New research from Mandiant has revealed workers from the Democratic People’s Republic of Korea (DPRK) have been posing as other nationalities in order to get hired by Western companies and infiltrate their systems.
One facilitator was found to have been helping IT workers use the stolen identities of over 60 US citizens at more than 300 companies, which resulted in over $6.8 million of revenue to be earned for the DPRK IT workers between 2020 and 2023.
The US Justice Department has reportedly arrested and charged several US citizens for running ‘laptop farms’, which would house the equipment US companies would send to new ’employees’. Once received, a facilitator would install remote access technology, which would allow the North Koreans to log in from overseas.
Stolen credentials
The tactic was first deployed in 2022, when the US government issued an advisory warning that workers from the DPRK were using remote employment opportunities to gain privileged access and enable malicious cyber activity.
By using ‘front companies’, thousands of individuals were able to earn salaries, sometimes at multiple companies, seemingly to generate revenue for the DPRK. The access the workers gained into US tech companies could then be used for intrusions or cyberattacks.
“The biggest concern I have is what happens if these threat actors go undetected long enough and are eventually given an order by the North Korean regime to launch a wide scale attack,” said Mandiant Principle Analyst, Michael Barnhart.
Although this sounds a bit far-fetched, it’s not the first time that threat actors from the DPRK have used the job market to deceive unsuspecting westerners. It was reported earlier this year that cyber criminals from the DPRK posted fake job adverts to trick candidates into downloading malware.
To mitigate the risks, Mandiant recommends spot checks where remote employees are required to be on camera, training employees on how to spot suspicious activity, and requiring US bank accounts for all financial transactions – as US accounts require a strict verification process.
Via The Record