security researchers. He was reportedly arrested as a fraudster secretly working for the government.
On Friday, security researchers presented their latest assessment of the North Korean threat at Cyberwarcon, an annual conference in Washington, DC focused on disruptive threats in cyberspace. Researchers say North Korea's hackers continue to masquerade as prospective job seekers at multinational companies in order to make money for the North Korean regime and steal trade secrets favorable to its weapons program. warned about. These fraudsters have raked in billions of dollars in stolen cryptocurrencies over the past decade to fund the country's nuclear weapons program while circumventing numerous international sanctions.
Microsoft security researcher James Elliott said in a speech at Cyberwarcon that North Korean IT officials have already created false identities to infiltrate “hundreds” of organizations around the world, while said it relies on a U.S.-based intermediary for processing and income to avoid company-issued workstations. Financial sanctions applied to North Korean nationals.
Researchers studying the country's cyber capabilities believe that today's growing threat from North Korea is a nebulous constellation of different hacking groups with different tactics and techniques. , whose collective goal is to steal cryptocurrencies. The regime faces little risk of hacking. The country is already under sanctions.
One group of North Korean hackers, which Microsoft calls Ruby Sleet, has infiltrated aerospace and defense companies with the goal of stealing industry secrets that could help further develop weapons and navigation systems.
In a blog post, Microsoft details another group of North Korean hackers it calls the “Sapphire Three,” who are targeting recruiters and startups in campaigns aimed at stealing cryptocurrencies from individuals and businesses. He was pretending to be a capitalist. After making contact with a target through a decoy or initial contact, North Korean hackers set up a virtual meeting that was actually designed to load improperly.
In a fake VC scenario, scammers pressure victims into downloading malware disguised as a tool to repair interrupted virtual meetings. In a fake recruitment campaign, scammers ask candidates to download and fill out a skills assessment, which actually contained malware. Once installed, the malware can gain access to other materials on your computer, such as your cryptocurrency wallet. Microsoft announced that hackers have stolen at least $10 million in cryptocurrencies in the last six months alone.
But the most persistent and difficult-to-counter campaign so far has been a campaign by North Korean hackers trying to capitalize on the remote work boom that began during the coronavirus pandemic and seek to hire remote workers at large companies. This is an initiative.
Microsoft claims that North Korean IT workers have the ability to deceive and get hired by large companies and make money for the North Korean regime, while at the same time stealing trade secrets and intellectual property; He called the ability to blackmail someone by threatening to expose them a “triple threat.” information.
Of the hundreds of companies that inadvertently hired North Korean spies, only a handful have come forward publicly as victims. Security firm KnowBe4 announced earlier this year that North Korean employees had been tricked into hiring the company, but the company blocked remote access for employees who realized they had been tricked and said no internal data was stolen. .
How North Korean IT workers trick companies into hiring them
A typical North Korean IT worker campaign involves creating a series of online accounts, such as a LinkedIn profile or GitHub page, to establish a level of professional credibility. IT workers could use AI to generate fake identities, including face-swapping and voice-altering technologies.
Once hired, the company ships the employee's new laptop to their home address in the United States. This address, unknown to the company, is operated by a facilitator tasked with setting up a farm of company-issued laptops. The intermediary also installs remote access software on the laptop, allowing North Korean spies on the other side of the world to log in remotely without revealing their true location.
Microsoft has also observed that the country's spies operate not only from North Korea, but also from Russia and China, close allies of the breakaway state, and that companies are tracking suspected North Korean spies within their networks. He said it is becoming more difficult to identify.
Microsoft's Elliott said the company got lucky when it mistakenly received a public repository that belonged to a North Korean IT employee. It said it contained spreadsheets and documents detailing the campaign, including false identification documents and resumes belonging to North Korean IT workers. It was used for employment and money earned during surgery. Elliott explained that the repository contains a “complete playbook” for hackers to carry out identity theft.
North Korea may also verify the fake ID's LinkedIn account as soon as it obtains the company's email address, in order to further strengthen the perception of the account's legitimacy. would use a certain trick.
This wasn't the only example in which researchers cited hackers' sloppy behavior as helping to uncover the true nature of their activities.
Hoi Myong, a researcher who goes by the handle SttyK, identified suspected North Korean IT officials by contacting them and uncovering holes in their false identities. He said he did.
During their talk at Cyberwarcon, Myung and SttyK spoke with a suspect, a North Korean IT worker who claimed to be Japanese, but in a message that included words that did not originally exist in Japanese. He said he was making linguistic mistakes, including using phrases such as The IT employee's identity had other flaws, including claiming to have a bank account in China but with an IP address that identified him in Russia.
The US government has already imposed sanctions on North Korean-affiliated organizations in recent years in response to the IT Worker Program. The FBI also warns that malicious actors are frequently using AI-generated images, or “deepfakes” sourced from stolen personal information, to land technology jobs. did. In 2024, U.S. prosecutors indicted multiple individuals for operating laptop farms that facilitated sanctions evasion.
But companies need to do more to vet potential employees, the researchers argued.
“They're not going away,” Elliott said. “They'll be here for a long time.”
A photo of the Cyberwarcon logo projected on a wall at a cybersecurity conference in Washington, DC. Image credit: TechCrunch
Source link