North Korean IT workers, disguised as non-North Koreans, infiltrate various industries to generate revenue for their regime, evading sanctions and funding WMD programs by exploiting privileged access to enable cyber intrusions.
Facilitators, often non-North Koreans, assist these workers by laundering money, hosting company laptops, using stolen identities, and accessing international financial systems, which help the workers evade detection and maintain their positions.
UNC5267 is a North Korean threat group that leverages compromised identities to infiltrate Western companies, primarily in the U.S. tech sector, which operate remotely from locations like China and Russia and gain initial access through job applications and contractor roles.
Once inside, they engage in various tasks, often holding multiple positions simultaneously. Their objectives include financial gain, long-term network access, and potential espionage or disruptive activities.
Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration
Researchers observed a campaign by DPRK IT workers using fraudulent resumes to gain remote IT positions. The resumes contained inconsistencies like US addresses with non-North American education and reused content.
Once employed, the workers accessed victim companies’ laptops remotely via a laptop farm with tools like GoToRemote and TeamViewer, likely from North Korea using Astrill VPN, which was hidden by requesting laptop shipment to a location different from their claimed residence.
It has been recommended that organizations implement stringent vetting processes to detect DPRK IT workers. These processes include requiring biometric information for background checks, conducting thorough interviews with cameras, and verifying identity through notarized proof.
Organizations should also train HR departments to identify inconsistencies in candidate profiles and monitor for AI to modify profile pictures, which can help organizations mitigate the threat posed by North Korean cyber actors.
To mitigate UNC5267 threats, they must verify phone numbers for VoIP usage, confirm laptop geolocation matches reported residency, restrict remote administration tools, monitor VPN connections, and detect mouse jiggling software.
Additionally, verifying laptop serial numbers, implementing hardware-based multi-factor authentication, and restricting IP-based KVMs can strengthen security against unauthorized access and malicious activities.
To mitigate remote employee risks, implement periodic video checks, provide ongoing security education, collaborate with threat intelligence communities, and restrict financial transactions to U.S. banks.
North Korea’s IT workforce poses a significant cyber threat due to its technical proficiency, evasion tactics, and dual motivations. These include increased frequency and sophistication of data breaches, intellectual property theft, and disruption of critical services.
Organizations must implement robust security measures, raise employee awareness, collaborate with industry peers, and leverage advanced threat detection tools to mitigate this threat.
Mandiant actively supports these efforts through partnerships and intelligence sharing, encouraging affected organizations to come forward and contribute to collective defense against DPRK cyber operations.
Analyse AnySuspicious Links Using ANY.RUN's New Safe Browsing Tool: Try It for Free