North Korean Hackers Are Targeting Software Developers and Impersonating IT Workers

Cyber Security Threat Summary:
North Korean hackers have notably increased their emphasis on the IT industry, by infiltrating companies involved in software development and organizations seeking IT professionals. On Wednesday, Microsoft disclosed that North Korean affiliated hacking groups Lazarus (Diamond Sleet) and Andariel (Onyx Sleet) have been exploiting a critical authentication bypass vulnerability (CVE-2023-42793) within JetBrains TeamCity server.

“Diamond Sleet was observed using two attack paths: the first consisted in the deployment of ForestTiger backdoor while the second deployed payloads for DLL search-order hijacking attacks. Onyx Sleet used a different attack path: After successfully exploiting the TeamCity vulnerability, the threat actor creates a user account (named krtbgt), runs system discovery commands and finally deploys a proxy tool named HazyLoad to establish persistent connection. “In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments,” Microsoft noted. North Korean state-sponsored hackers have been linked to a social engineering campaign targeting software developers through GitHub. By pretending to be a developer or a recruiter, the attacker managed to convince the victim to collaborate on a GitHub repository and ultimately download and execute malware on its device. Judging by their leveraging of vulnerabilities in DevOps solutions such as TeamCity, it looks like their objectives and goals have remained constant” (HelpNetSecurity, 2023).

North Korean IT professionals are exploiting the scarcity of skilled workers by reaching out to recruiters from firms offering software development and other IT positions. By hiring these individuals, companies risk having their proprietary information or funds stolen and their operations disrupted from within. On Tuesday, the FBI seized 17 website domains that North Korean IT workers had set up to appear as if they were affiliated with legitimate U.S.-based IT service companies. U.S. authorities also confiscated around $1.5 million in earnings made by these IT workers.

Security Officer Comments:
According to court documents, the Government of North Korea dispatched numerous highly skilled IT workers to live abroad, primarily in China and Russia. Their purpose was to deceive businesses worldwide, including those in the United States, into hiring them as freelance IT professionals, all with the objective of generating revenue for North Korea's weapons of mass destruction (WMD) programs, determined by the US Justice Department. This scheme involved the use of anonymous email accounts, social media profiles, payment platforms, and online job site accounts. It also featured the creation of deceptive websites, proxy servers in the United States and other locations, and the involvement of individuals, both knowingly and unknowingly. Through these tactics, the IT workers managed to generate millions of dollars annually on behalf of specific entities, such as the North Korean Ministry of Defense, directly connected to North Korea's UN-prohibited WMD programs. In some cases, these IT workers infiltrated their employers' computer networks to steal information and maintain access for future hacking and extortion activities.

Suggested Correction(s):
Last year, the U.S. Department of State, the U.S. Department of the Treasury, and the Federal Bureau of Investigation issued a warning and guidelines to assist companies seeking IT freelancers in avoiding the inadvertent hiring of North Korean workers. This guidance was updated on Wednesday to include additional "red flags" that may help identify North Korean IT workers, as well as additional due diligence measures that companies should adopt to prevent such hiring.

To reduce the risk of unintentionally hiring North Korean IT workers, companies are advised to:

  • Request background check documentation from third-party staffing firms or outsourcing companies.
  • Verify the authenticity of provided background check documents.
  • Ensure that the financial information matches a legitimate bank.
  • Maintain thorough records of all interactions.
  • Implement strict security protocols.
  • Consider geo-locating company laptops to confirm employee addresses.
Additionally, it is recommended to use reputable online freelance platforms with robust identity verification processes and to avoid direct recruitment through online IT competitions. These measures are crucial to maintaining the security and integrity of the hiring process.