Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Crime Security

North Korean Group Infiltrated 100-Plus Firms with Imposter IT Pros (csoonline.com) 16

"CrowdStrike has continued doing what gave it such an expansive footprint in the first place," writes CSO Online — "detecting cyber threats and protecting its clients from them."

They interviewed Adam Meyers, CrowdStrike's SVP of counter adversary operations, whose team produced their 2024 Threat Hunting Report (released this week at the Black Hat conference). Of seven case studies presented in the report, the most daring is that of a group CrowdStrike calls Famous Chollima, an alleged DPRK-nexus group. Starting with a single incident in April 2024, CrowdStrike discovered that a group of North Koreans, posing as American workers, had been hired for multiple remote IT worker jobs in early 2023 at more than thirty US-based companies, including aerospace, defense, retail, and technology organizations.

CrowdStrike's threat hunters discovered that after obtaining employee-level access to victim networks, the phony workers performed at minimal enough levels to keep their jobs while attempting to exfiltrate data using Git, SharePoint, and OneDrive and installing remote monitoring and management (RMM) tools RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. The workers leveraged these RMM tools with company network credentials, enabling numerous IP addresses to connect to victims' systems.

CrowdStrike's OverWatch hunters, a team of experts conducting analysis, hunted for RMM tooling combined with suspicious connections surfaced by the company's Falcon Identity Protection module to find more personas and additional indicators of compromise. CrowdStrike ultimately found that over 100 companies, most US-based technology entities, had hired Famous Chollima workers. The OverWatch team contacted victimized companies to inform them about potential insider threats and quickly corroborated its findings.

Thanks to Slashdot reader snydeq for sharing the news.
This discussion has been archived. No new comments can be posted.

North Korean Group Infiltrated 100-Plus Firms with Imposter IT Pros

Comments Filter:
  • by ctilsie242 ( 4841247 ) on Saturday August 10, 2024 @01:53PM (#64695022)

    With all the push for offshoring to the cheapest people possible, I wouldn't be surprised if some companies knew they were moving work to the DPRK, via some offshore consultant company, where the company would give enough plausible deniability for the company, if it was ever found out. Those people that were claimed to be from Bangalore... would really be working out of Pyongyang. AFIAK, a consulting company in India could do this legally, as it doesn't run afoul of any Indian laws.

    I wouldn't be surprised if entire development teams and such are in North Korea, with the main company playing wink, wink, nod, nod... as they are getting people cheap who are not going to gripe about conditions.

    • With all the push for offshoring to the cheapest people possible, I wouldn't be surprised if some companies knew they were moving work to the DPRK, via some offshore consultant company, where the company would give enough plausible deniability for the company, if it was ever found out. Those people that were claimed to be from Bangalore... would really be working out of Pyongyang. AFIAK, a consulting company in India could do this legally, as it doesn't run afoul of any Indian laws.

      I wouldn't be surprised if entire development teams and such are in North Korea, with the main company playing wink, wink, nod, nod... as they are getting people cheap who are not going to gripe about conditions.

      I guess that's the one advantage of physically importing them here ... you know they aren't North Koreans. (Though the ensuing chain migration has it's costs ... )

    • a consulting company in India could do this legally, as it doesn't run afoul of any Indian laws.

      just stipulate in contract that violations of secrecy result in being fed to a woodchipper feet first.

  • Have your programming team(s) show up and introduce themselves, get the lay of the land, lay out your strategy, etc.

    No way that porcine dolt would let his people out of the country.

    • by Teun ( 17872 )
      The dolt has ways to let people out of his prison and still control them.
      Just like in the old Soviet Union their family is kept as hostages.
      • True, but if the North Korean is posing as Sanjay from Rajamistan, they'll look a bit suspicious when they show up in the office. They might be able to pull off posing as a South Korean, but there are obvious clues which would give them away if the recruiter is paying attention.

        • by gtall ( 79522 )

          Sanjay from Rajamistan might gladly accept a sizeable payment to act like a hire and simply forward everything to N. Korea.

          • Boy you nailed it. Despot foreign governments have very long reaches, and can casually hire a  multi-national harum of spys. And lots of folks hate-on USA (re)publican ideals.  It's a scandal that Wall Street has demanded export of so many high-skill jobs ... both IP and mechanical-tek positions. Individual purchasers do have a choice to determine nation-of-origin for whatever they buy.
  • In their push to make next quarter's numbers (in order to please VCs, investors, shareholders, analysts, etc.) the companies decided to outsource and offshore their employees -- because of course this reduces labor costs. The skimped on everything -- including the interviewing process, which is how these fake workers got it. The skimped on internal security -- because that's how they exploited their positions. They skimped on evaluation -- which is how they kept their jobs. And so on.

    So while there
  • There is no way in hell the companies didn't know what was going on. They wanted and got cheap labor. Cheaper even than what they can get from Indians. And now that they got caught they're all pretending they're the victims.
  • Looks like ClownStroke needs to lay town some smoke.

  • I don't think I will ever take any statement from Crowdstrike as anything more than fake news. These researches shouldn't have disclosed their affiliation with Crowdstrike if they wanted to be taken seriously.

Remember the good old days, when CPU was singular?

Working...