North Korean Cybercriminals Procure Cryptocurrency Funds Impersonating Venture Capitalists, Recruiters, and IT Professionals


A venture capitalist, a recruiter from a big company, and a newly hired remote IT worker might not seem to have much in common, but all have been caught as imposters secretly working for the North Korean regime, according to security researchers.

On Friday at Cyberwarcon, an annual conference in Washington, D.C., focused on disruptive threats in cyberspace, security researchers offered their most up-to-date assessment of the threat from North Korea. The researchers warned of a sustained attempt by the country’s hackers to pose as prospective employees seeking work at multinational corporations, with the aim of earning money for the North Korean regime and stealing corporate secrets that benefit its weapons program. These imposters have raked in billions of dollars in stolen cryptocurrency over the past decade to fund the country’s nuclear weapons program, dodging a raft of international sanctions.

Microsoft security researcher James Elliott said in a Cyberwarcon talk that North Korean IT workers have already infiltrated “hundreds” of organizations around the world by creating false identities, while relying on U.S.-based facilitators to handle their company-issued workstations and earnings to skirt the financial sanctions that apply to North Koreans.


Researchers investigating the country’s cyber capabilities see the rising threat from North Korea today as a nebulous mass of different hacking groups with varying tactics and techniques, but with the collective goal of cryptocurrency theft. The regime faces little risk for its hacks — the country is already beset by sanctions.

One group of North Korean hackers that Microsoft calls “Ruby Sleet” compromised aerospace and defense companies with the aim of stealing industry secrets that could help further develop its weapons and navigation systems.

Microsoft detailed in a blog post another group of North Korean hackers, which it calls “Sapphire Sleet,” who masqueraded as recruiters and as a venture capitalist in campaigns aimed at stealing cryptocurrency from individuals and companies. After contacting their target with a lure or initial outreach, the North Korean hackers would set up a virtual meeting, but the meeting was actually designed to load improperly.

In the fake-VC scenario, the imposter would then pressure the victim into downloading malware disguised as a tool to fix the broken virtual meeting. In the fake-recruiter campaign, the imposter would ask the prospective candidate to download and complete a skills assessment, which actually contained malware. Once installed, the malware can access other material on the computer, including cryptocurrency wallets. Microsoft said the hackers stole at least $10 million in cryptocurrency over a six-month period alone.

But by far the most persistent and difficult campaign to combat is the effort by North Korean hackers to get hired as remote workers at big companies, piggybacking off the remote-working boom that began during the COVID-19 pandemic.


Microsoft called out North Korea’s IT workers as a “triple threat” for their ability to deceptively gain employment with big companies and earn money for the North Korean regime, while also stealing company secrets and intellectual property, then extorting the companies with threats of revealing the information.

Of the hundreds of companies that have inadvertently hired a North Korean spy, only a handful of them have publicly come forward as victims. Security company KnowBe4 said earlier this year that it was tricked into hiring a North Korean employee, but the company blocked the worker’s remote access once it realized it had been duped, and it said no company data was taken.

### How North Korean IT workers dupe companies into hiring them

A typical North Korean IT worker campaign creates a series of online accounts, like a LinkedIn profile and GitHub page, to establish a level of professional credibility. The IT worker can generate false identities using AI, including using face-swapping and voice-changing technology.

Once hired, the company ships off the employee’s new laptop to a home address in the United States that, unbeknownst to the company, is run by a facilitator, who is tasked with setting up farms of company-issued laptops. The facilitator also installs remote access software on the laptops, allowing the North Korean spies on the other side of the world to remotely log in without revealing their true location.
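The laptop-farm pattern described above leaves two traces a defender can look for: several company-issued devices signing in from one residential source address, and remote-access software present on a device that the organisation never deployed. The following is an added example, not code from the article, from Microsoft, or from any product; the sign-in records, inventory, IP addresses, device names, the keyword watch-list and the approved-tool allow-list are all constructed assumptions for illustration.

```python
"""Triage two indicators of a company-laptop farm over constructed records.

Indicator 1: many distinct corporate devices signing in from one source IP.
Indicator 2: remote-access software on a device that is not on the allow-list.
A device showing both is ranked "high"; one indicator alone is "medium".
"""
from collections import defaultdict

# Constructed sign-in records: (user, device, source_ip). Not real data.
SIGNINS = [
    ("alice", "LT-0101", "203.0.113.10"),
    ("bob",   "LT-0102", "198.51.100.7"),
    ("cara",  "LT-0103", "203.0.113.10"),
    ("dan",   "LT-0104", "203.0.113.10"),
    ("eve",   "LT-0105", "203.0.113.10"),
    ("alice", "LT-0101", "203.0.113.10"),   # repeat sign-in, same device
]

# Constructed software inventory: device -> installed product names.
INVENTORY = {
    "LT-0101": ["corp-vpn-client", "office-suite"],
    "LT-0102": ["office-suite", "TeamViewer"],
    "LT-0103": ["AnyDesk", "office-suite"],
    "LT-0104": ["TightVNC Server", "office-suite"],
    "LT-0105": ["office-suite"],
}

# Assumed allow-list: remote tooling the organisation deploys itself.
APPROVED_REMOTE_TOOLS = {"corp-vpn-client"}
# Assumed watch-list of name fragments typical of remote-access products.
REMOTE_TOOL_KEYWORDS = ("anydesk", "teamviewer", "vnc", "remote")


def shared_ip_clusters(signins, min_devices=3):
    """Return {ip: sorted distinct devices} for every source IP from which at
    least `min_devices` different company devices have signed in."""
    devices_by_ip = defaultdict(set)
    for _user, device, ip in signins:
        devices_by_ip[ip].add(device)
    return {ip: sorted(devs) for ip, devs in devices_by_ip.items()
            if len(devs) >= min_devices}


def unapproved_remote_tools(inventory, approved=APPROVED_REMOTE_TOOLS,
                            keywords=REMOTE_TOOL_KEYWORDS):
    """Return {device: [tool names]} for installed software that matches the
    remote-access watch-list and is not on the approved allow-list."""
    flagged = {}
    for device, tools in inventory.items():
        hits = [t for t in tools
                if t not in approved and any(k in t.lower() for k in keywords)]
        if hits:
            flagged[device] = hits
    return flagged


def triage(signins, inventory, min_devices=3):
    """Combine both indicators into a per-device severity: 'high' when a device
    sits in a shared-IP cluster AND carries unapproved remote software,
    'medium' when only one of the two indicators applies."""
    clustered = {d for devs in shared_ip_clusters(signins, min_devices).values()
                 for d in devs}
    tooled = set(unapproved_remote_tools(inventory))
    return {device: "high" if device in clustered and device in tooled else "medium"
            for device in clustered | tooled}


if __name__ == "__main__":
    for device, severity in sorted(triage(SIGNINS, INVENTORY).items()):
        print(f"{device}: {severity}")
```

Requiring both signals before escalating keeps a single shared household address (a family on one connection, for instance) from being treated as a farm on its own, while a lone remote-access install still gets a lower-priority review.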

Microsoft said it’s also observed the country’s spies operating not only out of North Korea but also Russia and China, two close allies of the breakaway nation, making it more difficult for companies to identify suspected North Korean spies in their networks.

Microsoft’s Elliott said the company caught a lucky break when it came across an inadvertently public repository belonging to a North Korean IT worker, containing spreadsheets and documents that broke down the campaign in detail, including the dossiers of false identities and résumés that the North Korean IT workers were using to get hired and the amount of money made during the operation. Elliott described the repos as having the “entire playbooks” for the hackers to carry out identity theft.

### North Korean hackers’ sloppiness exposed by researchers


Researchers have uncovered instances of North Korean hackers using tactics that inadvertently revealed their true identities. For example, they would immediately verify false identities’ LinkedIn accounts upon receiving a company email address, in an attempt to bolster the accounts’ credibility. This carelessness, among other factors, contributed to the unraveling of their operations.

### Identifying suspected North Korean IT workers

Hoi Myong and researcher SttyK highlighted the haphazard construction of false identities used by suspected North Korean IT workers. By engaging with these individuals and pointing out inconsistencies in their cover stories, such as linguistic errors or conflicting location information, researchers were able to unmask their true intentions. These findings shed light on the importance of thorough vetting processes to prevent the infiltration of malicious actors within organizations.

### Challenges and recommendations for companies

Despite the efforts of law enforcement agencies to combat cyber threats associated with North Korean-linked organizations, the persistence of these actors underscores the ongoing challenges faced by companies in safeguarding their networks. The researchers emphasized the need for enhanced vetting procedures to detect and deter potential threats posed by individuals with deceptive intentions. As the threat landscape continues to evolve, organizations must remain vigilant in protecting their sensitive information from malicious actors.
