North Korea is taking advantage of one of the major workplace trends of recent years: the rise of remote work. Kim Jong-un's regime has placed thousands of its nationals as workers in companies around the world, the US Department of Justice warns. They are qualified employees too, especially software developers. How do they get hired by American companies without setting off alarm bells? "North Koreans use stolen or borrowed identities of American citizens to pose as domestic workers, infiltrate the systems of American companies and collect revenue for North Korea," the agency said.
Research presented this week by the cybersecurity company CrowdStrike, now known worldwide for the faulty update that a month and a half ago brought down the Windows systems of its clients across the globe, reveals that a single group of North Korean hackers managed to get into more than a hundred American companies, most of them in the technology or fintech sectors and many of them in the Fortune 500. Once hired as remote developers, the hackers installed malicious software on company systems, either to obtain sensitive information or for financial gain.
Ironically, it was the Falcon security agent, whose update crashed Windows in mid-July and turned millions of screens blue, that detected the intrusion. "It all started in April of this year, when a client contacted CrowdStrike after being alerted by the authorities about a malicious infiltration. Our threat research team not only determined who was responsible, but also discovered dozens of other affected organizations," Adam Meyers, head of intelligence and counter-adversary operations at CrowdStrike and an expert in so-called APTs (advanced persistent threats, the term for the best-resourced and most organized threat groups), explained to EL PAÍS. "This campaign, aimed primarily at the technology sector, but also at the aerospace and defense sectors, is a clear reminder of the growing threat posed by infiltrators."
Meyers' team has identified the group, or APT, that carried out this infiltration: it is called Famous Chollima and is a branch of Lazarus, the name under which the hackers operating from North Korea are collectively known. They have resources, a hierarchical structure and a high degree of organisation, which allows them to carry out complex, coordinated and fast attacks. Their staff are divided into departments and perform specialised roles. They are sponsored by the North Korean government, although the authorities officially deny any link with them, just as the USA, Russia, China or Israel deny links with the APTs associated with them.
“Famous Chollima exploited hiring and onboarding processes to gain physical access via remote systems, which were located in intermediary locations. Infiltrators remotely accessed these systems to log into corporate VPNs, posing as developers,” CrowdStrike’s report reads. “This disguise allowed Famous Chollima to gain deep and long-lasting access to dozens of organizations, which for a long time was nearly impossible to detect.”
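The pattern CrowdStrike describes above leaves two signals a defender can look for: several "employees" whose VPN sessions all come from the same external address (one intermediary machine or site serving many identities), and a corporate laptop that receives an inbound remote-control session shortly before its assigned user authenticates to the VPN. The following is an added example written for this page, not code from the article, from CrowdStrike or from any affected company; the log line format, field names, the tool name `remotetool.exe`, the thresholds and the sample log lines are all constructed assumptions for illustration.

```python
"""Added example: two checks over constructed VPN and endpoint logs for the
fake-remote-worker pattern (shared egress IP, remotely driven logins).
Log formats, field names, thresholds and tool names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication lines (assumed format):
# "<ts> vpn user=<u> src=<ip> device=<host> result=<r>"
VPN_LOG = """\
2024-04-02T09:01:10 vpn user=jdoe src=203.0.113.7 device=LT-4412 result=success
2024-04-02T09:03:44 vpn user=mrivera src=203.0.113.7 device=LT-4490 result=success
2024-04-02T09:05:02 vpn user=kchen src=203.0.113.7 device=LT-4501 result=success
2024-04-02T09:07:19 vpn user=asmith src=198.51.100.20 device=LT-3310 result=success
2024-04-02T10:15:00 vpn user=bwong src=198.51.100.21 device=LT-3322 result=success
"""

# Constructed endpoint telemetry lines (assumed format):
# "<ts> endpoint device=<host> event=<e> process=<p> peer=<ip>"
ENDPOINT_LOG = """\
2024-04-02T08:58:30 endpoint device=LT-4412 event=inbound_session process=remotetool.exe peer=192.0.2.44
2024-04-02T09:02:51 endpoint device=LT-4490 event=inbound_session process=remotetool.exe peer=192.0.2.44
2024-04-02T09:06:40 endpoint device=LT-3310 event=process_start process=code.exe peer=-
"""

# Assumed list of remote-control tools not sanctioned on managed laptops.
UNSANCTIONED_REMOTE_TOOLS = {"remotetool.exe"}
SHARED_EGRESS_THRESHOLD = 3            # distinct identities behind one source IP
REMOTE_SESSION_WINDOW = timedelta(minutes=10)


def parse(line):
    """Turn one 'key=value' log line into a dict with a parsed timestamp."""
    ts, _source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def shared_egress(vpn_lines, threshold=SHARED_EGRESS_THRESHOLD):
    """Source IPs from which `threshold` or more distinct users authenticated."""
    users_by_ip = defaultdict(set)
    for rec in map(parse, vpn_lines):
        if rec["result"] == "success":
            users_by_ip[rec["src"]].add(rec["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= threshold}


def remote_driven_logins(vpn_lines, endpoint_lines, window=REMOTE_SESSION_WINDOW):
    """VPN logins from a device that received an inbound remote-control
    session (from an unsanctioned tool) within `window` before the login."""
    sessions = defaultdict(list)
    for rec in map(parse, endpoint_lines):
        if rec["event"] == "inbound_session" and rec["process"] in UNSANCTIONED_REMOTE_TOOLS:
            sessions[rec["device"]].append((rec["ts"], rec["peer"]))
    hits = []
    for rec in map(parse, vpn_lines):
        for session_ts, peer in sessions.get(rec["device"], []):
            if timedelta(0) <= rec["ts"] - session_ts <= window:
                hits.append((rec["user"], rec["device"], peer))
    return hits


if __name__ == "__main__":
    vpn = VPN_LOG.splitlines()
    endpoint = ENDPOINT_LOG.splitlines()
    for ip, users in shared_egress(vpn).items():
        print(f"shared egress {ip}: {users}")
    for user, device, peer in remote_driven_logins(vpn, endpoint):
        print(f"{user} logged in from {device} shortly after a remote session from {peer}")
```

Both checks need tuning before they are useful in production: a shared source address is normal behind a corporate NAT or carrier-grade NAT, so the threshold and an allowlist of known office egress ranges are required, and the remote-session check depends on having endpoint telemetry that records inbound connections by process name. Neither check proves an identity is fraudulent on its own; they are triage signals for the hiring and identity teams the FBI advisory mentioned below.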
For confidentiality reasons, CrowdStrike cannot provide further details about the companies breached or any losses they may have incurred as a result of the intrusion. “The Department of Justice estimates that these actions may have netted the attackers about $6.8 million over two years, but I think we are just scratching the surface of how extensive this campaign was,” Meyers said.
What kind of information were the North Korean cybercriminals after, exactly? "Data that could provide value to the Democratic People's Republic of Korea, such as sensitive business intelligence and proprietary information from numerous technology companies," the Texan adds. Meyers' team believes that Famous Chollima supports North Korea's Munitions Industry Department, which funds and oversees the country's missile and weapons programs. The data thefts are likely related to this.
The Department of Justice is aware of at least 300 companies, including the hundred-plus technology companies identified by CrowdStrike, affected in recent months by this type of infiltration. The FBI published an announcement in May alerting public and private organizations to this trend, offering advice on how to protect businesses from these intrusions and calling for known cases to be reported.
Stealing for the greater glory of the regime
The difficulty of tracing the authorship of cyberattacks, which can be concealed by routing them through chains of servers in other countries, makes cyberspace particularly fertile ground for intelligence operations. Governments know this and, although none of them admit it, it is suspected that those with the means finance and equip elite hacker groups, the APTs, to carry out actions that cannot be attributed to any government, thus avoiding diplomatic incidents.
The missions entrusted to these groups, which are presumed to have capabilities second only to the intelligence services of the major powers, are usually related to obtaining confidential information: industrial espionage, sabotage of uranium enrichment plants, obtaining military documents, and so on.
North Korea's approach is different. Its hacker teams are primarily focused on raising funds for a regime strangled by international sanctions. One of their main sources of income in recent years has been cryptocurrency. Microsoft warned on Friday that Citrine Sleet, a North Korean hacker group, had exploited a zero-day vulnerability (a flaw in a program unknown to its own developers) in Chromium, the open source browser project on which Google's Chrome is built, to break into various organizations and steal cryptocurrency, although the amount stolen is still unknown. The largest digital theft on record was the work of a group under the Lazarus umbrella: it made off with around 600 million euros in cryptocurrency in 2022, to which some specialists add another 400 million stolen the previous year. A report by a United Nations Security Council panel estimates that North Koreans have stolen about $3 billion worth of cryptocurrency since 2017. The same panel estimates that the funds brought in by the hacker groups account for half of the foreign currency that reaches North Korea.
According to journalist Anna Fifield in her book The Great Successor (Capitán Swing, 2021), it was Kim Jong-un, grandson of the founder of the dynasty of dictators, who decided in 2009, when he inherited the reins of the country, that the regime could take full advantage of cyberspace. Inside the country, Internet access is minimal; beyond its borders, however, the digital arena is seen as a powerful instrument for spying, sabotage and theft with hardly any consequences. "Students who show potential aptitude [for computing], some as young as 11, are sent to special schools and then to the Pyongyang Automation University," where "over the course of five years they are taught to hack systems and to write computer viruses," Fifield writes.
The strategy has paid off. The US and UK, as well as Microsoft, credit this organisation with launching WannaCry 2.0 in 2017, the largest ransomware attack in history: the malware hijacked some 300,000 computers in 150 countries, including those of the UK health system, and demanded a ransom in exchange for their release.
Within Lazarus, the different divisions pursue different goals. Meyers' team identifies five distinct factions under that umbrella, which even share a code repository they use to prepare their attacks. Two of them, Stardust Chollima and Labyrinth Chollima, are dedicated exclusively to making money. "We believe that Stardust Chollima belongs to Bureau 121, one of the departments of the Reconnaissance General Bureau," the name by which one of the North Korean spy agencies is known. "They are very focused on financial systems, cryptocurrencies, and new technologies." Famous Chollima, the group behind the fake-employee infiltration, works for the North Korean weapons programme.
Another common practice among North Korean hackers is to try to break into the computers of their foreign counterparts to learn the latest in cybersecurity. At least once, that cost them dearly. In 2022, a year after they tried to infect the computer of Alejandro Cáceres, better known by his hacker aliases P4x or _hyp3ri0n, the American retaliated by knocking out the internet across the whole country for a week. "I know what I did is illegal, but I didn't imagine North Korea taking me to court," he told EL PAÍS.