North Korean hacker group Sapphire Sleet has stolen over $10 million in cryptocurrency through social engineering schemes conducted over six months. Microsoft Threat Intelligence researchers are revealing critical insights into North Korean and Chinese cyber activity at CYBERWARCON, highlighting years of analysis on threat actors, infrastructure, and vulnerabilities.
Hundreds of companies in the US, UK, and Australia have unwittingly hired fake IT staff from North Korea. These workers generated millions in revenue for the Pyongyang regime between 2020 and 2023.
Sapphire Sleet has been active since at least 2020 and has links to both BlueNoroff and APT38, two hacker collectives. In November 2023, a leading tech company uncovered that Sapphire Sleet had created fake infrastructure mimicking skills assessment portals. These were used in social engineering campaigns to exploit unsuspecting users.
North Korean threat actors have employed sophisticated techniques, including zero-day vulnerabilities, to steal billions of dollars’ worth of cryptocurrencies. They have also developed expertise in blockchain, AI, and cryptocurrency technologies, which they leverage to enhance their criminal activities.
Unmasking North Korean Hackers: From Fake Recruiters to Malware
For over a year, Sapphire Sleet has used a technique where they pose as venture capitalists feigning interest in a target’s firm to arrange online meetings. Victims receive error messages when attempting to attend these meetings, prompting them to contact support or the “room administrator”.
If the victim contacts them, the attackers send a Visual Basic Script (.vbs) or an AppleScript (.scpt), purportedly to “fix” the problem. However, these scripts install malware that compromises the victim’s Mac or Windows device, enabling the theft of credentials and cryptocurrency wallets.
According to Microsoft:
The threat actor sends the target user a sign-in account and password. In signing in to the website and downloading the code associated with the skills assessment, the target user downloads malware onto their device, allowing the attackers to gain access to the system.
Recent activity shows that many North Korean hackers are also using LinkedIn to pose as recruiters and job seekers. These fake profiles aim to generate illicit revenue for the heavily sanctioned country.
On GitHub, hundreds of fake North Korean IT worker profiles and portfolios have been identified. Last month, Microsoft discovered a publicly accessible database containing CVs, email addresses, VPS and VPN login credentials, playbooks, personal photos, wallet details, and tracking sheets.
According to Microsoft Threat Intelligence, North Korean IT professionals rely on facilitators to circumvent restrictions and carry out covert operations. They create accounts on multiple platforms, take payments, and transfer funds to accounts they control, making their activities harder to trace than those of typical nation-state threat actors.
These fraudulent IT professionals rely on facilitators for tasks like creating accounts on freelance job websites, renting or setting up bank accounts for transactions, and buying SIM cards or mobile phone numbers because they have limited access to necessary resources like bank accounts or phone numbers in North Korea.
Facilitators also help people create LinkedIn profiles to contact recruiters and acquire remote work, as well as register for extra accounts on multiple platforms.
These fraudulent IT professionals steal identities and use AI technologies to alter images for resumes and job applications submitted under fictitious names. They are also testing voice-changing technologies to improve their fraud.
Microsoft has also discovered Ruby Sleet is running phishing efforts targeting satellite and military firms. The campaigns try to install backdoors and steal sensitive information.
Microsoft also unveiled Storm-2077, a Chinese threat actor, at CYBERWARCON. This state-sponsored group targets organisations in the United States and around the world, including those in aviation, military, finance, legal services, and communications.
Storm-2077, also known as TAG-100, has been active since early 2024 and gains initial access through phishing and edge device vulnerabilities. To extend its access, the group harvests email data and login credentials.
North Korean hackers frequently use low-risk, high-reward techniques, both to compromise computer networks and to place fraudulent IT workers inside organisations. It’s crucial for HR managers, hiring teams, and program managers to recognise potential red flags when dealing with suspected North Korean IT workers.
Simple, non-technical measures such as requiring employees to regularly activate their cameras and verifying that the individual on video matches the one who received the organisation’s equipment can be effective deterrents.