The North Korean threat group UNC5267, active since 2018, consists of IT workers deployed globally, primarily based in China and Russia, who infiltrate Western companies by targeting lucrative tech jobs to gain access to sensitive information and infrastructure.
UNC5267 uses stolen identities to obtain remote positions at a range of organizations, generating illicit income, maintaining persistent access for future exploitation, and potentially conducting espionage or disruptive activities.
DPRK IT workers, typically employed remotely, have been observed gaining elevated access to critical systems; this heightened privilege, combined with the use of fake online profiles to secure remote positions, poses a significant security risk.
Analysis of a Netlify page and a linked Google Docs resume revealed inconsistencies in personal information, educational background, and work history; both resumes contained a similar phrase, suggesting a potential connection between the two identities.
UNC5267 uses fraudulent resumes listing US addresses and foreign education credentials to gain employment; these details often contradict public records and may hinder verification efforts.
The group uses remote administration tools, including GoToRemote, LogMeIn, Chrome Remote Desktop, AnyDesk, TeamViewer, and RustDesk, to access victim laptops hosted in laptop farms, allowing the operators to remotely control the devices and access sensitive data.
DPRK IT workers use Astrill VPN connections and stolen identities to reach these remote management solutions, often have laptops shipped to locations different from their claimed addresses, are reluctant to join video calls, and produce low-quality work, as confirmed by internal investigations and Mandiant’s findings.
Implementing biometric data comparison, rigorous interview procedures including video verification and consistency checks, and addressing IT worker concerns regarding video usage can significantly mitigate the risk of forgery in the background verification process.
Organizations should train HR departments to identify inconsistencies in IT worker profiles and learn common tactics used by threat actors. To combat AI-generated profile pictures, organizations should monitor for their use and consider requiring notarized proof of identity before employment.
To identify potential UNC5267 activity, monitor for VoIP phone numbers, discrepancies in geolocation data, unauthorized remote administration tools, VPN usage, mouse jiggling software, and IP-based KVM devices. Verify laptop serial numbers and enforce physical access through hardware-based multi-factor authentication.
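The indicators listed above (VoIP phone numbers, geolocation discrepancies, unauthorized remote administration tools, VPN usage, mouse-jiggling software) and the shipping-address mismatch described earlier can be turned into a simple triage pass over existing telemetry. The script below is an added example, not code from the original report or from Mandiant: it scores constructed process-inventory and login records against those indicators. The log formats, the `egress` enrichment tag, the `MouseJiggler.exe` process name and all sample records are assumptions made for illustration; the remote administration tool names are the ones the text lists.

```python
"""
Added example (not from the original report): triage constructed endpoint and
login telemetry for the UNC5267 indicators named in the text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Remote administration tools the text names as used on laptop-farm hosts.
REMOTE_ADMIN_TOOLS = (
    "gotoremote", "logmein", "chrome remote desktop", "anydesk", "teamviewer", "rustdesk",
)
# Hypothetical process-name fragments for mouse-jiggling utilities (constructed).
MOUSE_JIGGLER_HINTS = ("jiggler", "mousemove")


@dataclass
class EmployeeRecord:
    user: str
    claimed_state: str      # US state on the resume / HR record
    shipping_state: str     # state the corporate laptop was shipped to
    phone_is_voip: bool     # result of a carrier-type lookup (constructed)
    approved_tools: Set[str] = field(default_factory=set)  # sanctioned remote tools


@dataclass
class Finding:
    user: str
    indicator: str
    detail: str


def parse_process_log(lines: List[str]) -> Dict[str, List[str]]:
    """Parse constructed 'user,host,process' lines into {user: [process, ...]}."""
    by_user: Dict[str, List[str]] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _host, process = (part.strip() for part in line.split(",", 2))
        by_user.setdefault(user, []).append(process)
    return by_user


def parse_login_log(lines: List[str]) -> Dict[str, List[dict]]:
    """Parse constructed 'user,src_ip,geo_state,egress' lines; egress is
    'direct' or the VPN name assigned by an enrichment step (assumed)."""
    by_user: Dict[str, List[dict]] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, src_ip, geo_state, egress = (p.strip() for p in line.split(","))
        by_user.setdefault(user, []).append(
            {"src_ip": src_ip, "geo_state": geo_state, "egress": egress})
    return by_user


def score_employee(emp: EmployeeRecord, processes: List[str], logins: List[dict]) -> List[Finding]:
    """Return one Finding per indicator hit for a single employee."""
    findings: List[Finding] = []
    for proc in processes:
        name = proc.lower()
        for tool in REMOTE_ADMIN_TOOLS:
            if tool in name and tool not in emp.approved_tools:
                findings.append(Finding(emp.user, "remote_admin_tool", proc))
        if any(h in name for h in MOUSE_JIGGLER_HINTS):
            findings.append(Finding(emp.user, "mouse_jiggler", proc))
    for login in logins:
        if login["egress"] != "direct":
            findings.append(Finding(emp.user, "vpn_egress", f"{login['egress']} via {login['src_ip']}"))
        if login["geo_state"] != emp.claimed_state:
            findings.append(Finding(emp.user, "geo_mismatch",
                                    f"login from {login['geo_state']}, claimed {emp.claimed_state}"))
    if emp.shipping_state != emp.claimed_state:
        findings.append(Finding(emp.user, "shipping_mismatch",
                                f"laptop shipped to {emp.shipping_state}, claimed {emp.claimed_state}"))
    if emp.phone_is_voip:
        findings.append(Finding(emp.user, "voip_phone", "phone number resolves to a VoIP carrier"))
    return findings


def triage(employees: List[EmployeeRecord], process_lines: List[str],
           login_lines: List[str]) -> Dict[str, List[Finding]]:
    """Score every employee; users with no telemetry simply get no tool/login hits."""
    procs = parse_process_log(process_lines)
    logins = parse_login_log(login_lines)
    return {e.user: score_employee(e, procs.get(e.user, []), logins.get(e.user, []))
            for e in employees}


# Constructed sample data: one benign profile and one that trips every indicator.
EMPLOYEES = [
    EmployeeRecord("jdoe", "TX", "TX", False, approved_tools={"teamviewer"}),
    EmployeeRecord("asmith", "CA", "AZ", True),
]
PROCESS_LOG = """
# user,host,process
jdoe,lt-0142,teamviewer.exe
jdoe,lt-0142,chrome.exe
asmith,lt-0377,anydesk.exe
asmith,lt-0377,MouseJiggler.exe
"""
LOGIN_LOG = """
# user,src_ip,geo_state,egress
jdoe,203.0.113.10,TX,direct
asmith,198.51.100.25,NY,Astrill VPN
"""

if __name__ == "__main__":
    for user, hits in triage(EMPLOYEES, PROCESS_LOG.splitlines(), LOGIN_LOG.splitlines()).items():
        print(f"{user}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  [{f.indicator}] {f.detail}")
```

The approved-tools allowlist matters: a sanctioned TeamViewer install should not page an analyst, while an unsanctioned AnyDesk on the same fleet should. Each finding is kept separate rather than collapsed into a single score so that a reviewer can see which of the text's indicators fired and in what combination.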
Further mitigation strategies include mandatory video checks for remote employees, ongoing security education and training, collaboration with security communities, restricting financial transactions to U.S. banks, and using updated rules and IOCs in Google SecOps Enterprise+.
North Korea’s IT workforce poses a significant cyber threat because of its technical skills, sophisticated evasion tactics, and dual motivations. Its continued operations, driven by both state objectives and personal gain, are a growing risk to businesses globally, leading to data breaches, financial losses, and disruptions.
To mitigate North Korea’s cyber threat, organizations must adopt a proactive cybersecurity posture, including robust security measures, employee awareness, threat detection tools, and incident response plans.