Thursday, December 5, 2024
HomeCyber CrimeGoogle Warns Of North Korean IT Workers Have Infiltrated The U.S. Workforce

Google Warns Of North Korean IT Workers Have Infiltrated The U.S. Workforce

Published on

SIEM as a Service

North Korean IT workers, disguised as non-North Koreans, infiltrate various industries to generate revenue for their regime, evading sanctions and funding WMD programs by exploiting privileged access to enable cyber intrusions. 

Facilitators, often non-North Koreans, assist these workers by laundering money, hosting company laptops, using stolen identities, and accessing international financial systems, which help the workers evade detection and maintain their positions.

UNC5267 is a North Korean threat group that leverages compromised identities to infiltrate Western companies, primarily in the U.S. tech sector, which operate remotely from locations like China and Russia and gain initial access through job applications and contractor roles. 

- Advertisement - SIEM as a Service
Observed image of threat actor resume 
Observed image of threat actor resume 

Once inside, they engage in various tasks, often holding multiple positions simultaneously. Their objectives include financial gain, long-term network access, and potential espionage or disruptive activities.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

Researchers observed a campaign by DPRK IT workers using fraudulent resumes to gain remote IT positions. The resumes contained inconsistencies like US addresses with non-North American education and reused content. 

Once employed, the workers accessed victim companies’ laptops remotely via a laptop farm with tools like GoToRemote and TeamViewer, likely from North Korea using Astrill VPN, which was hidden by requesting laptop shipment to a location different from their claimed residence. 

Resume excerpt
Resume excerpt

It has been recommended that organizations implement stringent vetting processes to detect DPRK IT workers. These processes include requiring biometric information for background checks, conducting thorough interviews with cameras, and verifying identity through notarized proof. 

Organizations should also train HR departments to identify inconsistencies in candidate profiles and monitor for AI to modify profile pictures, which can help organizations mitigate the threat posed by North Korean cyber actors.

To mitigate UNC5267 threats, they must verify phone numbers for VoIP usage, confirm laptop geolocation matches reported residency, restrict remote administration tools, monitor VPN connections, and detect mouse jiggling software. 

Additionally, verifying laptop serial numbers, implementing hardware-based multi-factor authentication, and restricting IP-based KVMs can strengthen security against unauthorized access and malicious activities.

To mitigate remote employee risks, implement periodic video checks, provide ongoing security education, collaborate with threat intelligence communities, and restrict financial transactions to U.S. banks. 

North Korea’s IT workforce poses a significant cyber threat due to its technical proficiency, evasion tactics, and dual motivations. These include increased frequency and sophistication of data breaches, intellectual property theft, and disruption of critical services. 

Organizations must implement robust security measures, raise employee awareness, collaborate with industry peers, and leverage advanced threat detection tools to mitigate this threat. 

Mandiant actively supports these efforts through partnerships and intelligence sharing, encouraging affected organizations to come forward and contribute to collective defense against DPRK cyber operations.

Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...