CISOOnline

Behavioral XDR and threat intel nab North Korean fake IT worker within 10 days of hire

When an admin from the organization activated the new hire’s EntraID account, the team observed that the new hire signed in to EntraID from a Dallas, Texas, IP address, a deviation from his usual login region (China). The EntraID login originated from an unmanaged device and used an IP address belonging to the Astrill VPN, which is typically used by North Korea-linked IT workers.

Tue Luu, threat detection engineer at LevelBlue SpiderLabs, told CSO that it was the threat intelligence correlation that set alarm bells ringing. “These things are seldom determined by a single piece of information or telemetry or behavior; rather, they result from a confluence of suspicions and statistical anomalies.”
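The correlation Luu describes, written out as an added example (not LevelBlue's detection logic or any code from the article): three weak signals from a sign-in event are scored together, and no single one crosses the alert threshold on its own. The user, field names, the baseline, and the threat-intel VPN range are constructed assumptions; the range is an RFC 5737 documentation block standing in for a real anonymizer feed.

```python
import ipaddress

# Constructed sample data, not taken from the article.
BASELINE_COUNTRIES = {"newhire@example.invalid": {"CN"}}   # countries seen in prior sign-ins
VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]     # placeholder for a threat-intel VPN feed
SIGNINS = [
    {"user": "newhire@example.invalid", "ip": "203.0.113.42", "country": "US",
     "city": "Dallas", "managed_device": False},
    {"user": "newhire@example.invalid", "ip": "198.51.100.7", "country": "CN",
     "city": "Shenzhen", "managed_device": True},
]

# Weights are chosen so that no single signal reaches the threshold alone.
WEIGHT_GEO_DEVIATION = 1
WEIGHT_UNMANAGED_DEVICE = 1
WEIGHT_THREAT_INTEL_IP = 2
ALERT_THRESHOLD = 3


def score_signin(event, baseline=BASELINE_COUNTRIES, vpn_ranges=VPN_RANGES):
    """Return (score, reasons) for one sign-in event.

    Each independent anomaly adds its weight; the reasons list records
    which signals fired so an analyst can see the confluence, not just a number.
    """
    score, reasons = 0, []
    usual = baseline.get(event["user"], set())
    if usual and event["country"] not in usual:
        score += WEIGHT_GEO_DEVIATION
        reasons.append(f"geo deviation: {event['country']} not in {sorted(usual)}")
    if not event["managed_device"]:
        score += WEIGHT_UNMANAGED_DEVICE
        reasons.append("sign-in from unmanaged device")
    addr = ipaddress.ip_address(event["ip"])
    if any(addr in net for net in vpn_ranges):
        score += WEIGHT_THREAT_INTEL_IP
        reasons.append("source IP matches threat-intel VPN range")
    return score, reasons


def triage(events, threshold=ALERT_THRESHOLD):
    """Return (ip, score, reasons) for every event at or above the threshold."""
    alerts = []
    for event in events:
        score, reasons = score_signin(event)
        if score >= threshold:
            alerts.append((event["ip"], score, reasons))
    return alerts


if __name__ == "__main__":
    for ip, score, reasons in triage(SIGNINS):
        print(ip, score, reasons)
```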

The North Korean fake IT worker scheme can allow operatives to steal sensitive data, proprietary source code, trade secrets, and intellectual property. It can expose organizations to ransom demands and the harvesting of credentials to maintain persistent unauthorized access.
