CrowdStrike investigated 320 North Korean IT worker cases in the past year
North Korean operatives seeking and gaining technical jobs with foreign companies kept CrowdStrike busy, accounting for almost one incident response case or investigation per day in the past year, the company said in its annual threat hunting report released Monday.
“We saw a 220% year-over-year increase in the last 12 months of Famous Chollima activity,” Adam Meyers, senior vice president of counter adversary operations, said during a media briefing about the report.
“We see them almost every day now,” he said, referring to the North Korean state-sponsored group of technical specialists that has crept into the workforce of Fortune 500 companies and small-to-midsized organizations across the globe.
CrowdStrike’s threat-hunting team investigated more than 320 incidents involving North Korean operatives gaining remote employment as IT workers during the one-year period ending June 30.
“It’s not just in the United States anymore,” Meyers said. The threat group escalated its operations throughout the past year, landing jobs at companies based in Europe, Latin America and elsewhere to earn salaries that are sent back to Pyongyang.
CrowdStrike researchers found that Famous Chollima sustained that pace of activity with an assist from generative artificial intelligence tools, which helped North Korean operatives navigate hiring workflows and evade detection during the hiring process.
“They use generative AI across all stages of their operation,” Meyers said. The insider threat group used generative AI to draft resumes, create false identities, build tools for job research, mask their identity during video interviews and answer questions or complete technical coding assignments, the report found.
CrowdStrike said North Korean tech workers also used generative AI on the job to help with daily tasks and manage various communications across multiple jobs — sometimes three to four — they worked simultaneously.
Threat hunters observed other significant shifts in malicious activity during the past year, including a 27% year-over-year increase in hands-on-keyboard intrusions — 81% of which involved no malware. Cybercrime accounted for 73% of all interactive intrusions during the one-year period.
CrowdStrike continues to find and add more threat groups and clusters of activity to its matrix of cybercriminals, nation-state attackers and hacktivists. The company identified 14 new threat groups or individuals in the past six months, Meyers said.
“We’re up to over 265 named adversary groups that we track, and then 150 what we call malicious activity clusters,” otherwise unnamed threat groups or individuals under development, Meyers said. “This problem becomes more protracted and continues to proliferate into other countries that are looking to evolve their intelligence collection and espionage programs by adding offensive cyber operations.”