Microsoft Threat Intelligence analysts are presenting groundbreaking research on North Korean and Chinese hacking activities, shedding light on years of threat actor tracking, infrastructure monitoring, and attacker tooling analysis at this year’s CYBERWARCON.
The presentation “DPRK – All grown up” focuses on North Korea’s evolving computer network exploitation capabilities over the past decade.
North Korean threat actors have successfully stolen billions of dollars in cryptocurrency, and they have developed and used multiple zero-day exploits.
Beyond that, these threat actors have become experts in cryptocurrency, blockchain, and AI technology.
North Korea has found ways to circumvent financial barriers imposed by the United States and other countries:
- Deployment of North Korean IT workers in Russia, China, and other countries.
- These workers pose as non-North Korean individuals to perform legitimate IT work.
- The revenue generated from this work helps fund North Korea’s weapons programs.
Microsoft observed that North Korean threat actors primarily pursue cryptocurrency and financial theft to fund weapons programs, along with information related to weapons systems, sanctions, and policy decisions.
In addition, they perform IT work to generate revenue for the weapons program.
Microsoft’s presentation “No targets left behind” introduces Storm-2077, a Chinese threat actor specializing in intelligence collection. This actor targets:
- Government agencies
- Non-governmental organizations
- Defense Industrial Base (DIB)
- Aviation sector
- Telecommunications industry
- Financial and legal services
Specific North Korean Threat Actors
Sapphire Sleet
This actor has been active since at least 2020, focusing on cryptocurrency theft and network exploitation. Their methods include:
- Masquerading as venture capitalists to set up online meetings with targets.
- Posing as recruiters on professional platforms like LinkedIn.
Ruby Sleet
Active since 2020, Ruby Sleet has significantly increased its phishing operation sophistication:
- Signing malware with legitimate but compromised certificates.
- Distributing backdoored VPN clients and other software.
- Developing custom capabilities for specific targets.
North Korean IT workers are described as a “Triple Threat,” posing a significant risk because they:
- Earn money for the regime through legitimate IT work.
- Potentially access sensitive intellectual property and trade secrets.
- May steal and ransom sensitive company data.
Organizations can protect themselves by following guidance from US government agencies on identifying North Korean IT workers.
This includes educating HR and hiring managers on the signs of potential North Korean IT workers and implementing simple verification techniques during remote work interactions.
As cyber threats from North Korea and China continue to evolve, Microsoft’s presentations at CYBERWARCON 2024 provide crucial insights into the tactics, techniques, and procedures employed by these sophisticated threat actors.