Last year, detailed reports from cybersecurity firms like Mandiant and unsealed federal charges shone a spotlight on the widespread issue of the Democratic People’s Republic of Korea (DPRK) fraudulent remote IT workers.
The flurry of illicit activity piqued our interest at SpyCloud, where we closely track cybercriminal activity and research emerging threats. Research now shows nearly all of the Fortune 500 interacting and potentially inadvertently hiring DPRK IT workers.
When we took a look at our own data lake, we found some interesting supportive findings.
How the employment fraud schemes work
In these schemes, individuals acting on behalf of the North Korean government participate in what’s broadly become known as employment fraud, obtaining remote work positions in software engineering and IT under fraudulent identities at US organizations. Their paychecks then presumably go towards funding the North Korean regime. The FBI has also warned that these individuals are increasingly engaging in data-theft extortion against the companies that have inadvertently hired them.
Unfortunately for the participants in these schemes, they are just as susceptible to being infected by malware as anyone else. With that in mind, we found a starting point for a deeper investigation, picked up a trail, and it led our researchers to some interesting insights.
What can we learn from a malware infection log? Self-infection insights from when bad actors infect themselves
Stealer logs generally contain an infected user’s system information, account login credentials, and browser cookies. In addition, they can also contain more detailed information like browsing history, desktop files, installed software, running processes, data scraped from notes applications, and screenshots from the device.
Because of this, malware logs can reveal substantial information about these workers’ daily digital activities, give us insight into their TTPs, and allow us to identify organizations where they have applied and potentially been hired.
How we were able to identify DPRK workers participating in this employment scheme
In order to narrow down our infostealer malware data to identify the self-infections out of our database of billions of malware records, we initially started by using the following basic pivoting logic:
01
Astrill VPN
Often we start a search like this within the SpyCloud Investigations solution using IP addresses. Like most of the DPRK’s cyber operations, the individuals involved appear to be located outside of North Korea, with many operating out of Chinese provinces near the North Korean border. This is mostly out of operational necessity; North Korea has extremely limited access to electricity and virtually no internet access. Mandiant published a list of IP addresses that they observed being used by DPRK remote workers. Many of these IP addresses are associated with the Astrill VPN service, a popular VPN in China. SPUR also published a much more extensive list of Astrill VPN IPs.
02
Job boards
Astrill VPN has been heavily used by DPRK IT workers, but it’s also popular for a wide variety of other typical Chinese users to bypass the “great firewall” when browsing the internet. The easiest way to narrow down our search further was to look for logs where the infected user appeared to be applying to a lot of jobs on Western recruiting websites such as Upwork, Taleo, Workday, iCIMS, and Greenhouse.
03
Confirmation
After looking for logs that fit this profile, we wanted to explore deeper within each of the remaining infostealer logs to find other clues that match the profile of a workstation being used for this activity. Some additional indicators that can further corroborate a likely fraudulent DPRK remote IT worker log include:
- Accounts for job and professional sites (like LinkedIn) that appear to fit into multiple distinct personas, but which all appear to share the same reused password
- Accounts for remote management software (like AnyDesk or TeamViewer) which the remote IT workers use to remotely access corporate devices in the US at “laptop farms”
- Accounts for websites used in persona creation, such as websites for purchasing stolen social security numbers, AI-powered tools for easily creating resumes, AI assistive writing tools, and AI image editing tools used to create and edit professional headshots
04
The smoking guns
Once we narrowed it down even further and determined that the IP address and account credentials in a log likely fit the profile of a fraudulent IT worker, we were able to look for even more compelling pieces of evidence. Generally, we found these either within the log itself, or by using OSINT methods to access and review some of the public accounts created by the IT workers like GitHub accounts, LinkedIn accounts, or resumes posted to filesharing sites.
In some logs, we were even able to find files that had been exfiltrated from the workstation’s Desktop or Documents folders that clearly showed side-by-side resumes: a resume taken from a real developer or IT worker in the US, and a copied fraudulent resume with very minor changes like the name, contact information, and professional headshot.
05
Feedback loop
After using this process to find DPRK remote IT worker self-infections, we were able to find additional high-value indicators to serve as initial pivot points and repeat the process.
Impact: The Fortune 500 and beyond
This process has enabled us to begin to identify the extensiveness of the DPRK campaign, confirming its impact on hundreds of US companies who are interacting and potentially inadvertently hiring DPRK IT workers.
With evidence of this happening as far back as 2018, the threat continues to gain traction and teams are really only now beginning to unravel the unprecedented scale of these hirings.
Our hope is by raising awareness of the issue, security teams can better combat existing risks and prevent unknowingly hiring and granting business access to these individuals in the future.
With that being said, the tools needed for identity analysis typically sit with security or IT, yet your HR team is likely vetting job candidates. As part of your business practices evolution, it’s important for operations and security teams to unite and collaborate on new, cross-functional workflows and playbooks that protect your entire organization from emerging threats that slip past traditional protective measures.
Learn more about how SpyCloud Investigations uncovers hidden risks like employment fraud.
Keep reading
