Mandiant Exposes the Threat of North Korean IT Workers Posing as Foreign Nationals


Introduction

On September 23, 2024, Mandiant released a comprehensive report on the persistent threat posed by North Korean IT workers. Operating under the guise of non-North Korean nationals, these workers infiltrate companies globally to evade sanctions and generate revenue for the North Korean regime. This revenue is crucial for funding weapons of mass destruction (WMD) and ballistic missile programs. Mandiant's report highlights the sophisticated methods employed by these workers and offers insights on how organizations can detect and prevent such threats.

Report Overview

Since 2022, Mandiant has been closely monitoring IT workers aligned with the Democratic People's Republic of Korea (DPRK). These individuals seek remote positions in various industries, using fake identities to gain employment and financial benefits. According to a U.S. government advisory, these workers have exploited privileged access to facilitate malicious cyber activities, a fact corroborated by Mandiant's own incident response engagements.

Mandiant tracks these operations under the designation UNC5267. The workers operate primarily out of China and Russia, with smaller groups in Africa and Southeast Asia. Their strategy involves securing multiple remote jobs under false pretenses while using stolen identities. In some cases, they engage facilitators to help with money laundering and with receiving company-issued equipment. Once employed, these workers often gain elevated access to corporate networks, posing significant security risks.

The report provides detailed examples of fraudulent resumes and identities used by these individuals, showcasing how they create fake profiles with fabricated credentials. One notable instance involved a software engineer profile on Netlify, with stolen images and fake testimonials from high-profile professionals.

The potential consequences of these activities are far-reaching. Besides the direct financial impact—such as the $6.8 million generated from compromised U.S. identities—there's a risk of espionage or disruptive cyber operations. Although Mandiant has yet to observe clear evidence of these workers engaging in espionage, their prolonged access to corporate networks is concerning. Their actions compromise hundreds of companies and individuals, with a focus on Western organizations.

Insights and Analysis

Mandiant's incident response teams have uncovered a variety of tools and techniques used by DPRK IT workers, including remote access solutions like AnyDesk, Chrome Remote Desktop, and VPN services such as AstrillVPN. These tools allow the workers to manage multiple jobs remotely, often from locations far removed from where they claim to reside. Additionally, these workers have been observed using "mouse jiggling" software to remain active across multiple machines.

Organizations can protect themselves from these threats by implementing stricter background checks, including verifying identity through biometrics and requiring notarized identification. It’s essential to monitor the use of remote access tools and VPNs, ensuring they are not used to bypass corporate security policies. Training HR teams to identify inconsistencies in resumes and employment histories is also crucial.
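As an added illustration of the monitoring advice above (not code from the Mandiant report), the following script triages constructed endpoint process-start events for the indicator families the report names: remote access software, Astrill VPN and mouse-jiggling tools. A single remote access tool may be sanctioned IT use, so a host is flagged only when several families co-occur; the process names and log format are assumptions to be tuned per environment.

```python
"""Score endpoint telemetry for the DPRK IT-worker tradecraft described above.

Constructed example: the log records and process names are assumptions, not
data from the Mandiant report. Tune the indicator sets to your environment.
"""
import json
from collections import defaultdict

# Indicator families named in the report; the process names are assumed examples.
REMOTE_ACCESS = {"anydesk.exe", "remoting_host.exe", "teamviewer.exe", "gotoopener.exe"}
VPN_CLIENTS = {"astrill.exe"}
MOUSE_JIGGLERS = {"mousejiggler.exe", "movemouse.exe"}


def score_host(events):
    """Return (score, reasons) for one host's process-start events.

    The score counts distinct indicator families, not raw event volume, so a
    hundred AnyDesk launches still score 1 while AnyDesk + VPN + jiggler scores 3.
    """
    reasons = set()
    for ev in events:
        name = ev["process"].lower()
        if name in REMOTE_ACCESS:
            reasons.add(f"remote access tool: {name}")
        elif name in VPN_CLIENTS:
            reasons.add(f"VPN client: {name}")
        elif name in MOUSE_JIGGLERS:
            reasons.add(f"mouse jiggler: {name}")
    return len(reasons), sorted(reasons)


def triage(log_lines, threshold=2):
    """Group newline-delimited JSON events by host; flag hosts at or above threshold."""
    by_host = defaultdict(list)
    for line in log_lines.strip().splitlines():
        ev = json.loads(line)
        by_host[ev["host"]].append(ev)
    return {host: reasons for host, events in by_host.items()
            for score, reasons in [score_host(events)] if score >= threshold}


# Constructed sample telemetry (not real data).
SAMPLE_LOG = """\
{"host": "LT-0412", "user": "jdoe", "process": "AnyDesk.exe"}
{"host": "LT-0412", "user": "jdoe", "process": "astrill.exe"}
{"host": "LT-0412", "user": "jdoe", "process": "MouseJiggler.exe"}
{"host": "LT-0413", "user": "asmith", "process": "chrome.exe"}
{"host": "LT-0414", "user": "bkim", "process": "TeamViewer.exe"}
"""

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

Only LT-0412 is flagged: LT-0414 runs a remote access tool alone, which under this scoring is a lead for the help desk rather than an alert.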

The DPRK's IT workforce continues to present a significant cyber threat. Mandiant’s report underscores the importance of vigilance and proactive security measures in detecting these activities. Organizations must collaborate with security vendors and leverage threat intelligence to stay ahead of this evolving threat.

For organizations seeking to bolster their defenses, Mandiant offers threat hunting services tailored to individual environments, helping uncover hidden threats and strengthen security postures.

Indicators of Compromise (IOCs)

No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Techniques

Tactic | Technique | ID | Description
Initial Access | Valid Accounts | T1078 | Use of stolen identities to gain access to company systems through legitimate accounts.
Persistence | Remote Access Tools | T1219 | Utilization of AnyDesk, Chrome Remote Desktop, and other tools for persistent access.
Command and Control | VPN Use | T1090.003 | Use of Astrill VPN to maintain anonymity and secure remote access.
Defense Evasion | Masquerading | T1036 | Creation of fraudulent resumes and identities to conceal true affiliations.
Defense Evasion | Application Layer Protocol | T1071.001 | Use of remote desktop software (GoToRemote, TeamViewer) for evading detection.

References:

Staying a Step Ahead: Mitigating the DPRK IT Worker Threat. Google Cloud Blog (Mandiant), September 23, 2024. Summary: North Korea's IT workforce presents a persistent and escalating cyber threat.