According to security researchers, an unlikely trio, a venture capitalist, a recruiter at a major corporation, and a recently hired remote IT worker, who seemed to have little in common, turned out to be operatives covertly working on behalf of the North Korean regime.
At Cyberwarcon, the annual conference in Washington D.C., cybersecurity researchers delivered their latest assessment of the threat posed by North Korea's hacking operations. They warned of a persistent effort by North Korean operatives to pose as job seekers at multinational companies in order to funnel money back to the regime and steal sensitive information that feeds its nuclear weapons programme. Over roughly the past decade, North Korea's hackers have stolen billions of dollars in cryptocurrency, which the regime has used to fund its nuclear arsenal while evading a raft of international sanctions.
Microsoft security researcher James Elliott said at Cyberwarcon that North Korean IT workers have infiltrated numerous organizations around the world by creating false identities and relying on U.S.-based facilitators to handle their company-issued equipment and their earnings, evading the financial sanctions imposed on Pyongyang.
Researchers who study North Korea's cyber capabilities now see the country as a loosely connected mix of hacking groups with differing tactics and techniques but a shared objective: stealing cryptocurrency. Already under crippling sanctions, the regime has little to lose from criticism of its cyber operations.
One North Korean hacking group, which Microsoft tracks as "Ruby Sleet", is engaged in a systematic campaign to steal secrets and technology that could help the country develop weapons and navigation systems.
Microsoft has also described another group of North Korean hackers, tracked as "Sapphire Sleet", who posed as recruiters and venture capitalists in schemes to steal cryptocurrency from individuals and companies. After making initial contact with a target, the hackers set up a virtual meeting, but the meeting is deliberately engineered not to load properly.
In the fake venture capitalist scam, the attacker exploits the victim's frustration by telling them to download software that supposedly fixes the broken meeting; the download is malware. In the fake recruiter campaign, the impostor asks the candidate to complete a "skills assessment" that likewise contains malware. Once installed, the malware harvests data from the machine, including cryptocurrency wallets. Microsoft said the hackers stole at least $10 million in cryptocurrency over a six-month period.
One of the most persistent and difficult campaigns to counter is the effort by North Korean operatives to get hired by major companies as remote workers, exploiting the rise of remote work since the COVID-19 pandemic.
Microsoft has labelled North Korea's IT workers a "triple threat": they deceive their way into jobs at major companies, earning money for the North Korean regime; they steal corporate secrets and intellectual property while employed; and they then extort the companies by threatening to release the stolen information.
Of the many companies that have unwittingly hired a North Korean IT worker, only a few have publicly acknowledged it. The cybersecurity company KnowBe4 said it was duped into hiring a North Korean as a remote worker, but it detected the worker's attempt to load malware onto the company-issued laptop and cut off the remote access before any data was compromised.
North Korea's IT workers build an online presence by creating a chain of profiles, including LinkedIn and GitHub pages, to establish professional credibility. Some use AI tools, including face-swapping and voice-changing software, to construct their fake identities.
Once a worker is hired, the company ships the new employee's laptop to an address in the United States that, unbeknown to the company, is run by a facilitator who manages farms of company-issued devices. The facilitator installs remote access software on the laptops so that North Korean operatives elsewhere can log in while concealing their true location.
Microsoft has also observed North Korean IT workers operating outside North Korea's borders, from Russia and China, two of the regime's key allies, which makes it harder for companies to identify suspected North Korean operatives on their own networks.
Elliott said Microsoft got a lucky break when it found an inadvertently public repository belonging to a North Korean IT worker. It contained spreadsheets and documents that laid out the operation in detail, including dossiers of the false identities and resumes the IT workers used to get hired, and the money the operation had made. Elliott described the repositories as containing the "comprehensive blueprints" for how the hackers carry out their identity theft operations.
In trying to pass as legitimate, the North Korean workers often made mistakes that gave them away. One tell was how quickly a fake identity was verified on LinkedIn against a newly obtained company email address, a step taken to make the persona look more legitimate.
The researchers said it was the hackers' own sloppiness that exposed the extent of their activity.
Security researcher Hoi Myong and a fellow researcher known as SttyK said they identified suspected North Korean IT workers by engaging with them directly and exposing holes in their false identities, which were not always carefully constructed.
In their Cyberwarcon talk, Myong and SttyK recounted a conversation with a suspected North Korean IT worker who claimed to be Japanese but made linguistic errors, such as using words and phrases that do not exist in Japanese. The worker's identity had other inconsistencies, such as claiming to hold a Chinese bank account while connecting from an IP address in Russia.
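As an added illustration, here is a small Python screening routine that checks a batch of new remote hires for the two patterns described above: the laptop-farm pattern (several hires shipping company laptops to one U.S. address, and remote access tooling appearing on a freshly issued laptop) and the mismatch between a worker's claimed location and where their sign-ins actually originate (the Russian IP address). This is example code written for this page, not code from Microsoft or the researchers; the hire records and the list of remote-access process names are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Process names of common remote access tools. The article names no specific tool;
# this set is an assumption made for the example.
REMOTE_ACCESS_PROCESSES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe", "tvnserver.exe"}


@dataclass
class Hire:
    hire_id: str
    hr_address: str            # residential address on the HR/payroll record
    ship_address: str          # address IT actually shipped the laptop to
    claimed_country: str       # country the candidate said they live in (ISO code)
    signin_countries: list     # geolocated country of each sign-in from the laptop
    processes: set             # process names seen on the laptop during its first week


def review_hire(hire: Hire, ship_counts: Counter) -> list:
    """Return the list of red flags for one hire (empty list if none)."""
    findings = []
    # Laptop farm signal 1: the device went somewhere other than the hire's address.
    if hire.ship_address != hire.hr_address:
        findings.append("laptop shipped to an address that differs from the HR record")
    # Laptop farm signal 2: one address receiving devices for several different hires.
    shared = ship_counts[hire.ship_address]
    if shared > 1:
        findings.append(f"shipping address shared by {shared} hires")
    # Location mismatch: sign-ins from a country other than the claimed residence.
    foreign = sorted({c for c in hire.signin_countries if c != hire.claimed_country})
    if foreign:
        findings.append(f"sign-ins from {', '.join(foreign)} but claimed residence is {hire.claimed_country}")
    # Remote access tooling installed on a brand-new corporate laptop.
    rats = sorted(p for p in hire.processes if p.lower() in REMOTE_ACCESS_PROCESSES)
    if rats:
        findings.append("remote access tooling on new laptop: " + ", ".join(rats))
    return findings


def review_hires(hires: list) -> dict:
    """Map each hire_id to its red flags; shipping addresses are counted across the whole batch."""
    ship_counts = Counter(h.ship_address for h in hires)
    return {h.hire_id: review_hire(h, ship_counts) for h in hires}


# Constructed sample records (not from the article): one clean hire, one hire whose laptop sits
# at a shared address with a remote access tool and Russian sign-ins, and one hire whose laptop
# was shipped to that same address instead of the address on file.
SAMPLE_HIRES = [
    Hire("h1", "4 Elm St, Austin TX", "4 Elm St, Austin TX", "US", ["US", "US"], {"code.exe", "slack.exe"}),
    Hire("h2", "12 Oak St, Nashville TN", "12 Oak St, Nashville TN", "US", ["US", "RU", "RU"], {"AnyDesk.exe", "slack.exe"}),
    Hire("h3", "9 Pine Ave, Reno NV", "12 Oak St, Nashville TN", "US", ["US"], {"slack.exe"}),
]

if __name__ == "__main__":
    for hire_id, flags in review_hires(SAMPLE_HIRES).items():
        print(hire_id, "clean" if not flags else "; ".join(flags))
```

The shared-address check is the one that needs the whole batch rather than a single record, which is why the counting happens in `review_hires` and not per hire; in practice the same counting would run across all laptops shipped in the past year, not just the current onboarding cohort.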
The U.S. government has already sanctioned North Korea-linked entities in response to the IT worker scheme. The FBI has also warned about the use of deepfakes, often built on stolen identities, to obtain tech jobs. In 2024, U.S. prosecutors charged several people accused of running laptop farms that helped facilitate the sanctions evasion.
Companies must do a better job of vetting prospective employees, the experts said.
"They're not going away," Elliott said. "They'll be around for an extended period."