How LevelBlue OTX and Cybereason XDR Detected a North Korea-Linked Remote IT Worker

SpiderLabs, using LevelBlue OTX threat intelligence integrated with Cybereason XDR behavioral analytics, detected and blocked a suspected North Korea-linked operative, hired through a help-wanted ad, after anomalous EntraID logins triggered alerts. The account was terminated within ten days of the first authentication anomalies from IPs 142[.]214.202.2 and 155[.]94.199.59, and an investigation found no residual access. #AstrillVPN #LazarusGroup

Keypoints

  • The organization hired a remote worker who passed standard onboarding but was later identified as a suspected North Korea-linked operative.
  • Cybereason XDR established a behavioral baseline of logins from China and then flagged a geographic/login anomaly from the US and an unmanaged device.
  • Threat intelligence from LevelBlue OTX matched the anomalous login to Astrill VPN infrastructure associated with North Korean actors.
  • Key IPs tied to the suspicious activity included 142[.]214.202.2 and 155[.]94.199.59, triggering high-severity alerts and Intel matches.
  • The user’s EntraID account was revoked on August 25, 2025, limiting the intrusion to a 10-day window with no evidence of persistence or backdoors.
  • Integration of crowdsourced threat intelligence with behavioral analytics enabled rapid detection and response, preventing data exfiltration and further compromise.
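The detection described above combines two signals: a per-user behavioral baseline (here, where the account normally signs in from and whether the device is managed) and a threat-intelligence overlay that matches the sign-in IP against known VPN exit infrastructure. The following Python is an added example written for this summary, not SpiderLabs', LevelBlue's or Cybereason's code. The sign-in records and field names are constructed and simplified (they are not the Entra ID sign-in schema), and the indicator descriptions are assumptions; only the two IP addresses come from the report.

```python
"""Geo/device baseline plus threat-intel match over constructed Entra ID sign-in records."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed indicator set. The two addresses are the ones named in the report
# (written defanged there); the descriptions are assumptions for illustration.
OTX_INDICATORS: Dict[str, str] = {
    "142.214.202.2": "Astrill VPN infrastructure, ASN 7393 CYBERCON",
    "155.94.199.59": "Astrill VPN infrastructure, ASN 36352 HostPapa",
}

# Constructed, simplified sign-in records. Field names are assumptions, not the
# Entra ID schema; 203.0.113.0/24 is documentation address space used as benign input.
HISTORY: List[dict] = [
    {"user": "newhire@example.com", "ip": "203.0.113.10", "country": "CN", "managed": True},
    {"user": "newhire@example.com", "ip": "203.0.113.10", "country": "CN", "managed": True},
    {"user": "newhire@example.com", "ip": "203.0.113.11", "country": "CN", "managed": True},
    {"user": "newhire@example.com", "ip": "203.0.113.11", "country": "CN", "managed": True},
]
NEW_EVENTS: List[dict] = [
    {"user": "newhire@example.com", "ip": "203.0.113.10", "country": "CN", "managed": True},
    {"user": "newhire@example.com", "ip": "142.214.202.2", "country": "US", "managed": False},
    {"user": "newhire@example.com", "ip": "155.94.199.59", "country": "US", "managed": True},
]


@dataclass
class Finding:
    user: str
    ip: str
    severity: str
    reasons: List[str] = field(default_factory=list)


def build_baseline(events: List[dict], min_events: int = 3) -> Dict[str, Set[str]]:
    """Countries a user has signed in from at least min_events times."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["user"]][e["country"]] += 1
    return {u: {c for c, n in cs.items() if n >= min_events} for u, cs in counts.items()}


def evaluate(event: dict, baseline: Dict[str, Set[str]],
             indicators: Dict[str, str]) -> Optional[Finding]:
    """Score one sign-in: behavioral anomalies first, then the intel overlay."""
    reasons: List[str] = []
    known = baseline.get(event["user"], set())
    if event["country"] not in known:
        reasons.append(f"country {event['country']} outside baseline {sorted(known)}")
    if not event["managed"]:
        reasons.append("sign-in from unmanaged device")
    intel = indicators.get(event["ip"])
    if intel:
        reasons.append(f"intel match: {intel}")
    if not reasons:
        return None
    # An intel match alone is high; two behavioral anomalies are medium; one is low.
    severity = "high" if intel else ("medium" if len(reasons) >= 2 else "low")
    return Finding(event["user"], event["ip"], severity, reasons)


def run(history: List[dict] = HISTORY, new_events: List[dict] = NEW_EVENTS,
        indicators: Dict[str, str] = OTX_INDICATORS) -> List[Finding]:
    """Build the baseline from history, then evaluate each new sign-in against it."""
    baseline = build_baseline(history)
    return [f for f in (evaluate(e, baseline, indicators) for e in new_events) if f]


if __name__ == "__main__":
    for finding in run():
        print(finding.severity.upper(), finding.user, finding.ip, "; ".join(finding.reasons))
```

Run on the constructed input, the first new event (a managed device from the baseline country) produces nothing, while the two US sign-ins each produce a high-severity finding because the IP is on the indicator list; the first of them also carries the unmanaged-device reason. Keeping the behavioral check independent of the intel overlay matters: a sign-in from a country outside the baseline still surfaces as a low- or medium-severity finding even when the IP is not yet in any feed.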

MITRE Techniques

  • [T1078] Valid Accounts – Actor gained access via legitimate onboarding credentials, enabling initial access through a hired account (‘Legitimate credentials via hiring process’)
  • [T1133] External Remote Services – Authentication to cloud resources used EntraID as the access vector (‘Entra ID authentication for cloud resources’)
  • [T1090.003] Multi-hop Proxy – Actor used Astrill VPN to mask true origin and appear as domestic login traffic (‘Astrill VPN to mask origin’)

Indicators of Compromise

  • [IP Address] Suspicious authentication events – 142[.]214.202.2 (St. Louis, ASN 7393 CYBERCON), 155[.]94.199.59 (Los Angeles, ASN 36352 HostPapa)
  • [VPN/Service] Infrastructure linked to DPRK operations – Astrill VPN (used to tunnel traffic and mask actor origin)
  • [Autonomous System Number] Network ownership context for suspicious IPs – ASN 7393 (CYBERCON), ASN 36352 (HostPapa)
  • [Identity/Account] Onboarded account involved in detection – EntraID account activated for the new hire (account revoked after detection)

Read more: https://www.levelblue.com/blogs/spiderlabs-blog/how-levelblue-otx-and-cybereason-xdr-detected-a-north-korea-linked-remote-it-worker