
North Korea Deploying Fake IT Workers in China, Russia, Other Countries

The North Korean fake IT workers have infiltrated businesses in China, Russia, and other countries aside from the US.

The North Korean fake IT worker scheme is spread globally, with businesses in China, Russia, and other countries also affected, Microsoft says.

Recent reports have shown that hundreds of companies in the US, UK, and Australia have hired fake IT workers from North Korea, who generated millions in revenue for the Pyongyang regime between 2020 and 2023.

In addition to generating funds that fuel North Korea’s weapons program, the fake IT workers may also steal data from the hiring companies and extort them, Microsoft said in a presentation at the CYBERWARCON conference last week.

North Korea is evading “sanctions and other financial barriers by the United States and multiple other countries through the deployment of North Korean IT workers in Russia, China, and other countries,” the tech giant says.

Thousands of such workers have been dispatched abroad, with help from third parties who could create or rent bank accounts to them, purchase mobile phones and SIM cards on their behalf, and create accounts on social media sites and job portals to help them contact recruiters.

There are hundreds of fake profiles and portfolios for North Korean IT workers on GitHub, and last month Microsoft found a public repository containing resumes and email accounts, VPS and VPN accounts, playbooks, images of involved individuals, wallet information, online accounts (LinkedIn, GitHub, Upwork, TeamViewer, Telegram, and Skype), and a tracking sheet.

To facilitate landing jobs, the North Korean fake IT workers steal people’s identities and then use AI tools to add their own photos to the documents stolen from their victims, including the resumes and profiles submitted with job applications. They are also experimenting with voice-changing software.

“While we do not see threat actors using combined AI voice and video products as a tactic, we do recognize that if actors were to combine these technologies, it’s possible that future campaigns may involve IT workers using these programs to attempt to trick interviewers into thinking they are not communicating with a North Korean IT worker,” Microsoft notes.


Other North Korean threat actors are relying on cryptocurrency theft to generate revenue for the regime. Overall, these hacking groups have stolen billions of dollars in cryptocurrency.

One of them, tracked as Sapphire Sleet and active since at least 2020, has been posing as a venture capitalist or a recruiter, relying on various tactics to convince the intended victims to download malware or expose their credentials, leading to device takeover and virtual asset theft.

Additionally, Microsoft has observed a threat actor tracked as Ruby Sleet conducting phishing campaigns against satellite and defense organizations to deploy backdoors and steal sensitive information.

“Ruby Sleet has targeted and successfully compromised aerospace and defense-related organizations. Stealing aerospace and defense-related technology may be used by North Korea to increase its understanding of missiles, drones, and other related technologies,” Microsoft notes.

In another presentation at CYBERWARCON, Microsoft detailed the activities of Storm-2077, a China-linked state-sponsored threat actor targeting government and non-government organizations in the US and abroad, including aviation, Defense Industrial Base (DIB), financial, legal services, and telecommunications entities.

Active since the beginning of the year and also tracked as TAG-100, the threat actor relies on phishing and the exploitation of edge devices for initial access, harvests sensitive information from emails, and steals account credentials for further access.

“We’ve also observed Storm-2077 successfully exfiltrate emails by stealing credentials to access legitimate cloud applications such as eDiscovery applications. In other cases, Storm-2077 has been observed gaining access to cloud environments by harvesting credentials from compromised endpoints. Once administrative access was gained, Storm-2077 created their own application with mail read rights,” Microsoft notes.
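The pattern Microsoft describes above, an application registered and then granted mail read rights, leaves a trail in directory audit logs. The following is an added detection example, not code from Microsoft or the original article; the event records are constructed here and their field names are this example's own, loosely modelled on Entra ID audit activity names rather than a real export schema.

```python
"""Flag newly registered apps that were quickly granted mail-reading permissions."""
from datetime import datetime, timedelta

# Microsoft Graph permission names that allow reading mailboxes (real names,
# not an exhaustive list).
MAIL_READ_PERMS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All", "Mail.Read.Shared"}

# Constructed sample events for this example; activity names follow Entra ID
# audit conventions, but the record layout is invented for the demonstration.
SAMPLE_EVENTS = [
    {"time": "2024-11-18T09:12:00", "actor": "admin@example.test",
     "activity": "Add application", "app": "Contoso Ticketing", "perms": []},
    {"time": "2024-11-18T09:14:00", "actor": "admin@example.test",
     "activity": "Add app role assignment to service principal",
     "app": "Contoso Ticketing", "perms": ["User.Read.All"]},
    {"time": "2024-11-20T02:31:00", "actor": "svc-helpdesk@example.test",
     "activity": "Add application", "app": "Sync Helper", "perms": []},
    {"time": "2024-11-20T02:33:00", "actor": "svc-helpdesk@example.test",
     "activity": "Add app role assignment to service principal",
     "app": "Sync Helper", "perms": ["Mail.Read"]},
]


def find_suspicious_mail_apps(events, window=timedelta(hours=24)):
    """Return (app, actor, mail_perms) for every app that received a
    mail-reading application permission within `window` of being registered."""
    created = {}
    for e in events:
        if e["activity"] == "Add application":
            created[e["app"]] = datetime.fromisoformat(e["time"])

    hits = []
    for e in events:
        if e["activity"] != "Add app role assignment to service principal":
            continue
        mail_perms = sorted(set(e["perms"]) & MAIL_READ_PERMS)
        if not mail_perms or e["app"] not in created:
            continue  # no mailbox access, or app predates the log window
        granted = datetime.fromisoformat(e["time"])
        if timedelta(0) <= granted - created[e["app"]] <= window:
            hits.append((e["app"], e["actor"], mail_perms))
    return hits


if __name__ == "__main__":
    for app, actor, perms in find_suspicious_mail_apps(SAMPLE_EVENTS):
        print(f"review: {app!r} granted {perms} by {actor} shortly after registration")
```

Only the second app is reported: it was registered and given Mail.Read two minutes later by a non-admin service account, which is the sequence worth reviewing against change tickets.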

What makes Storm-2077 stand out from the crowd is its broad targeting of different sectors. According to Microsoft, this threat actor leaves no targets behind.

Just as Microsoft was detailing Storm-2077’s activities, Google shed light on GlassBridge, a group of four companies engaging in disinformation campaigns in support of Chinese interests. The internet giant has blocked over 1,000 websites associated with GlassBridge from appearing in Google News features and Google Discover.

“We cannot attribute who hired these services to create the sites and publish content, but assess the firms may be taking directions from a shared customer who has outsourced the distribution of pro-PRC content via imitation news websites,” Google says.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
