North Korean hackers stole billions of dollars in cryptocurrencies by posing as venture capitalists, employees, and IT workers.


A venture capitalist, a recruiter from a large company, and a newly hired remote IT worker may not seem to have much in common, but they were all caught as fraudsters secretly working for the North Korean regime, according to security researchers.

On Friday at Cyberwarcon, an annual conference in Washington, D.C. that focuses on disruptive threats in cyberspace, security researchers presented their latest assessment of the threat from North Korea. Researchers have warned of an ongoing attempt by the country’s hackers to pose as potential employees seeking work at multinational companies, with the aim of making money for the North Korean regime and stealing corporate secrets that benefit its weapons program. These fraudsters have amassed billions of dollars in stolen cryptocurrencies over the past decade to fund the country’s nuclear weapons program, evading a raft of international sanctions.

North Korean IT workers have already infiltrated “hundreds” of organizations around the world by creating fake identities, while relying on facilitators based in the United States to handle the company-issued workstations and the earnings, so as to evade the financial sanctions that apply to North Koreans, said James Elliott, a security researcher at Microsoft, in a talk at Cyberwarcon.

Researchers investigating the country’s cyber capabilities see the threat from North Korea today as a shadowy mass of distinct hacking groups with different tactics and techniques, but with the collective goal of stealing cryptocurrency. The regime faces little downside from being caught hacking, since the country is already under heavy sanctions.

One group of North Korean hackers that Microsoft calls “Ruby Sleet” targeted aerospace and defense companies with the aim of stealing industry secrets that could help develop the regime’s weapons and navigation systems.

In a blog post, Microsoft detailed another group of North Korean hackers, dubbed “Sapphire Sleet,” which posed as recruiters and venture capitalists in campaigns aimed at stealing cryptocurrency from individuals and companies. After making contact with a target through a lure or initial outreach, the hackers set up a virtual meeting that is in fact designed to fail to load properly.

In the fake VC scenario, the scammer then pressures the victim to download malware disguised as a tool to fix the broken virtual meeting. In a fake recruiter campaign, the scammer asks the potential candidate to download and complete a skills assessment, which actually contains malware. Once installed, the malware can access other items on the computer, including cryptocurrency wallets. Microsoft said hackers stole at least $10 million in cryptocurrencies over a period of just six months.

But the most persistent campaign, and the hardest to combat, is the effort by North Korean operatives to get themselves hired as remote workers at major companies, taking advantage of the remote work boom that began during the Covid-19 pandemic.

Microsoft has described North Korean IT workers as a “triple threat” for their ability to deceptively obtain jobs with major corporations and earn money for the North Korean regime, steal company secrets and intellectual property, and then extort the companies by threatening to disclose that information.

Of the hundreds of companies that unwittingly hired a North Korean spy, only a few have come forward publicly as victims. Security company KnowBe4 said earlier this year that it had been tricked into hiring a North Korean employee, but the company cut off the worker’s remote access once it realized it had been deceived, and said no company data was taken.

How North Korean IT workers trick companies into hiring them

In a typical campaign, a North Korean IT worker creates a series of online accounts, such as a LinkedIn profile and a GitHub page, to establish a level of professional credibility. The worker can build these fake identities using artificial intelligence, including face-swapping and voice-altering technology.

Once the worker is hired, the company ships the new employee’s laptop to a home address in the United States which, unbeknownst to the company, is run by a facilitator tasked with building farms of company-issued laptops. The facilitator also installs remote access software on the laptops, allowing the North Korean operatives on the other side of the world to log in remotely without revealing their true location.

Microsoft said it has also observed that the country’s operatives work not only from North Korea but also from Russia and China, close allies of the regime, making it difficult for companies to identify suspected North Korean spies in their networks.

Microsoft’s Elliott said the company had a lucky break when it inadvertently gained access to a public repository belonging to a North Korean IT worker. It contained spreadsheets and documents detailing the campaign, including files on the fake identities and resumes the North Korean IT workers used to get hired and the amount of money made in the process. Elliott described the repository as the “entire playbook” for how the hackers pull off the identity fraud.

North Koreans also use tricks that can give them away, such as instantly verifying the LinkedIn accounts of their fake identities as soon as they obtain a company email address, in order to lend the accounts a greater appearance of legitimacy.

This was not the only example provided by researchers of hackers’ negligence that helped expose the true nature of their operations.

Hoi Myong and a researcher who goes by the handle SttyK said they identified suspected North Korean IT workers in part by contacting them to uncover holes in their fake identities, which are not always carefully constructed.

Speaking at Cyberwarcon, Myong and SttyK said they spoke with a suspected North Korean IT worker who claimed to be Japanese but made linguistic errors in their messages, such as using words or phrases that do not exist in Japanese. The IT worker’s identity had other flaws, such as claiming to have a bank account in China while having an IP address that placed the individual in Russia.
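As an added, defender-side illustration of the consistency checks the researchers describe (a declared country that disagrees with where a worker's logins originate, a professional profile verified immediately after the company mailbox is issued, and remote-access software turning up on a company-issued laptop, as in the laptop-farm setup above), here is a small Python triage script. It is not from the article, from Microsoft or from the researchers; the record layout, the 24-hour "instant" threshold, the IP-to-country table, the remote-access tool list and the sample hire records are all constructed assumptions for the example.

```python
"""Triage new remote hires against identity-consistency indicators.

Added example. The indicators come from the article; the record layout,
thresholds, IP-to-country table, tool list and sample records are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import ipaddress

# Constructed stand-in for a geo-IP lookup. A real deployment would query a
# geolocation service; these are documentation ranges, not real allocations.
GEOIP_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "RU",
    ipaddress.ip_network("192.0.2.0/24"): "JP",
}

# Constructed list of remote-access products; an organisation would substitute
# its own list of software not approved for company-issued laptops.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer", "rustdesk", "chrome remote desktop"}

# Profile verification this soon after mailbox creation counts as "instant".
# The 24-hour figure is an assumption, not a number from the article.
INSTANT_VERIFY_WINDOW = timedelta(hours=24)


@dataclass
class HireRecord:
    name: str
    claimed_country: str                 # residence / bank-account country on the application
    login_ips: List[str]                 # source IPs of the first logins to company systems
    mailbox_created: datetime            # when the company email address was provisioned
    profile_verified: Optional[datetime]  # when the public profile was verified with that address
    laptop_software: List[str] = field(default_factory=list)  # inventory from the issued laptop


def ip_country(ip: str) -> Optional[str]:
    """Map an IP to a country code via the constructed table (None if unknown)."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP_TABLE.items():
        if addr in net:
            return country
    return None


def score_hire(rec: HireRecord) -> List[str]:
    """Return the names of the indicators that fire for one hire record."""
    flags: List[str] = []

    # Indicator 1: declared country disagrees with every login location.
    login_countries = {ip_country(ip) for ip in rec.login_ips} - {None}
    if login_countries and rec.claimed_country not in login_countries:
        flags.append(f"geo_mismatch:{rec.claimed_country}->{sorted(login_countries)}")

    # Indicator 2: public profile verified almost as soon as the mailbox existed.
    if rec.profile_verified is not None:
        delta = rec.profile_verified - rec.mailbox_created
        if timedelta(0) <= delta <= INSTANT_VERIFY_WINDOW:
            flags.append("instant_profile_verification")

    # Indicator 3: remote-access tooling present on the company-issued laptop.
    found = sorted(s for s in rec.laptop_software if s.lower() in REMOTE_ACCESS_TOOLS)
    if found:
        flags.append("remote_access_tool:" + ",".join(found))

    return flags


def triage(records: List[HireRecord], min_flags: int = 2) -> Dict[str, List[str]]:
    """Return {name: flags} for every record with at least `min_flags` indicators."""
    hits: Dict[str, List[str]] = {}
    for rec in records:
        flags = score_hire(rec)
        if len(flags) >= min_flags:
            hits[rec.name] = flags
    return hits


# Constructed sample records: A is inconsistent on all three counts, B is clean.
SAMPLE_RECORDS = [
    HireRecord(
        name="candidate-A",
        claimed_country="JP",
        login_ips=["203.0.113.17", "203.0.113.42"],      # table maps these to RU
        mailbox_created=datetime(2024, 11, 1, 9, 0),
        profile_verified=datetime(2024, 11, 1, 11, 30),   # 2.5 hours after mailbox
        laptop_software=["Slack", "AnyDesk", "Zoom"],
    ),
    HireRecord(
        name="candidate-B",
        claimed_country="US",
        login_ips=["198.51.100.5"],
        mailbox_created=datetime(2024, 11, 1, 9, 0),
        profile_verified=datetime(2024, 12, 3, 10, 0),
        laptop_software=["Slack", "Zoom"],
    ),
]

if __name__ == "__main__":
    for name, flags in triage(SAMPLE_RECORDS).items():
        print(name, "->", flags)
```

No single indicator is conclusive on its own (a genuine employee may travel, or verify a profile promptly), which is why `triage` only surfaces records where several indicators coincide; the threshold is a starting point for a human review, not an automated verdict.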

The US government has already imposed sanctions on North Korea-linked organizations in recent years in response to the IT worker scheme. The FBI has also warned that malicious actors use artificial intelligence-generated images, or “deepfakes,” frequently built from stolen identities, to obtain tech jobs. In 2024, US prosecutors brought charges against several individuals accused of running laptop farms that facilitated sanctions evasion.

But the researchers also urged companies to better screen their potential employees.

“They’re not going away,” Elliott said. “They’ll be here for a long time.”

Image: the Cyberwarcon logo displayed on a wall at the cybersecurity conference in Washington, DC. Image credits: TechCrunch
