How We Identified Fake North Korean IT Workers Using Identity Matching


Last year, detailed reports from cybersecurity firms like Mandiant and unsealed federal charges shone a spotlight on the widespread issue of the Democratic People’s Republic of Korea (DPRK) fraudulent remote IT workers.

The flurry of illicit activity piqued our interest at SpyCloud, where we closely track cybercriminal activity and research emerging threats. Research now shows that nearly all of the Fortune 500 have interacted with DPRK IT workers, and that many have potentially hired them without knowing it.

When we took a look at our own data lake, we found some interesting supportive findings.

How the employment fraud schemes work

In these schemes, individuals acting on behalf of the North Korean government participate in what’s broadly become known as employment fraud, obtaining remote work positions in software engineering and IT under fraudulent identities at US organizations. Their paychecks then presumably go towards funding the North Korean regime. The FBI has also warned that these individuals are increasingly engaging in data-theft extortion against the companies that have inadvertently hired them.

Unfortunately for the participants in these schemes, they are just as susceptible to being infected by malware as anyone else. With that in mind, we found a starting point for a deeper investigation, picked up a trail, and it led our researchers to some interesting insights.

SpyCloud has observed many of these DPRK fraudulent IT workers inadvertently infect their own workstations with commodity infostealer malware. Like other infostealer malware infections, the logs that are harvested from these infections are then sold and shared on the darknet, where SpyCloud recaptures, classifies, and parses them in bulk.

What can we learn from a malware infection log?

Self-infection insights from when bad actors infect themselves

Stealer logs generally contain an infected user’s system information, account login credentials, and browser cookies. In addition, they can also contain more detailed information like browsing history, desktop files, installed software, running processes, data scraped from notes applications, and screenshots from the device.

Because of this, malware logs can reveal substantial information about these workers’ daily digital activities, give us insight into their TTPs, and allow us to identify organizations where they have applied and potentially been hired.

How we were able to identify DPRK workers participating in this employment scheme

To isolate the self-infections within our database of billions of infostealer malware records, we started with the following basic pivoting logic:

01. Astrill VPN

We often start a search like this within the SpyCloud Investigations solution using IP addresses. As with most of the DPRK’s cyber operations, the individuals involved appear to be located outside of North Korea, with many operating out of Chinese provinces near the North Korean border. This is largely a matter of operational necessity: North Korea has extremely limited access to electricity and virtually no internet access. Mandiant published a list of IP addresses that it observed being used by DPRK remote workers. Many of these IP addresses belong to the Astrill VPN service, a VPN that is popular in China. SPUR also published a much more extensive list of Astrill VPN IPs.

02. Job boards

Astrill VPN has been heavily used by DPRK IT workers, but it is also popular with ordinary Chinese users who want to bypass the “great firewall” when browsing the internet, so an Astrill IP alone is a weak signal. The easiest way to narrow the search further was to look for logs in which the infected user appeared to be applying to a large number of jobs on Western recruiting websites such as Upwork, Taleo, Workday, iCIMS, and Greenhouse.

03. Confirmation

After looking for logs that fit this profile, we wanted to explore deeper within each of the remaining infostealer logs to find other clues that match the profile of a workstation being used for this activity. Some additional indicators that can further corroborate a likely fraudulent DPRK remote IT worker log include:

04. The smoking guns

Once we had narrowed the set further and determined that the IP address and account credentials in a log likely fit the profile of a fraudulent IT worker, we looked for even more compelling evidence. Generally we found it either within the log itself or by using OSINT methods to review public accounts created by the IT workers, such as GitHub accounts, LinkedIn accounts, or resumes posted to file-sharing sites.

In some logs, we were even able to find files that had been exfiltrated from the workstation’s Desktop or Documents folders that clearly showed side-by-side resumes: a resume taken from a real developer or IT worker in the US, and a copied fraudulent resume with very minor changes like the name, contact information, and professional headshot.

05. Feedback loop

After using this process to find DPRK remote IT worker self-infections, we extracted additional high-value indicators from the confirmed logs (for example, the email addresses and usernames used on the job boards), fed them back in as new initial pivot points, and repeated the process.
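The pivot chain above (VPN egress IP, then job-board activity, then corroborating files, then new pivots from confirmed logs) can be expressed as a small triage script. The following is an added example written for this page, not SpyCloud's own tooling or query logic. It assumes a parsed stealer-log record shaped as a dict with `ip`, `credentials`, `history` and `files` keys; the VPN ranges are RFC 5737 placeholder networks standing in for the published Astrill lists, the recruiting-platform host suffixes are assumed, and the three sample logs are constructed, not recaptured data.

```python
"""Triage constructed infostealer-log records with a staged pivot chain.

Added example for this page; not SpyCloud code. Stage semantics:
  0  IP not in the VPN ranges           -> not worth pivoting
  1  VPN only                           -> likely an ordinary firewall-bypass user
  2  VPN + heavy job-board activity     -> candidate for deeper review
  3  candidate + several resumes on disk-> strongest automated signal, review by hand
"""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Placeholder VPN egress ranges (RFC 5737 documentation space). The real pivot
# input is the published Astrill VPN IP list, which this example does not embed.
VPN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Assumed host suffixes for the recruiting platforms the post names.
JOB_BOARD_SUFFIXES = ("upwork.com", "taleo.net", "myworkdayjobs.com",
                      "icims.com", "greenhouse.io")

STAGES = {0: "no VPN match", 1: "VPN only (likely ordinary user)",
          2: "VPN + job-board activity (candidate)",
          3: "candidate + multiple resumes on disk (review manually)"}


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_job_board(host):
    # Exact host or a subdomain; "evil-upwork.com" must not match.
    return any(host == s or host.endswith("." + s) for s in JOB_BOARD_SUFFIXES)


def ip_in_vpn(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in VPN_RANGES)


def resume_files(paths):
    # Several differently named resumes on one machine is the side-by-side
    # pattern the post describes; one resume is normal for a job seeker.
    # Match on the file name only so directory names cannot trigger it.
    names = ((p, p.replace("\\", "/").rsplit("/", 1)[-1].lower()) for p in paths)
    return sorted(p for p, n in names if "resume" in n or n.startswith("cv"))


def triage(log, min_job_hosts=3):
    """Return (stage, evidence) for one parsed stealer log."""
    evidence = {}
    if not ip_in_vpn(log.get("ip", "")):
        return 0, evidence
    evidence["vpn_ip"] = log["ip"]
    seen = Counter(host_of(c["url"]) for c in log.get("credentials", []))
    seen.update(host_of(u) for u in log.get("history", []))
    job_hosts = sorted(h for h in seen if is_job_board(h))
    if len(job_hosts) < min_job_hosts:
        return 1, evidence
    evidence["job_boards"] = job_hosts
    resumes = resume_files(log.get("files", []))
    if len(resumes) < 2:
        return 2, evidence
    evidence["resumes"] = resumes
    return 3, evidence


def next_pivots(log):
    """Feedback loop: usernames used on job boards in a confirmed log become
    search keys for the next pass over the data lake."""
    return sorted({c["user"].lower() for c in log.get("credentials", [])
                   if is_job_board(host_of(c["url"]))})


# Constructed sample logs (not real recaptured data).
SAMPLE_LOGS = [
    {"id": "log-A", "ip": "203.0.113.47",   # VPN + five job boards + two resumes
     "credentials": [
         {"url": "https://www.upwork.com/ab/account-security/login", "user": "jdoe.dev@example.com"},
         {"url": "https://acme.taleo.net/careersection/", "user": "jdoe.dev@example.com"},
         {"url": "https://acme.wd5.myworkdayjobs.com/en-US/careers", "user": "jdoe.dev@example.com"},
         {"url": "https://careers-acme.icims.com/jobs/login", "user": "jdoe.dev@example.com"},
         {"url": "https://boards.greenhouse.io/acme", "user": "jdoe.dev@example.com"}],
     "history": [],
     "files": [r"C:\Users\dev\Desktop\John_Doe_Resume.pdf",
               r"C:\Users\dev\Desktop\resume_original_copy.docx",
               r"C:\Users\dev\Desktop\todo.txt"]},
    {"id": "log-B", "ip": "198.51.100.9",   # VPN only: ordinary firewall bypass
     "credentials": [{"url": "https://accounts.google.com/", "user": "someone@example.com"}],
     "history": ["https://www.youtube.com/", "https://www.reddit.com/"],
     "files": []},
    {"id": "log-C", "ip": "192.0.2.200",    # busy job seeker, but not on the VPN
     "credentials": [{"url": "https://www.upwork.com/", "user": "x@example.com"},
                     {"url": "https://boards.greenhouse.io/foo", "user": "x@example.com"},
                     {"url": "https://foo.taleo.net/", "user": "x@example.com"}],
     "history": [], "files": [r"C:\Users\x\Documents\cv.pdf"]},
]


def triage_all(logs=SAMPLE_LOGS):
    return {log["id"]: triage(log)[0] for log in logs}


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        stage, ev = triage(log)
        print(log["id"], STAGES[stage], ev)
```

Only log-A reaches stage 3; log-B shows why the VPN range alone is a weak pivot, and log-C shows why job-board volume alone is not enough either. In practice each stage is a filter applied to the full log corpus, and `next_pivots` on the confirmed logs supplies the usernames for the next pass.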

Impact: The Fortune 500 and beyond

This process has enabled us to begin to identify the extensiveness of the DPRK campaign, confirming its impact on hundreds of US companies who are interacting and potentially inadvertently hiring DPRK IT workers.

With evidence of this activity going back as far as 2018, the threat continues to grow, and security teams are only now beginning to unravel the unprecedented scale of these hirings.

Our hope is by raising awareness of the issue, security teams can better combat existing risks and prevent unknowingly hiring and granting business access to these individuals in the future.

That said, the tools needed for identity analysis typically sit with security or IT, while it is usually the HR team that vets job candidates. As business practices evolve, operations and security teams need to collaborate on new cross-functional workflows and playbooks that protect the entire organization from emerging threats that slip past traditional controls.

Learn more about how SpyCloud Investigations uncovers hidden risks like employment fraud.
