
North Korean hackers posed as venture capitalists and stole billions of dollars

  • November 29, 2024


Security researchers have uncovered a grand scheme to help North Korea replenish its budget. A venture investor, a recruiter from a large company, and a recently hired remote IT worker are all fake identities used by the regime’s government hackers, 24 Channels reported, citing TechCrunch.

At Cyberwarcon, the annual cyber threat conference in Washington, DC, security researchers presented their latest assessments of North Korea’s activities. They warned of constant attempts by the country’s hackers to pose as prospective employees seeking jobs at multinational companies. The real goal is to make money for the North Korean regime and to steal corporate secrets that contribute to its weapons program. Over the past decade, these fraudsters have made billions of dollars in cryptocurrency to fund the nuclear program, evading a number of international sanctions.

Microsoft security researcher James Elliott says North Korean IT experts have already infiltrated “hundreds” of organizations worldwide. They create fake credentials and rely on American middlemen who manage workstations and handle the money in order to evade the financial sanctions imposed on the country.

Researchers studying North Korea’s cyber capabilities see the growing threat as a mass of different hacking groups, each with their own tactics and methods. However, their common goal is to steal cryptocurrency. Since the country is already under sanctions, the regime takes little risk with hacking attacks.

  • A group of hackers that Microsoft calls “Ruby Sleet” compromised aerospace and defense companies in order to steal industrial secrets that could help further develop weapons and navigation systems.
  • On its blog, Microsoft also detailed information about “Sapphire Sleet,” another North Korean hacker group posing as recruiters and venture capitalists. They stole money from private individuals and companies.
    After contacting the victim, they arranged a virtual meeting, but it was set up so that the meeting software would fail to run properly. The fraudster then pushed the victim to download malware that would supposedly fix the problem.
    In another method, the scammer asks the victim to download and complete a skills assessment that actually contains malware. Once installed, the malware can gain access to other material on the computer, including cryptocurrency wallets. At least $10 million has been stolen through these means in the last six months.
  • But the most persistent and sophisticated campaign so far is the attempt by North Korean hackers to get hired at large companies under the guise of remote workers, taking advantage of the remote working boom that began during the Covid-19 pandemic. Microsoft has described North Korean IT workers as a “triple threat” for their ability to deceive their way into jobs at major companies and make money for the North Korean regime, as well as to steal company secrets and intellectual property and then extort money from victims by threatening to disclose the data.

Of the hundreds of companies that unwittingly hired a North Korean spy, only a few have publicly admitted to being victims. One of them is security company KnowBe4. Earlier this year, it said it had been tricked into hiring a North Korean employee, but once the company realized it had been tricked, it blocked the employee’s remote access and said no data was stolen.

How does this method work?

To carry out their plan, hackers create a series of accounts, such as a LinkedIn profile and a GitHub page, to establish a level of professional credibility. An IT worker can create fake identities using artificial intelligence, including using face and voice swapping technology.

After hiring, the company ships a new laptop to the employee’s U.S. home address, where an agent is assigned to create a “farm” of company-issued laptops. The middleman also installs remote access software on laptops, allowing North Korean spies on the other side of the world to remotely log into the system without revealing their real location.

Microsoft said these spies operate not only from North Korea, but also from Russia and China, two close allies of the regime, which makes it difficult to identify suspects in the networks.

How did Microsoft uncover this conspiracy?

Microsoft’s James Elliott said the company got lucky when it accidentally gained access to a storage area belonging to a North Korean IT worker. It contained a file of fake IDs and resumes used by North Korean IT workers for recruitment, as well as spreadsheets and documents detailing the entire hacking campaign, including the amount of money made in the operation. The storage area contains a “complete user manual” for hackers to steal personal data, Elliott said.

This was not the hackers’ only act of carelessness. Microsoft noted many mistakes they and their colleagues made. In particular, fake identities were not always carefully created. They also made mistakes while interacting with victims and many others, which raised suspicions.

In one case, investigators known as Hoi Myong and SttyK spoke with a suspected North Korean IT worker who claimed to be Japanese but made linguistic errors in his messages, such as using words or phrases not found in Japanese. There were other flaws in the IT worker’s identity; for example, he claimed to have a bank account in China but had an IP address indicating he was in Russia.

The FBI also recently warned that attackers often use AI-generated images or deepfakes, obtained from stolen identity data, to find a job in an IT company. In 2024, US prosecutors indicted several people who operated laptop farms that helped evade sanctions.

But researchers also suggest that companies need to do a better job of screening potential employees. “They’re not going anywhere. They’re going to be here for a long time,” Elliott said.

Source: 24 Tv
