North Korean attackers successfully posed as job applicants and placed over 100 of their undercover operatives, primarily at U.S. companies in the aerospace, defense, retail and technology industries.
CrowdStrike's Threat Hunting Report 2024 reveals how the North Korea-nexus adversary FAMOUS CHOLLIMA uses fake and stolen identity documents to get state-backed attackers hired as remote IT workers, exfiltrate data and conduct espionage undetected.
Linked to North Korea's elite Reconnaissance General Bureau (RGB) and Bureau 75, two of the country's most advanced cyber-warfare organizations, FAMOUS CHOLLIMA specializes in insider threats at scale: its operatives illegally take freelance or full-time equivalent (FTE) jobs to earn salaries that are funneled to North Korea to fund its weapons programs, while conducting ongoing espionage at the same time.
“The most alarming aspect of the FAMOUS CHOLLIMA campaign is the sheer scale of this insider threat. CrowdStrike has notified over 100 victims, mostly U.S. companies who unknowingly hired North Korean agents,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, told VentureBeat.
“These individuals infiltrate organizations, particularly within the technology sector, not to make a contribution but to funnel stolen funds directly into the regime's weapons program,” Meyers said.
North Korea seized the chance to exploit trust
“This increase in North Korean remote-work activity shows how adversaries are exploiting trust in our remote work environment,” Meyers noted in a recent interview with VentureBeat.
Knowing that companies let their IT teams work from home by default, and that public opinion in the U.S., Europe, Australia and Asia favored remote work, North Korea saw an opening to exploit the lack of scrutiny and security around remote hiring.
Systematically attacking more than 100 companies to infiltrate them with malicious insiders, then selecting members of an elite attacker team within FAMOUS CHOLLIMA to carry out each insider attack, is unprecedented. It ushers in a new era of cyber warfare and should be a wake-up call for any company hiring remotely today.
“After COVID, remote onboarding became the norm, and so we've seen stolen identities used to pass security checks and get jobs, and then used to exfiltrate data or steal funds. Fifty percent of the cases observed by CrowdStrike were used for data exfiltration. The processes created to facilitate remote work are being weaponized against us,” he said.
Anatomy of North Korea’s insider attack
“Many still underestimate North Korea's cyber capabilities, dismissing it as a 'hermit kingdom.' But they've been investing in cyber talent since the late 1990s, with a strategic emphasis on STEM education from a young age. This latest, sophisticated campaign shows that they are not only a threat, but a sophisticated adversary that we must take seriously. We are only scratching the surface of their operations,” Meyers said.
In 2023, FAMOUS CHOLLIMA initially targeted 30 U.S. companies in the aerospace, defense, retail and technology sectors, posing as U.S. residents applying for remote IT positions. Once hired, the operatives performed minimal tasks related to their role and attempted to exfiltrate data using Git, SharePoint and OneDrive.
The malicious insiders also quickly installed Remote Monitoring and Management (RMM) tools such as RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels and Google Chrome Remote Desktop to maintain persistence on the compromised network. With these tools in place, they could connect to the victim's systems from multiple IP addresses while appearing legitimate and blending in with normal network activity. The insiders were then able to execute commands, establish a foothold and move laterally within the network without immediately raising alarms.
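Two of the behaviours described above, unsanctioned RMM tool launches and one account logging in from several source IPs in a short window, are straightforward to hunt for in endpoint and identity telemetry. The script below is an added illustration written for this article, not CrowdStrike's or VentureBeat's code; the log format, the user names and the process-name-to-tool mapping are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Process-name fragments for RMM tools the report names (mapping is assumed).
RMM_MARKERS = {"rustdesk": "RustDesk", "anydesk": "AnyDesk",
               "code-tunnel": "VS Code Dev Tunnels", "remoting_host": "Chrome Remote Desktop"}

def parse_line(line):
    """Parse a constructed 'ISO-timestamp key=value ...' telemetry line."""
    ts_text, _, rest = line.strip().partition(" ")
    event = {"ts": datetime.fromisoformat(ts_text)}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event

def find_rmm_starts(events):
    """Return (timestamp, user, tool) for each process start matching an RMM marker."""
    hits = []
    for ev in (e for e in events if e.get("event") == "process_start"):
        proc = ev.get("proc", "").lower()
        hits += [(ev["ts"], ev["user"], tool)
                 for marker, tool in RMM_MARKERS.items() if marker in proc]
    return hits

def find_multi_ip_logins(events, window=timedelta(hours=24), min_ips=3):
    """Flag accounts seen from >= min_ips distinct source IPs inside one window."""
    logins = defaultdict(list)
    for ev in (e for e in events if e.get("event") == "login"):
        logins[ev["user"]].append((ev["ts"], ev["src_ip"]))
    flagged = {}
    for user, entries in logins.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            ips = {ip for ts, ip in entries[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = ips
                break
    return flagged
# Constructed sample telemetry: RFC 5737 documentation addresses, made-up users.
SAMPLE_LOG = """\
2024-04-02T09:14:07 user=jdoe event=login src_ip=203.0.113.10
2024-04-02T09:20:11 user=jdoe event=process_start proc=C:\\Users\\jdoe\\AppData\\Local\\AnyDesk\\AnyDesk.exe
2024-04-02T11:02:43 user=jdoe event=login src_ip=198.51.100.7
2024-04-02T15:47:09 user=jdoe event=login src_ip=192.0.2.55
2024-04-02T16:01:30 user=jdoe event=process_start proc=rustdesk.exe
2024-04-03T08:00:00 user=asmith event=login src_ip=203.0.113.20
"""
def analyze(log_text):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"rmm": find_rmm_starts(events), "multi_ip": find_multi_ip_logins(events)}
```

Neither signal is conclusive on its own (legitimate staff travel, and helpdesks use RMM tools), so an RMM launch by an account that also trips the multi-IP check is the combination worth escalating.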
CrowdStrike's report found that organizations are seeing a 70% year-over-year increase in attackers' use of RMM tools, and RMM tool abuse now accounts for 27% of all hands-on-keyboard endpoint attacks. Nowhere was this more evident than in North Korea's massive insider attack on more than 100 leading technology companies.
In April 2024, CrowdStrike Services responded to the first of several incidents in which malicious insiders from FAMOUS CHOLLIMA targeted more than 30 U.S.-based companies. The North Korean agents claimed to be based in the U.S. and had been hired for several remote IT positions in early 2023.
Earlier this year, several investigations into North Korean labor schemes and fraud were already underway. By collaborating with those broader investigations, CrowdStrike was able to identify FAMOUS CHOLLIMA insiders who had applied to or were actively working at more than 100 different companies, most of them U.S.-based technology companies. The repeated detection of similar tactics, techniques and procedures (TTPs) across multiple incidents allowed CrowdStrike to identify a coordinated campaign.
The FBI and the Department of Justice responded quickly, but the massive insider threat continues
On May 16 of this year, the Federal Bureau of Investigation (FBI) published an alert warning American companies that “North Korea is evading U.S. and UN sanctions by targeting private companies to illegally generate significant revenue for the regime.” The Department of Justice (DoJ) has taken swift action against laptop farms that FAMOUS CHOLLIMA recently set up by incentivizing two Americans.
The first indictment, unsealed on May 16, charged an Arizona woman with giving North Korea access to 300 IT companies. A second indictment was served on a man in Nashville, Tennessee, on August 8 for operating a laptop farm that allowed members of FAMOUS CHOLLIMA to work undetected for months at a time, earning salaries that went on to North Korea's weapons program. The indictment warns of the worldwide scope of the group's activities, which span seventeen countries and eleven industries.
“Last week, the Department of Justice arrested a Tennessee man accused of running a laptop farm system that helped North Korean IT workers get remote jobs at Fortune 500 companies. This is consistent with activities that CrowdStrike tracks as FAMOUS CHOLLIMA,” Meyers told VentureBeat.