Global Businesses Impacted by North Korean Fake IT Workers Scam and Data Theft
The North Korean fake IT worker scheme has spread globally, affecting businesses in China, Russia, and other countries, according to Microsoft. Recent reports indicate that hundreds of companies in the US, UK, and Australia have unknowingly hired fake IT workers from North Korea, generating millions in revenue for the Pyongyang regime between 2020 and 2023.
Funding and Data Theft
These fake IT workers not only generate funds that fuel North Korea’s weapons program but may also steal data from the hiring companies and extort them. Microsoft highlighted this issue during a presentation at the CYBERWARCON conference last week.
Evasion of Sanctions
North Korea is evading sanctions and financial barriers imposed by the United States and other countries by deploying IT workers in Russia, China, and other nations. Thousands of these workers have been sent abroad with the help of third parties who create or rent bank accounts, purchase mobile phones and SIM cards, and set up accounts on social media sites and job portals to help them contact recruiters.
Fake Profiles and AI Tools
There are hundreds of fake profiles and portfolios for North Korean IT workers on GitHub. Last month, Microsoft discovered a public repository containing resumes, email accounts, VPS and VPN accounts, playbooks, images of involved individuals, wallet information, and online accounts (LinkedIn, GitHub, Upwork, TeamViewer, Telegram, and Skype), along with a tracking sheet. To secure jobs, these fake IT workers steal identities and use AI tools to add their photos to stolen documents, including resumes and profiles submitted for job applications. They are also experimenting with voice-changing software.
Potential Future Threats
While current threat actors are not using combined AI voice and video products, Microsoft recognizes the potential for future campaigns to involve IT workers using these technologies to deceive interviewers.
Cryptocurrency Theft
Other North Korean threat actors rely on cryptocurrency theft to generate revenue for the regime. These hacking groups have stolen billions of dollars in cryptocurrency. One such group, tracked as Sapphire Sleet and active since at least 2020, poses as venture capitalists or recruiters to convince victims to download malware or expose their credentials, leading to device takeover and virtual asset theft.
Phishing Campaigns
Microsoft has also observed a threat actor tracked as Ruby Sleet conducting phishing campaigns against satellite and defense organizations to deploy backdoors and steal sensitive information. Ruby Sleet has successfully compromised aerospace and defense-related organizations, potentially using stolen technology to enhance North Korea’s missile, drone, and related capabilities.
China-Linked Threat Actor
In another presentation at CYBERWARCON, Microsoft detailed the activities of Storm-2077, a China-linked state-sponsored threat actor targeting government and non-government organizations in the US and abroad, including aviation, Defense Industrial Base (DIB), financial, legal services, and telecommunications entities. Active since the beginning of the year and also tracked as TAG-100, this threat actor relies on phishing and the exploitation of edge devices for initial access, then harvests sensitive information from emails, along with account credentials that it uses to gain further access.
Broad Targeting
Storm-2077 stands out due to its broad targeting of different sectors. Microsoft noted that this threat actor leaves no targets behind.
Disinformation Campaigns
Simultaneously, Google shed light on GlassBridge, a group of four companies engaging in disinformation campaigns supporting Chinese interests. Google has blocked over 1,000 websites associated with GlassBridge from appearing in Google News features and Google Discover.