Microsoft Threat Intelligence analysts have shared new insights into North Korean and Chinese threat actors. At the recent CYBERWARCON, the analysts shared details on the rise in attacks, the evolution of threat actor tactics, and the strategies employed by various state-backed groups.
Key highlights of the conference included detailed insights into North Korea’s cyber capabilities and the introduction of a new Chinese threat actor, Storm-2077, whose operations have been targeting government entities and organizations worldwide.
North Korean Hackers: A Decade of Evolving Tactics
One of the most talked-about presentations at CYBERWARCON was titled “DPRK – All Grown Up,” where Microsoft analysts shared how North Korean threat actors have advanced their cyber capabilities over the past ten years.
North Korea has successfully built an extensive computer network exploitation (CNE) capability, leveraging cutting-edge tools to steal billions of dollars, primarily in cryptocurrency, and target organizations involved with satellite systems and weapons technologies.
The presentation highlighted the actors’ expertise in exploiting zero-day vulnerabilities and in using cryptocurrency, blockchain, and AI technologies to enhance their attacks. As part of their ongoing efforts to circumvent global sanctions, North Korea has deployed IT workers in countries like Russia and China.
These workers pose as individuals from non-North Korean nations, providing seemingly legitimate IT services while secretly generating revenue to fund North Korea’s weapons programs.
Microsoft analysts emphasized the three primary objectives of North Korean threat actors:
- Stealing money and cryptocurrency to fund the country’s weapons programs.
- Gathering sensitive information regarding weapons systems and policy decisions.
- Using IT work to generate revenue that directly supports North Korea’s military and cyber programs.
Storm-2077: A New Chinese Threat Actor
In addition to tracking North Korean cyber activities, Microsoft also provided an in-depth look into Storm-2077, a Chinese state-sponsored threat actor that has been active since at least January 2024.
This group, which Microsoft has identified through extensive intelligence collection, has launched widespread attacks targeting a diverse range of sectors, including government agencies, non-governmental organizations (NGOs), and industries such as defense, aviation, telecommunications, and financial services.
Storm-2077 is a highly sophisticated actor that conducts intelligence collection operations, using phishing to obtain initial access and then operating from the compromised systems. They are notorious for using valid credentials and abusing cloud-based applications to steal sensitive data, including emails, which may contain sign-in credentials, financial information, intellectual property, and confidential communications.
Microsoft’s research into Storm-2077 has shown that the group is particularly adept at exfiltrating email data. By stealing credentials and gaining access to cloud applications such as eDiscovery tools, Storm-2077 can access vast amounts of sensitive information without immediate detection. Their operations are designed to extract intelligence without leaving a trace, allowing them to use the data for future attacks or strategic purposes.
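The technique described above, legitimate credentials driving a cloud eDiscovery tool to pull mailbox content in bulk, is one defenders can look for in cloud audit logs. The following Python script is an added illustration and is not Microsoft's code or anything presented at CYBERWARCON. It models a small baseline check over unified-audit-log style records: eDiscovery search and export operations are compared against the set of users expected to hold that role, the organisation's known egress IPs, and business hours. The sample records are constructed for this example, and the operation names (SearchCreated, SearchStarted, SearchExported), users and IP addresses are assumptions chosen for illustration, not values from the article.

```python
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records, loosely modelled on Microsoft 365 unified audit log
# entries. The field names follow the common record layout; the Operation values,
# users and IPs below are assumptions for this example, not data from the article.
SAMPLE_LOG = """
{"CreationTime":"2024-03-04T09:12:00","UserId":"analyst@example.org","Operation":"MailItemsAccessed","ClientIP":"203.0.113.10","Workload":"Exchange"}
{"CreationTime":"2024-03-04T23:41:00","UserId":"analyst@example.org","Operation":"SearchCreated","ClientIP":"198.51.100.7","Workload":"SecurityComplianceCenter"}
{"CreationTime":"2024-03-04T23:44:00","UserId":"analyst@example.org","Operation":"SearchExported","ClientIP":"198.51.100.7","Workload":"SecurityComplianceCenter"}
{"CreationTime":"2024-03-05T10:05:00","UserId":"ediscovery-admin@example.org","Operation":"SearchCreated","ClientIP":"203.0.113.10","Workload":"SecurityComplianceCenter"}
"""

# Baseline the check compares against (assumed values for this example):
# who is expected to run eDiscovery searches, from which egress IPs, and when.
AUTHORIZED_EDISCOVERY_USERS = {"ediscovery-admin@example.org"}
KNOWN_EGRESS_IPS = {"203.0.113.10"}
EDISCOVERY_OPERATIONS = {"SearchCreated", "SearchStarted", "SearchExported"}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 in the log's timezone


@dataclass
class Finding:
    user: str
    operation: str
    client_ip: str
    reasons: tuple


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def assess_record(rec):
    """Return a Finding for an eDiscovery operation that deviates from the
    baseline, or None if the record is not an eDiscovery operation or is
    entirely within baseline."""
    if rec.get("Operation") not in EDISCOVERY_OPERATIONS:
        return None
    reasons = []
    if rec["UserId"] not in AUTHORIZED_EDISCOVERY_USERS:
        reasons.append("user not in eDiscovery role baseline")
    if rec["ClientIP"] not in KNOWN_EGRESS_IPS:
        reasons.append("unrecognised client IP")
    if datetime.fromisoformat(rec["CreationTime"]).hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if rec["Operation"] == "SearchExported":
        # Exports are the exfiltration step, so every one is surfaced for review
        # even when the user and source are otherwise within baseline.
        reasons.append("bulk export of search results")
    if not reasons:
        return None
    return Finding(rec["UserId"], rec["Operation"], rec["ClientIP"], tuple(reasons))


def detect(text):
    """Run the baseline check over a block of audit records and return findings."""
    return [f for f in map(assess_record, parse_records(text)) if f is not None]


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(f"{finding.user} {finding.operation} from {finding.client_ip}: "
              + "; ".join(finding.reasons))
```

Run against the constructed sample, the two night-time search and export events by the non-eDiscovery user from an unknown address are reported, while the ordinary mailbox access and the authorised administrator's daytime search are not. In a real deployment the baseline sets would be fed from role assignments and network inventory rather than hard-coded, and the export reason would typically be weighted rather than treated as a flat alert.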
Tracking and Attribution: Challenges in Cyber Operations
A major challenge in tracking Chinese state-sponsored cyber operations, as discussed in the talk “No Targets Left Behind,” is the overlap in tactics used by various Chinese threat actors. As these groups continually adjust their methods to evade detection, it becomes increasingly difficult to distinguish between them. Microsoft’s analysts explained how they pieced together the activities of Storm-2077, drawing from overlapping attack patterns and identifying unique markers that allowed them to attribute these operations to the Chinese state.
By meticulously tracking the group’s activities, Microsoft has identified a trend in the types of organizations targeted and the tools used. Storm-2077 primarily focuses on intelligence collection and aims to gather as much sensitive information as possible across multiple industries. This level of sophistication and persistence makes them a significant threat to national security and global industries alike.
Sapphire Sleet: North Korean Attacks on Cryptocurrency
In addition to its discussion of North Korean IT workers and state-sponsored cyber actors, Microsoft presented on the group known as Sapphire Sleet, a North Korean cyber unit that has been responsible for large-scale cryptocurrency theft. Operating since at least 2020, Sapphire Sleet has stolen millions of dollars in cryptocurrency from various companies. Their modus operandi includes social engineering techniques like posing as venture capitalists or recruiters to manipulate victims into downloading malware.
In one particularly common tactic, Sapphire Sleet initiates online meetings under the guise of discussing potential investments. When the victim attempts to connect, they are met with a frozen screen or an error message, prompting them to reach out for technical support. This contact initiates the malware download, compromising the victim’s device and allowing the attacker to steal cryptocurrency and other sensitive data.
Furthermore, the group has been observed using platforms like LinkedIn to pose as recruiters, reaching out to potential targets under the guise of job opportunities. They then trick victims into completing fraudulent skills assessments that lead to malware infections.
The Role of North Korean IT Workers in Cyber Operations
An increasingly concerning element of North Korean cyber activity involves the regime’s network of IT workers, who operate globally to generate revenue for the government. These workers, often located in countries like Russia and China, perform remote IT tasks for companies while secretly advancing North Korea’s cyber capabilities.
Microsoft has tracked these workers’ activities, revealing a network of facilitators who assist them in creating fake profiles and job applications. This practice allows North Korea to bypass sanctions and generate significant income while continuing to fund its weapons programs.
The North Korean IT worker network is considered a “triple threat” by Microsoft, as these workers:
- Perform legitimate IT tasks to generate revenue.
- Steal sensitive information, including intellectual property and trade secrets.
- Potentially extort companies by threatening to release stolen data unless paid.
The scale of this network is vast, with hundreds of fake profiles and portfolios used by these workers to gain employment through platforms like GitHub, LinkedIn, and Upwork. In some cases, AI tools such as Faceswap have been used to create convincing photos of North Korean IT workers, further complicating efforts to track and identify them.