North Korean hackers are targeting software developers and impersonating IT workers

State-sponsored North Korean hackers have significantly intensified their focus on the IT sector in recent years, infiltrating firms that develop software and companies looking for IT workers.

North Korean hackers targeting developers

Microsoft outlined on Wednesday how North Korea-backed hacking groups Lazarus (Diamond Sleet) and Andariel (Onyx Sleet) have been exploiting a critical authentication bypass vulnerability (CVE-2023-42793) in JetBrains TeamCity server to breach target systems and establish persistent access to compromised hosts, in order to use them as a beachhead for more widespread compromise of companies’ systems and networks.

Diamond Sleet was observed using two attack paths: the first deployed the ForestTiger backdoor, while the second deployed payloads for DLL search-order hijacking attacks.

Onyx Sleet used a different attack path: after successfully exploiting the TeamCity vulnerability, the threat actor creates a user account (named krtbgt), runs system discovery commands and finally deploys a proxy tool named HazyLoad to establish a persistent connection.
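The Onyx Sleet sequence described above (a new account, then discovery commands) can be hunted in Windows Security events 4720 (account created) and 4688 (process created). The following is an added example, not code from Microsoft or this article; the host names, the discovery binary list, the 30-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

KNOWN_ACCOUNT = "krtbgt"  # account name reported in the article
# Assumption: typical Windows discovery binaries; the article does not list the commands.
DISCOVERY = {"whoami.exe", "net.exe", "systeminfo.exe", "tasklist.exe", "ipconfig.exe"}
WINDOW = timedelta(minutes=30)  # assumption: correlation window after account creation

def ts(event):
    return datetime.strptime(event["TimeCreated"], "%Y-%m-%dT%H:%M:%S")

def detect(events, teamcity_hosts):
    """Alert on account creation (4720) on TeamCity hosts; raise severity for the
    reported account name or for discovery process launches (4688) that follow."""
    events = sorted(events, key=ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev["EventID"] != 4720 or ev["Computer"] not in teamcity_hosts:
            continue
        launched = {
            e["NewProcessName"].rsplit("\\", 1)[-1].lower()
            for e in events[i + 1:]
            if e["EventID"] == 4688 and e["Computer"] == ev["Computer"]
            and ts(e) - ts(ev) <= WINDOW
        }
        hits = sorted(launched & DISCOVERY)
        named = ev["TargetUserName"].lower() == KNOWN_ACCOUNT
        severity = "high" if named else "medium" if len(hits) >= 2 else "low"
        alerts.append({"host": ev["Computer"], "account": ev["TargetUserName"],
                       "severity": severity, "discovery": hits})
    return alerts

def _ev(event_id, host, when, **fields):  # builds one constructed sample record
    return {"EventID": event_id, "Computer": host, "TimeCreated": when, **fields}

# Constructed sample events (hypothetical hosts, accounts and times), not real telemetry.
SAMPLE = [
    _ev(4720, "tc-build-01", "2024-01-01T09:00:00", TargetUserName="krtbgt"),
    _ev(4688, "tc-build-01", "2024-01-01T09:01:00", NewProcessName=r"C:\Windows\System32\whoami.exe"),
    _ev(4688, "tc-build-01", "2024-01-01T09:02:00", NewProcessName=r"C:\Windows\System32\systeminfo.exe"),
    _ev(4720, "tc-build-02", "2024-01-01T10:00:00", TargetUserName="svc-backup"),
    _ev(4688, "tc-build-02", "2024-01-01T10:05:00", NewProcessName=r"C:\Windows\System32\net.exe"),
    _ev(4688, "tc-build-02", "2024-01-01T10:06:00", NewProcessName=r"C:\Windows\System32\tasklist.exe"),
    _ev(4688, "tc-build-02", "2024-01-01T11:30:00", NewProcessName=r"C:\Windows\System32\ipconfig.exe"),
    _ev(4720, "hr-laptop-07", "2024-01-01T10:10:00", TargetUserName="intern1"),
]

if __name__ == "__main__":
    print(*detect(SAMPLE, {"tc-build-01", "tc-build-02"}), sep="\n")
```

Event 4688 is only logged when process-creation auditing is enabled on the host, so the discovery correlation depends on that audit policy being in place on build servers.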

“In past operations, Diamond Sleet and other North Korean threat actors have successfully carried out software supply chain attacks by infiltrating build environments,” Microsoft noted.

North Korean state-sponsored hackers have been linked to a social engineering campaign targeting software developers through GitHub. By pretending to be a developer or a recruiter, the attacker managed to convince the victim to collaborate on a GitHub repository and ultimately download and execute malware on their device.

Judging by their exploitation of vulnerabilities in DevOps solutions such as TeamCity, it looks like their objectives have remained constant.

North Korean IT workers: Potential malicious insiders

North Korean IT workers are also taking advantage of the shortage of skilled employees and have been contacting recruiters from companies offering software development and other IT jobs. By hiring these individuals, companies may end up with their trade secrets or funds stolen and their venture sabotaged from the inside.

On Tuesday, the FBI seized 17 website domains used by North Korean IT workers and made to look like they belong to legitimate, US-based IT services companies. The US authorities also seized approximately $1.5 million of revenue earned by those IT workers.

“As alleged in court documents, the Government of the Democratic People’s Republic of Korea (North Korea or DPRK) dispatched thousands of skilled IT workers to live abroad, primarily in China and Russia, with the aim of deceiving U.S. and other businesses worldwide into hiring them as freelance IT workers, in order to generate revenue for its weapons of mass destruction (WMD) programs,” says the US Justice Department.

“Through this scheme, which involves the use of pseudonymous email, social media, payment platform and online job site accounts, as well as false websites, proxy computers located in the United States and elsewhere, and witting and unwitting third parties, the IT workers generated millions of dollars a year on behalf of designated entities, such as the North Korean Ministry of Defense and others, directly involved in the DPRK’s UN-prohibited WMD programs. In some instances, the IT workers also infiltrated the computer networks of unwitting employers to steal information and maintain access for future hacking and extortion schemes.”

Guidance for the IT sector

The US Department of State, the US Department of the Treasury, and the Federal Bureau of Investigation issued a warning and advice last year to help companies that are looking for IT freelancers avoid hiring workers from North Korea.

That guidance was updated on Wednesday to include additional “red flags” possibly identifying North Korean IT workers, as well as additional due diligence measures companies should take to avoid hiring them.

To mitigate the risk of inadvertently hiring North Korean IT workers, companies are advised to request documentation of background checks from third-party staffing firms or outsourcing companies, verify the legitimacy of provided background check documentation, and ensure that financial information provided matches a legitimate bank. It’s also crucial to maintain detailed records of all interactions, implement strict security protocols, and consider geo-locating company laptops to ensure compliance with employee addresses.

Using reputable online freelance platforms with robust identity verification measures and avoiding direct recruitment through online IT competitions are also recommended to maintain the security and integrity of hiring processes.
