Where: North Korea, International Targets (primarily US Tech firms)
Who’s involved: Hackers affiliated with the DPRK, Various US contractors and private companies, law enforcement bodies
Recent reports by the US Government show an increase in North Korean hackers impersonating candidates for IT roles across various industries, posing as IT professionals based in English-speaking regions.
The impersonation also runs the other way, with fake job opportunities being posted to various job search sites.
Assistance from AI language models, such as ChatGPT, makes these attacks increasingly effective.
Throughout the summer of 2023, North Korean threat actors were discovered to be targeting foreign software developers via deceptive postings on GitHub.
29/09/2023 Researchers at the cybersecurity firm ESET released a report linking a 2022 data breach at Spanish aerospace companies to social engineering attacks by a North Korean hacker posing as a recruiter for Facebook's parent company, Meta. The spear phishing messages were distributed via LinkedIn.
17/10/2023 The US Department of Justice broke up what it called a ‘massive operation’ involving North Korean operatives fronting as seventeen different “legitimate” IT and recruitment firms.
18/10/2023 Microsoft Threat Intelligence released a report on how North Korean infiltrators have managed to install backdoors and other malware throughout JetBrains' TeamCity service network.
18/10/2023 The US Federal Bureau of Investigation released a report on the danger these DPRK operations present, and expanded its guidelines for organizations on handling potential intrusions.
The goals of these operations are varied: some are intended to generate revenue, through wages, for North Korea's missile program, while others are used for espionage and theft of intellectual property.
Infiltration of the JetBrains TeamCity services potentially gave access to an unknown number of software development projects of some of the world’s largest corporations. JetBrains claims a user base of nearly 16 million, in 90 of the top 100 richest global firms.
Many of the falsified resumes are assembled from publicly available information on LinkedIn and similar platforms. It's believed that some of the LinkedIn-based attacks come from real accounts that were, themselves, hacked by DPRK operatives.
These tactics coincide with a well-established history of high-level DPRK operators, particularly the Lazarus Group APT, which the US government claims is sponsored directly by the North Korean state.
The lack of international accountability for North Korean threat actors empowers them to conduct not only espionage but outright cybercrime. It's for this reason that DPRK operators are unusual among state actors in their organized crime efforts. Lazarus Group has been able to steal billions of dollars that allegedly go towards the country's missile development program and nuclear research.
North Korean hackers continue to pose a significant threat to organizations globally by exploiting the trust placed in professional networking platforms. These threat actors use a complex web of proxy servers and VPNs, anonymizing systems for money transfers, cryptocurrency exchanges, and AI assistance to avoid detection until the damage has already been done. As long as these operators continue to receive protection from the DPRK government, they cannot be prevented. The most effective way to combat this threat is through a bottom-up approach: IT candidates on job search sites, freelance software developers, and entrepreneurs in the tech space are urged to follow guidelines against social engineering and to remain aware of the issue.