North Korea's Six-Year Cyber Scheme Nets $88M
A recent investigation has shed light on a sophisticated cyber operation orchestrated by North Korea. The scheme, involving the use of stolen identities to secure remote IT jobs at US-based companies, has been active for over six years and has generated at least $88 million USD for the DPRK.
The probe discovered two infected machines in Lahore, Pakistan, containing credentials linked to the operation. One machine held a saved credential for a registrant email account connected to fake domains, leading to additional compromised accounts. The other machine contained a credential 'jsilver617', potentially tied to the 'J.S.' identity mentioned in a US indictment from December 12, 2024. This indictment charged fourteen North Korean nationals for their role in the scheme.
Browser history on one of the infected hosts revealed Google Translate URLs, indicating translations between English and Korean. This provided insights into the tactics, techniques, and procedures (TTPs) of the North Korean actors behind the remote work scheme. The investigation also uncovered the use of front companies to provide references for fraudulent applicants, along with evidence of how the scheme was recruited for, directed, and operated. Since the scheme's discovery, Fortune 500 companies and firms in the technology and cryptocurrency sectors have reported incidents in which funds, intellectual property, and information were siphoned by these covert operatives.
The investigation underscores the critical need for threat intelligence to protect against such sophisticated threat actor activity. It has provided valuable insights into the tactics and procedures used by North Korean threat actors in this scheme, and has helped to quantify the financial impact of their operations. The discovery of infected machines in Lahore, Pakistan, also highlights the global reach of these cyber operations.