- North Korean hackers have been impersonating job applicants
- These applicants gain employment in western firms
- New research suggests these campaigns have been going on since 2016
North Korean hackers have been making the headlines recently by fraudulently gaining employment in western firms. Research from Sophos’s Counter Threat Unit (CTU) has been tracking this as the Nickel Tapestry campaign, identifying infrastructure links that suggest money-making schemes have been operating since 2016.
The research shows that the campaign is increasingly targeting European and Japanese organizations – probably thanks to increased awareness amongst American companies. These fraudulent job applicants have been observed impersonating Japanese, Vietnamese, and Singaporean professionals, as well as American personas.
Previous research has shown that North Korean hackers are posing as software development recruiters to target freelancers, spreading malware through the recruitment scams and stealing cryptocurrency from victims.
Dual objectives
The salaries earned by the hackers seem to help fund the government interests of the Democratic People’s Republic of Korea – and record breaking crypto scams have also successfully earned the Lazarus hacking group $1.5 billion. Around $300 million of this was successfully converted by the group into unrecoverable funds from this one incident alone, so these campaigns are lucrative for the state.
That’s not all though, as the fraudulent workers have also been observed stealing credentials and exfiltrating data, as well as deliberately gaining employment in industries with sensitive data, like defense, aerospace, and cybersecurity.
These roles allow the workers to use remote access software and AI generated writing, CV building, image editing, and video enhancing tools to impersonate legitimate workers and circumvent default systems.
Organizations are urged to remain vigilant and to check candidate identities thoroughly, and review their CVs and addresses thoroughly, even suggesting in-person interviews where possible.
As remote positions become increasingly popular, companies should “monitor for traditional insider threat activity, suspicious usage of legitimate tools, and impossible travel alerts to detect activity often associated with fraudulent workers” Sophos confirms.
Leave a comment