Over the past year, Microsoft Threat Intelligence analysts have been sharing their collective expertise, distilled from years of monitoring threat actors, observing infrastructure, disrupting malicious activity, and analyzing attackers’ tactics and tools.
The report outlines how the Democratic People’s Republic of Korea (DPRK) has developed cyberattack capabilities over the past decade, allowing North Korean threat actors to steal billions of dollars’ worth of cryptocurrency and to target organizations involved in satellite and weapons programs. Throughout this period, North Korea’s threat actors have honed their expertise in exploiting unknown vulnerabilities, evolving into sophisticated operators proficient in cryptocurrency, blockchain, and artificial intelligence technologies.
The presentation also illustrates how North Korea has navigated sanctions and economic restrictions imposed by the US and other countries by deploying IT workers in Russia, China, and other nations. Posing as individuals from countries outside North Korea, these IT workers secretly work on behalf of the regime, contributing to its finances through their technical expertise. The primary goals of North Korea’s cyber actors are:
- Theft of funds or cryptocurrency to support North Korea’s military programs.
- Gaining insight into upcoming weapons developments, sanctions, and strategic decisions well ahead of their formal announcement.
- Working covertly in the IT sector to finance North Korea’s weapons development through paid projects.
In the meantime, Microsoft Threat Intelligence analysts will also present an in-depth analysis of Storm-2077, a Chinese threat actor that conducts targeted intelligence-gathering operations against government agencies and non-governmental organizations.
The presentation shows how Microsoft pieced together the components of the Storm-2077 activity, demonstrating our capabilities in detecting and mitigating threats originating from China.
A rundown of the threat actors covered at CYBERWARCON, as presented in Microsoft’s latest intelligence insights
Cryptocurrency holders have become an increasingly popular target for social engineering that leads to theft. Sapphire Sleet is one actor that relies on such tactics, manipulating victims into revealing sensitive information or transferring cryptocurrency through fraudulent means.
By crafting convincing messages, these attackers deceive individuals into believing they are interacting with legitimate entities or authorities. For instance, they might pose as technical support staff claiming to resolve a critical issue on the victim’s device and prompt the victim to transfer funds to an “authorized” address.
Sapphire Sleet’s attacks often rely on psychological manipulation to create a sense of urgency, making victims more likely to take impulsive decisions that compromise their cryptocurrency assets.
Sapphire Sleet, a North Korean threat actor tracked by Microsoft, has been conducting cryptocurrency theft and computer network exploitation since at least 2020. In Microsoft’s assessment of Sapphire Sleet activity, the actor stole cryptocurrency worth over $10 million from multiple companies over a six-month period.
Masquerading as a venture capitalist
Sapphire Sleet’s tactics have evolved over time. Its initial strategy during the past 18 months was to masquerade as a venture capitalist feigning interest in acquiring a stake in the target’s company. The threat actor sets up an online meeting with the target. When the target attempts to join the virtual meeting on the designated day, they are met with either a frozen screen or an error message prompting them to contact the room administrator or technical support team for assistance.
When the target reaches out, the threat actor sends a malicious script, either a .dmg file on Mac or a .vbs file on Windows, presented as a fix for the connection issue. Running the script downloads malware onto the device. The threat actor then uses the compromised device to gather sensitive information, including cryptocurrency wallets and login credentials, which it uses to steal digital assets.
Posing as recruiters
In a second tactic, Sapphire Sleet poses as a recruiter on professional networks such as LinkedIn, extending fraudulent job offers. The fake recruiter approaches the target claiming to have an open position the target would excel in. To appear legitimate, the attacker asks the target to complete a skills assessment on a website under the attacker’s control, ostensibly to validate the skills listed on the target’s profile. The threat actor sends the target a set of login credentials, including a username and password. When the target logs in to the website and downloads the code for the skills assessment, they instead download malware that gives the attacker access to their device.
Microsoft has tracked Ruby Sleet, another North Korean threat actor, since 2020 and notes that the actor has significantly increased the sophistication of its phishing attacks over the past few years. Ruby Sleet has been observed signing malicious code with seemingly legitimate certificates obtained from previously compromised organizations. The threat actor has also distributed compromised virtual private network (VPN) clients, installers, and other legitimate applications.
Ruby Sleet has also been observed conducting targeted reconnaissance to identify the specific software used in a target’s environment, and has developed tailored capabilities designed for specific individuals or organizations. In December 2023, Microsoft Threat Intelligence detected a supply chain attack by Ruby Sleet that compromised a Korean construction company using a communication pattern linked to known Ruby Sleet infrastructure.
Ruby Sleet has streamlined its efforts to effectively target related organizations. North Korea may use stolen aerospace and defense-related intellectual property to improve its understanding of missiles, unmanned aerial vehicles (UAVs), and related technologies, potentially bolstering its military capabilities.
North Korea’s IT workers: a cyber threat in the making
Alongside computer network exploitation, North Korea has discreetly deployed thousands of IT workers abroad to generate revenue for the regime. The IT workers’ unauthorized activity has resulted in a significant influx of tens of thousands of dollars to North Korea. These workers pose a triple threat:
- They generate revenue for the regime by performing legitimate IT work.
- They may gain access to sensitive intellectual property, proprietary code, or trade secrets within the organization.
- They steal sensitive data from companies and sometimes extort them by threatening to release the information unless a ransom is paid.
Microsoft Threat Intelligence has detected North Korean IT workers operating from North Korea, Russia, and China.
The IT worker ecosystem depends on facilitators who deliberately obscure visibility into who the workers are and what they are doing, making it challenging to monitor and identify them.
Microsoft Threat Intelligence has observed North Korean IT workers creating multiple online profiles, receiving payments, and transferring funds to accounts the workers themselves control. The anonymity of these actors makes traditional monitoring methods increasingly ineffective.
Because North Koreans face challenges obtaining basic services such as bank accounts and phone numbers, IT workers rely on facilitators to gain access to platforms where they can apply for remote work. Initially, the IT workers use facilitators for tasks such as setting up an account on a freelance job platform. As the relationship develops, the IT workers may ask the facilitator to take on additional responsibilities, such as:
- Creating or renting a bank account for the North Korean IT worker
- Creating LinkedIn profiles used to connect with recruiters and apply for jobs
- Buying mobile phone numbers
- Creating multiple profiles on freelance platforms
A convincing online presence is essential for anyone seeking remote work, particularly in fields where showcasing one’s work can be the key to being hired, and AI-powered tools are increasingly used to help craft authentic-looking profiles and portfolios.
One of the first concerns for a North Korean IT worker is establishing a portfolio showcasing supposedly impressive past projects. Microsoft Threat Intelligence has identified a large number of fake profiles and portfolios attributed to North Korean IT workers on developer platforms such as GitHub.
North Korean IT workers have also used fake LinkedIn profiles to engage with recruiters and submit job applications, illustrating their resourcefulness in circumventing international sanctions.
In October 2024, Microsoft uncovered a publicly accessible repository containing personal information and records belonging to North Korean IT workers. The repository held the following:
- Infrastructure used by these workers, including Virtual Private Server (VPS) and Virtual Private Network (VPN) accounts and specific VPS IP addresses.
- Wallet information and suspected transfers to facilitators.
- Accounts on professional and collaboration platforms: LinkedIn, GitHub, Upwork, TeamViewer, Telegram, and Skype.
- Records tracking IT worker performance and payments.
Analysis of the repository indicates that North Korean IT workers have engaged in identity theft, using AI tools such as Faceswap to place their own images onto documents stolen from victims. Faceswap has also been used to alter pictures of the IT workers into more polished and convincing images. The IT workers use these AI-generated photographs on resumes and profiles, often across multiple personas, to apply for various jobs.
Microsoft Threat Intelligence found images in the same repository that appear to depict North Korean IT workers.
Microsoft has also observed North Korean IT workers experimenting with other AI technologies, including voice-changing software. The use of AI by threat actors to improve the effectiveness of their operations is a concerning trend that warrants closer examination. While combining AI voice and video products is not a tactic we have commonly observed, we recognize that such technologies could be combined in future campaigns; for instance, an IT worker might use these tools during an interview to convince the interviewer that they are not communicating with someone from North Korea. If this proves viable, it could allow North Korean IT workers to conduct interviews directly, removing the need for facilitators to attend interviews or obtain accounts on their behalf.
Getting paid for remote work
North Korean IT workers appear remarkably efficient at tracking and managing the funds they obtain illicitly, having reportedly accumulated over $370,000 through their activities.
As cybersecurity threats escalate, safeguarding your organization against North Korean IT workers requires a multi-layered approach.
Computer network exploitation and the use of IT workers have proven attractive to North Korean threat actors because they yield significant rewards with minimal risk of detection. Organizations can strengthen their defenses by taking the following proactive measures:
- Review the joint guidance issued by the U.S. Department of State, the U.S. Department of the Treasury, and the Federal Bureau of Investigation (FBI) on identifying potential North Korean IT workers.
- When hiring remotely, be aware of the red flags that may indicate an individual is a North Korean IT worker or has connections to the DPRK.
- Periodically (for example, every 15 minutes) capture a still image from the worker’s webcam and compare it with the profile picture on file. This simple, non-technical check verifies that the person using the laptop is the person who was hired.
- Ask the worker to walk through their code and explain how it works.
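The identity checks above are manual. The infrastructure and account indicators described earlier in the post (VPS/VPN infrastructure, multiple personas run through one facilitator) can also be checked automatically against sign-in telemetry. The script below is an added example written for this page, not code from Microsoft or from the post; every IP range, account name, device ID and log record in it is constructed sample data, and the hosting-provider ranges stand in for whatever IP-intelligence feed an organization actually uses.

```python
"""Added example (not from the Microsoft post): score a remote worker's sign-in
activity against indicators the post describes for DPRK IT workers -
infrastructure on VPS/VPN providers, geolocation that contradicts the claimed
location, and several "independent" worker accounts sharing one device.
All ranges, names and records below are constructed sample data."""
import ipaddress
from collections import defaultdict

# Constructed: CIDR blocks an organization might tag as hosting/VPS providers.
# In practice this list would come from an IP-intelligence feed (assumption).
HOSTING_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed sign-in records:
# (worker_account, source_ip, claimed_country, observed_country, device_id)
SIGNINS = [
    ("contractor-a", "192.0.2.10",    "US", "US", "LAPTOP-001"),
    ("contractor-a", "203.0.113.45",  "US", "US", "LAPTOP-001"),  # hosting-provider range
    ("contractor-b", "192.0.2.88",    "US", "CN", "LAPTOP-001"),  # geo mismatch, shared device
    ("contractor-c", "198.51.100.9",  "CA", "CA", "LAPTOP-002"),  # hosting-provider range
    ("contractor-d", "192.0.2.200",   "DE", "DE", "LAPTOP-003"),  # nothing unusual
]


def is_hosting_ip(ip):
    """True if the address falls inside any tagged hosting/VPS range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def score_signins(records):
    """Return {account: [reasons]} for every account that trips at least one indicator."""
    findings = defaultdict(list)
    devices = defaultdict(set)  # device_id -> accounts seen on it
    for account, ip, claimed, observed, device in records:
        devices[device].add(account)
        if is_hosting_ip(ip):
            findings[account].append(f"sign-in from hosting/VPS range: {ip}")
        if claimed != observed:
            findings[account].append(
                f"claimed location {claimed} but sign-in geolocated to {observed}")
    # Several worker accounts on one physical device suggests the accounts are
    # personas run through a facilitator rather than independent individuals.
    for device, accounts in devices.items():
        if len(accounts) > 1:
            for account in accounts:
                others = sorted(accounts - {account})
                findings[account].append(f"device {device} shared with {others}")
    return dict(findings)


if __name__ == "__main__":
    for account, reasons in sorted(score_signins(SIGNINS).items()):
        print(account)
        for reason in reasons:
            print("   -", reason)
```

The findings are meant to be reviewed by a person alongside the webcam and code-walkthrough checks; a single hosting-range sign-in is not proof of anything, but an account that trips two or three of these indicators deserves the manual follow-up.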
Storm-2077: No targets left behind
As indictments and public disclosures of threat actor activity over the past decade have pushed attackers to adapt, tracking and attributing cyber operations originating from China has become increasingly challenging. These actors often run operations concurrently, using similar tools and tactics against targets that frequently overlap with those of other groups. While investigating an anomaly in customer activity, Microsoft Threat Intelligence compiled the data points that collectively formed Storm-2077. The actor’s tactics shared certain parallels with those of other threat actors Microsoft had previously tracked.
Microsoft assesses that Storm-2077 is a Chinese state-sponsored threat actor that has been active since at least January 2024. Throughout 2020, Storm-2077 targeted government agencies, private sector companies, and non-profit organizations across America. As we tracked Storm-2077’s activity globally, it became apparent that its targets spanned multiple sectors, including the Defense Industrial Base (DIB), aviation, telecommunications, financial services, and legal firms. Storm-2077 overlaps with activity tracked by other security vendors under the identifier TAG-100.
We assess that Storm-2077 operates with the goal of gathering intelligence through a variety of means. Storm-2077 has used phishing emails to obtain credentials and, in some cases, is suspected of compromising edge-facing devices to gain initial access. We have observed tactics focused on stealing email data, which lets the actor access and exploit that information later without concern about losing access. In certain cases, Storm-2077 has used compromised valid credentials to authenticate and blend in with legitimate activity.
Storm-2077 has also been observed stealing emails by using compromised credentials to access cloud services such as eDiscovery features without authorization. In various cases, Storm-2077 gained access to cloud infrastructure by compromising endpoints and stealing credentials. Once it obtained administrative access, Storm-2077 created its own application with email-reading capabilities.
Email data is valuable because it often contains confidential information that can be exploited for future malicious activity. Emails can hold credentials, confidential communications, financial information, trade secrets, intellectual property, access keys to critical systems, and employees’ personal details. Access to email accounts and the ability to steal email could enable an attacker to expand their malicious activity.
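The Storm-2077 pattern described above (compromised credentials, newly obtained admin access, an actor-registered application with email-reading permission, then bulk collection through eDiscovery) lends itself to a simple correlation rule on cloud audit logs: an export of eDiscovery results shortly after the same account gained a privilege or consented to an app is far more suspicious than a routine export by a long-standing legal-hold operator. The rule below is an added example written for this page, not Microsoft's detection logic; the event names, fields and records are constructed sample data loosely modelled on Microsoft 365 unified audit log entries and should not be taken as an exact schema.

```python
"""Added example (not from the Microsoft post): correlate privilege changes and
app consents with eDiscovery exports by the same actor inside a time window.
Event names and records are constructed sample data, loosely modelled on
Microsoft 365 unified audit log entries (assumption, not an exact schema)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: (timestamp, actor, operation, detail)
AUDIT = [
    ("2024-05-01T09:00:00", "jdoe",      "UserLoggedIn",            "ip=192.0.2.10"),
    ("2024-05-01T09:05:00", "jdoe",      "Add member to role.",     "role=eDiscovery Manager"),
    ("2024-05-01T09:20:00", "jdoe",      "Consent to application.", "app=MailSyncHelper;perm=Mail.Read"),
    ("2024-05-01T09:40:00", "jdoe",      "SearchCreated",           "scope=all mailboxes"),
    ("2024-05-01T10:10:00", "jdoe",      "SearchExported",          "items=48213"),
    ("2024-05-01T11:00:00", "legal-ops", "SearchCreated",           "scope=custodian:asmith"),
    ("2024-05-01T11:30:00", "legal-ops", "SearchExported",          "items=311"),
]

# Operations that grant new capability to an account (constructed names).
PRIVILEGE_OPS = {"Add member to role.", "Consent to application."}
# Operations that move mailbox content out of the tenant (constructed name).
EXFIL_OPS = {"SearchExported"}


def correlate(events, window=timedelta(hours=2)):
    """Return {actor: [reasons]} for actors who exported eDiscovery results within
    `window` of gaining a privilege or registering an application.

    Actors with no recent privilege event are not flagged, so routine exports by
    long-standing legal-hold operators stay quiet."""
    recent_privileges = defaultdict(list)  # actor -> [(time, op, detail)]
    findings = defaultdict(list)
    # ISO-8601 timestamps sort correctly as strings, so sorting the tuples orders by time.
    for ts, actor, op, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        if op in PRIVILEGE_OPS:
            recent_privileges[actor].append((t, op, detail))
        elif op in EXFIL_OPS:
            hits = [(p_op, p_detail) for p_t, p_op, p_detail in recent_privileges[actor]
                    if t - p_t <= window]
            if hits:
                preceded_by = "; ".join(f"{o} [{d}]" for o, d in hits)
                findings[actor].append(f"{op} [{detail}] within {window} of: {preceded_by}")
    return dict(findings)


if __name__ == "__main__":
    for actor, reasons in correlate(AUDIT).items():
        print(actor)
        for reason in reasons:
            print("   -", reason)
```

The window is the tunable part: two hours catches an actor that elevates and exports in one session, while the legal-ops account, which never gained a privilege in the log, produces no alert regardless of how many items it exports.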
At CYBERWARCON, Microsoft will show how its emphasis on curiosity is paying off. All industries converge, leaving no market unexplored. Analysts delve into the complexities of tracking China-based threat actors and outline the measures required to effectively isolate and dissect Storm-2077.
CYBERWARCON Recap
Microsoft Security is proud to sponsor the post-event Fireside Recap at this year’s CYBERWARCON.
Join Sherrod DeGrippo as she welcomes a select group of guests to recap the most significant takeaways from CYBERWARCON 2024. Audio interviews from the event will offer fresh perspectives and capture its most memorable highlights.
Learn more
Access the latest security research from the Microsoft Threat Intelligence community by visiting the Microsoft Threat Intelligence blog.
Follow us on LinkedIn at [insert link] and on X (formerly Twitter) at [insert link] to receive notifications about our latest publications and join the conversation.
Listen to stories and insights from the Microsoft Threat Intelligence community on the constantly shifting threat landscape by tuning in to the Microsoft Threat Intelligence podcast.