In its lust for stealing cryptocurrency and sensitive information, North Korean hackers are disguising themselves as remote IT workers, recruiters, and even venture capitalists.
The increasingly sophisticated tactics being used by North Korea’s hackers was the topic at last month’s Cyberwarcon conference in Washington DC, where researchers described how billions of dollars in stolen cryptocurrency have helped sanction-hit Pyongyang fund its nuclear ambitions.
James Elliott, a member of the Microsoft Threat Intelligence Center (MSTIC), described how North Korean IT workers had gained employment at hundreds of unsuspecting companies around the world.
Using convincing false identities, complete with bogus LinkedIn profiles and GitHub accounts, AI-generated images, and voice-changing software, the bogus workers have succeeded in gaining remote employment in well-paid jobs.
Relying upon US-based go-betweens to receive company-issued laptops and launder their earnings, the “employee” gains remote access allowing them to work from within North Korea or its allies in China and Russia.
A North Korean who manages to get hired by a company which doesn’t realise they have employed a worker based in the sanctioned country clearly generates some income.
But there are even larger rewards for North Korea if it helps them steal money or cryptocurrency from the unwitting organisations, or if the “employee” succeeds in stealing intellectual property or information related to weapons systems and other data that could be valuable to the totalitarian state.
But IT expert isn’t the only disguise worn by the hackers.
Microsoft’s research highlights a threat group called “Sapphire Sleet” (also known as BlueNoroff, CageyChameleon, and CryptoCore) which has targeted organisations working in the cryptocurrency sector.
As the company describes, the members of Sapphire Sleet have impersonated venture capitalists or recruiters.
Feigning interest in investing in a company or dangling an enticing job offer, the Sapphire Sleet hackers arrange a virtual meeting with a targeted employee at the firm. But when the user attempts to connect to the video call, they are greeted by an error message and told to contact support for assistance.
After being contacted, the threat actor sends a “fix” to resolve the issue – which causes malware to be downloaded onto the targeted user’s computer and hunts for cryptocurrency wallets and other credentials.
The US government’s prosecution of individuals involved in such schemes and the imposition of sanctions has not prevented the threat from persisting. Companies are being urged to enhance their processes to ensure that remote workers are more thoroughly vetted.