Staying Ahead: Reducing the Threat of DPRK IT Workers

North Korea’s IT workers, identified as UNC5267, operate as non-North Korean nationals to gain remote employment with Western companies and funnel revenue to DPRK weapons programs. The report details their evasion tactics, remote-access tools used for persistence, and recommended detection and mitigation measures for organizations. #UNC5267 #DPRKITWorkers #AstrillVPN #AnyDesk #TeamViewer

Keypoints

  • Mandiant has tracked DPRK IT workers since 2022, who pose as non-North Korean nationals.
  • These workers aim to evade sanctions and fund North Korea’s weapons programs.
  • They leverage privileged access obtained through employment for malicious cyber intrusions.
  • UNC5267 is the identified group of these IT workers, primarily based in China and Russia.
  • They often apply for remote positions and may hold multiple jobs simultaneously.
  • Fraudulent resumes and identities are commonly used to secure employment.
  • Remote administration tools are frequently installed on victim laptops for ongoing access.
  • Detection strategies include rigorous background checks and monitoring for unusual remote access activities.
  • Collaboration and information sharing among organizations are crucial for combating this threat.

MITRE Techniques

  • [T1036] Masquerading – Impersonation using stolen identities to apply for jobs. “Using stolen identities to apply for jobs.”
  • [T1219] Remote Access Tools – Utilizing remote management tools like AnyDesk, TeamViewer, and Chrome Remote Desktop. “Utilizing remote management tools like AnyDesk, TeamViewer, and Chrome Remote Desktop.”
  • [T1078] Valid Accounts – Gaining access via compromised credentials. “Gaining elevated access through compromised credentials.”
  • [T1486] Data Encrypted for Impact – Potential use of access for espionage or disruptive activity. “Potential use of access for espionage or disruptive activity.”

Indicators of Compromise

  • [URL] hxxps://daniel-ayala[.]netlify[.]app — a Netlify-hosted resume page used in worker profiling.
  • [IP Address] 103.244.174.154 — associated with Cybernet (PK) in the network IOC table.
  • [IP Address] 104.206.40.138 — associated with Eonix Corporation and AstrillVPN (US) in the network IOC table.
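The detection strategy under the key points (monitoring for unusual remote access activity) and the T1219 tools and network indicators listed above can be turned into a simple endpoint-log sweep. The following is an added example, not code from the report or from Mandiant: it parses a constructed, assumed log format (`<timestamp> host=… proc=… dst=…`), flags the remote administration tools named under T1219 and any connection to the indicators listed in this summary, and triages hosts where both kinds of hit co-occur. The executable names for the tools are assumed common process names, not values from the report; the IP addresses and hostname are the indicators above, refanged for matching.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the report summary above, refanged for matching.
IOC_IPS = {"103.244.174.154", "104.206.40.138"}
IOC_HOSTS = {"daniel-ayala.netlify.app"}

# Remote administration tools named under T1219. The executable names are
# assumed common process names for these products, not values from the report.
RAT_PROCESSES = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "remoting_host.exe": "Chrome Remote Desktop",
}

# Assumed log format (constructed for this example):
#   <timestamp> host=<hostname> proc=<image name> dst=<ip-or-host>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "rat" (remote admin tool seen) or "ioc" (indicator contacted)
    detail: str


def parse_line(line):
    """Return (host, process, destination) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    dst = m.group("dst").rsplit(":", 1)[0]  # drop the port, keep IP or hostname
    return m.group("host"), m.group("proc").lower(), dst.lower()


def analyze(lines):
    """Flag remote-admin tool activity and connections to the report's indicators."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line: skip rather than crash the sweep
        host, proc, dst = parsed
        if proc in RAT_PROCESSES:
            findings.append(Finding(host, "rat", RAT_PROCESSES[proc]))
        if dst in IOC_IPS or dst in IOC_HOSTS:
            findings.append(Finding(host, "ioc", dst))
    return findings


def summarize(findings):
    """Per-host triage: a RAT plus an indicator hit -> high, either one alone -> medium."""
    kinds = defaultdict(set)
    for f in findings:
        kinds[f.host].add(f.kind)
    return {h: ("high" if {"rat", "ioc"} <= k else "medium") for h, k in kinds.items()}


# Constructed sample log lines; hostnames, timestamps and the non-indicator
# destination addresses are made up for this example.
SAMPLE_LOG = [
    "2024-09-23T10:01:02Z host=LAPTOP-17 proc=outlook.exe dst=40.99.10.5:443",
    "2024-09-23T10:02:10Z host=LAPTOP-17 proc=AnyDesk.exe dst=198.51.100.7:443",
    "2024-09-23T10:03:45Z host=LAPTOP-17 proc=chrome.exe dst=104.206.40.138:443",
    "2024-09-23T10:05:00Z host=LAPTOP-22 proc=teams.exe dst=52.113.194.132:443",
    "2024-09-23T10:06:30Z host=LAPTOP-22 proc=chrome.exe dst=daniel-ayala.netlify.app:443",
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f.host}: {f.kind} -> {f.detail}")
    print(summarize(results))
```

Only the hostname, process image and destination are consulted, so the same logic applies to EDR process-network telemetry or proxy logs once the parser is swapped for that source. A host that both runs a remote administration tool and reaches one of the listed indicators is the case the report singles out for ongoing access, which is why it is ranked above a single hit.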

Read more: https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it-worker-threat/