North Korean Group Infiltrated 100-Plus Firms with Imposter IT Pros (csoonline.com) 16
"CrowdStrike has continued doing what gave it such an expansive footprint in the first place," writes CSO Online — "detecting cyber threats and protecting its clients from them."
They interviewed Adam Meyers, CrowdStrike's SVP of counter adversary operations, whose team produced their 2024 Threat Hunting Report (released this week at the Black Hat conference). Of seven case studies presented in the report, the most daring is that of a group CrowdStrike calls Famous Chollima, an alleged DPRK-nexus group. Starting with a single incident in April 2024, CrowdStrike discovered that a group of North Koreans, posing as American workers, had been hired for multiple remote IT worker jobs in early 2023 at more than thirty US-based companies, including aerospace, defense, retail, and technology organizations.
CrowdStrike's threat hunters discovered that after obtaining employee-level access to victim networks, the phony workers performed at minimal enough levels to keep their jobs while attempting to exfiltrate data using Git, SharePoint, and OneDrive and installing remote monitoring and management (RMM) tools RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. The workers leveraged these RMM tools with company network credentials, enabling numerous IP addresses to connect to victims' systems.
CrowdStrike's OverWatch hunters, a team of experts conducting analysis, hunted for RMM tooling combined with suspicious connections surfaced by the company's Falcon Identity Protection module to find more personas and additional indicators of compromise. CrowdStrike ultimately found that over 100 companies, most US-based technology entities, had hired Famous Chollima workers. The OverWatch team contacted victimized companies to inform them about potential insider threats and quickly corroborated its findings.
Thanks to Slashdot reader snydeq for sharing the news.
They interviewed Adam Meyers, CrowdStrike's SVP of counter adversary operations, whose team produced their 2024 Threat Hunting Report (released this week at the Black Hat conference). Of seven case studies presented in the report, the most daring is that of a group CrowdStrike calls Famous Chollima, an alleged DPRK-nexus group. Starting with a single incident in April 2024, CrowdStrike discovered that a group of North Koreans, posing as American workers, had been hired for multiple remote IT worker jobs in early 2023 at more than thirty US-based companies, including aerospace, defense, retail, and technology organizations.
CrowdStrike's threat hunters discovered that after obtaining employee-level access to victim networks, the phony workers performed at minimal enough levels to keep their jobs while attempting to exfiltrate data using Git, SharePoint, and OneDrive and installing remote monitoring and management (RMM) tools RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. The workers leveraged these RMM tools with company network credentials, enabling numerous IP addresses to connect to victims' systems.
CrowdStrike's OverWatch hunters, a team of experts conducting analysis, hunted for RMM tooling combined with suspicious connections surfaced by the company's Falcon Identity Protection module to find more personas and additional indicators of compromise. CrowdStrike ultimately found that over 100 companies, most US-based technology entities, had hired Famous Chollima workers. The OverWatch team contacted victimized companies to inform them about potential insider threats and quickly corroborated its findings.
Thanks to Slashdot reader snydeq for sharing the news.
I wouldn't be surprised if it were deliberate... (Score:4, Insightful)
With all the push for offshoring to the cheapest people possible, I wouldn't be surprised if some companies knew they were moving work to the DPRK, via some offshore consultant company, where the company would give enough plausible deniability for the company, if it was ever found out. Those people that were claimed to be from Bangalore... would really be working out of Pyongyang. AFIAK, a consulting company in India could do this legally, as it doesn't run afoul of any Indian laws.
I wouldn't be surprised if entire development teams and such are in North Korea, with the main company playing wink, wink, nod, nod... as they are getting people cheap who are not going to gripe about conditions.
Re: (Score:2)
With all the push for offshoring to the cheapest people possible, I wouldn't be surprised if some companies knew they were moving work to the DPRK, via some offshore consultant company, where the company would give enough plausible deniability for the company, if it was ever found out. Those people that were claimed to be from Bangalore... would really be working out of Pyongyang. AFIAK, a consulting company in India could do this legally, as it doesn't run afoul of any Indian laws.
I wouldn't be surprised if entire development teams and such are in North Korea, with the main company playing wink, wink, nod, nod... as they are getting people cheap who are not going to gripe about conditions.
I guess that's the one advantage of physically importing them here ... you know they aren't North Koreans. (Though the ensuing chain migration has it's costs ... )
Re: (Score:2)
a consulting company in India could do this legally, as it doesn't run afoul of any Indian laws.
just stipulate in contract that violations of secrecy result in being fed to a woodchipper feet first.
Another reason for return to office (Score:2)
Have your programming team(s) show up and introduce themselves, get the lay of the land, lay out your strategy, etc.
No way that porcine dolt would let his people out of the country.
Re: (Score:2)
Just like in the old Soviet Union their family is kept as hostages.
Re: (Score:2)
True, but if the North Korean is posing as Sanjay from Rajamistan, they'll look a bit suspicious when they show up in the office. They might be able to pull off posing as a South Korean, but there are obvious clues which would give them away if the recruiter is paying attention.
Re: (Score:3)
Sanjay from Rajamistan might gladly accept a sizeable payment to act like a hire and simply forward everything to N. Korea.
Re: (Score:2)
This is a failure of corporate management (Score:2)
So while there
Massive bullshit (Score:2)
Re: Massive bullshit (Score:2)
No.
Please refer to the 38+ developed economies with mature worker protections via unionism as opposed to the outlier that ruthlessly exploits its workforce with hardly any checks and balances.
Isn't that old news? (Score:2)
Looks like ClownStroke needs to lay town some smoke.
I'm sorry, but (Score:2)
I don't think I will ever take any statement from Crowdstrike as anything more than fake news. These researches shouldn't have disclosed their affiliation with Crowdstrike if they wanted to be taken seriously.