North Korean hackers stole billions in crypto to fund their nuclear weapon program: Here’s how they did it

At Cyberwarcon, security researchers said that North Korean hackers are forging fake identities to get access to corporate secrets and even fund the country's nuclear weapon program.

North Korean hackers are targeting IT firms by posing as potential candidates for organizations around the world. (Image Source: Microsoft Designer)

North Korean threat actors like Lazarus are notorious for using sophisticated methods to hack government websites and gain access to sensitive information stored on government servers. However, security researchers are now saying that hackers from the Hermit Kingdom have stolen billions of dollars in cryptocurrency through schemes in which they pose as hired remote IT workers, venture capitalists and recruiters from big companies.

According to a recent report by TechCrunch, security researchers at Cyberwarcon, an annual conference that focuses on disruptive threats in cyberspace, suggest that North Korean hackers have been posing as prospective employees who want to work at multinational corporations. Their main motive is to earn money for the North Korean government, all the while stealing corporate secrets to benefit the country’s nuclear weapon program.

In the last decade or so, researchers say, North Korean hackers have stolen billions of dollars in cryptocurrency. At Cyberwarcon, James Elliott, a security researcher working at Microsoft, said that North Korean IT workers have already infiltrated hundreds if not thousands of organisations around the world using fake identities. These workers rely on their US-based trainers to get access to workstations and to collect their earnings, bypassing the international sanctions put in place by countries around the world.

According to Microsoft, a group named Ruby Sleet has already infiltrated some aerospace and defence companies to fund North Korea’s nuclear weapon program and navigation system. In a blog post, the tech giant also said that a group named Sapphire Sleet disguised themselves as recruiters and venture capitalists and targeted unsuspecting victims by setting up virtual meetings.

North Korean hackers who impersonate venture capitalists pressurise their victims into downloading a malware-laced tool that is pitched as a fix for problems with the virtual meeting. Other threat actors who pose as recruiters ask unsuspecting candidates to download malware-laden skills assessments, infecting their systems with the aim of stealing cryptocurrency wallet credentials. Microsoft says these threat actors have taken in more than $10 million in around six months.

How do North Korean hackers lure IT companies into hiring them?

As it turns out, the typical North Korean IT worker campaign involves creating a bunch of online accounts on popular platforms like LinkedIn and GitHub, which lets the operators build some professional credibility. These threat actors are also actively using AI tools that let them alter their faces and voices.

When a company hires one of these remote IT workers, it ships the worker's laptop to an address in the United States owned or rented by a middleman whose main responsibility is to gather loads of company-issued laptops. These facilitators are also tasked with installing remote access software on each machine, which ultimately allows the North Korean threat actors to log in to the company system without having to disclose their real location.


These North Korea-based threat actors also use a bunch of tricks like verifying their false identities on LinkedIn using the very company email addresses they are hired for to make their profiles legitimate.
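The pattern described above (laptops shipped to a shared US address, remote access software installed right after onboarding, and, as the researchers later note, a sign-in location that contradicts the claimed one) lends itself to a simple onboarding review. The script below is an added example written for this article, not code from Microsoft or the researchers quoted; the HR, endpoint and sign-in records are constructed, and the field names and product names are assumptions rather than the schema of any real product.

```python
"""Flag new remote hires whose onboarding data matches the laptop-farm pattern."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed HR export for four new remote hires (field names are assumptions).
HIRES = [
    {"id": "H1", "claimed_country": "US", "resume_state": "CA",
     "ship_address": "12 Example Rd, Phoenix, AZ", "start": "2024-06-03"},
    {"id": "H2", "claimed_country": "US", "resume_state": "TX",
     "ship_address": "12 Example Rd, Phoenix, AZ", "start": "2024-06-10"},
    {"id": "H3", "claimed_country": "JP", "resume_state": "",
     "ship_address": "12 Example Rd, Phoenix, AZ", "start": "2024-06-17"},
    {"id": "H4", "claimed_country": "US", "resume_state": "WA",
     "ship_address": "9 Sample St, Seattle, WA", "start": "2024-06-24"},
]

# Constructed software-install events from an endpoint agent on each issued laptop.
INSTALL_EVENTS = [
    {"hire": "H1", "product": "RemoteControlTool-A", "when": "2024-06-04"},
    {"hire": "H2", "product": "RemoteControlTool-B", "when": "2024-06-11"},
    {"hire": "H4", "product": "OfficeSuite", "when": "2024-06-25"},
    {"hire": "H4", "product": "RemoteControlTool-A", "when": "2024-09-30"},
]

# Constructed identity-provider sign-ins, each geolocated to a source country.
SIGNIN_EVENTS = [
    {"hire": "H1", "country": "US"},
    {"hire": "H2", "country": "US"},
    {"hire": "H3", "country": "RU"},
    {"hire": "H3", "country": "RU"},
    {"hire": "H4", "country": "US"},
]

# Placeholder product names; a real deployment would list the tools it actually sees.
REMOTE_ACCESS_PRODUCTS = {"RemoteControlTool-A", "RemoteControlTool-B"}
# A remote-control tool appearing this soon after the start date is the signal.
ONBOARD_WINDOW = timedelta(days=14)


def state_of(address):
    """Return the two-letter state at the end of a 'street, city, ST' address."""
    return address.rsplit(",", 1)[-1].strip()


def score_hires(hires=HIRES, installs=INSTALL_EVENTS, signins=SIGNIN_EVENTS):
    """Return {hire_id: [flag, ...]} for every hire; an empty list means no finding."""
    flags = defaultdict(list)

    # 1. Laptop-farm indicators: one address receiving several laptops, or a
    #    shipping state that does not match the state on the resume.
    addr_count = Counter(h["ship_address"] for h in hires)
    for h in hires:
        if addr_count[h["ship_address"]] > 1:
            flags[h["id"]].append("shared_shipping_address")
        if (h["claimed_country"] == "US" and h["resume_state"]
                and state_of(h["ship_address"]) != h["resume_state"]):
            flags[h["id"]].append("ship_state_mismatch")

    # 2. Remote access software installed within the onboarding window.
    start = {h["id"]: datetime.strptime(h["start"], "%Y-%m-%d") for h in hires}
    for e in installs:
        if e["product"] in REMOTE_ACCESS_PRODUCTS:
            delta = datetime.strptime(e["when"], "%Y-%m-%d") - start[e["hire"]]
            if timedelta(0) <= delta <= ONBOARD_WINDOW:
                flags[e["hire"]].append("early_remote_access_install")

    # 3. Sign-in source country that contradicts the country the hire claimed.
    claimed = {h["id"]: h["claimed_country"] for h in hires}
    mismatched = defaultdict(set)
    for s in signins:
        if s["country"] != claimed[s["hire"]]:
            mismatched[s["hire"]].add(s["country"])
    for hire_id, countries in mismatched.items():
        flags[hire_id].append("signin_country_mismatch:" + ",".join(sorted(countries)))

    return {h["id"]: flags.get(h["id"], []) for h in hires}


if __name__ == "__main__":
    for hire_id, findings in score_hires().items():
        print(hire_id, findings or "clean")
```

Each flag on its own is weak (a genuine contractor may use a mail-forwarding address, and travel explains the odd foreign sign-in), which is why the function returns all findings per hire rather than a single verdict: H1 and H2 accumulate three indicators each and are the ones worth a manual identity check, while H4 stays clean because its remote-control install falls long after onboarding.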

How do security researchers know all this?

The Microsoft engineer James Elliott said that the tech giant once got access to a public repository belonging to one of the North Korea-based IT workers. It was full of spreadsheets and documents that helped the researchers decipher the campaign in detail.

These documents also contained a bunch of false identities and resumes the threat actors were using to get hired along with the amount of money they have made so far. Elliott went on to say that these repositories act as complete playbooks for identity theft.

Security researchers said they also spoke with a North Korean IT worker who posed as Japanese and noted that the person would make use of words or phrases that don’t exist in the language. The IT worker in question also claimed that they had a bank account in China, but their IP address revealed that they were from Russia.


In the last few years, the US government has already issued sanctions against North Korea-linked organisations. This year, several individuals who were either helping these threat actors or running laptop farms have also been arrested, but, according to researchers, the problem can only be fixed by better vetting potential candidates.
