IT workers from the Democratic People’s Republic of Korea (DPRK) have expanded their operations internationally, particularly in Europe, targeting sectors such as defense and government. These workers use sophisticated tactics, including deception and extortion, to infiltrate companies. Their activities pose significant risks, including data theft and espionage, which underscores the need for increased vigilance by affected organizations.
Affected: organizations hiring DPRK IT workers, defense sector, government sector
Keypoints :
- DPRK IT workers posing as legitimate remote employees are becoming a global threat, particularly in Europe.
- Increased operations have been identified in countries like Germany and Portugal, in addition to the US.
- Workers utilize multiple fabricated personas to gain employment, particularly within defense and government sectors.
- Payment for services is often made through cryptocurrency, obscuring the origin of funds.
- DPRK IT workers are engaging in more aggressive extortion tactics against larger organizations, threatening to leak sensitive data.
- BYOD policies within companies create vulnerabilities that DPRK IT workers exploit for malicious activities.
MITRE Techniques :
- Social Engineering (T1203): Utilized deceptive tactics, including the creation of fake references and personas to gain employment.
- Credential Dumping (T1003): Acquired login credentials for user accounts on European job websites and human capital management platforms.
- Data Encrypted for Impact (T1486): Threatened to release proprietary data and source code obtained during employment.
- Use of External Remote Services (T1133): Targeted BYOD environments to conduct operations without traditional corporate security measures.
Indicator of Compromise :
- [Domain] belgradeuniversity[.]edu
- [Domain] transferwise[.]com
- [Domain] payoneer[.]com
- [Domain] upwork[.]com
- [Domain] telegram[.]org
Full Story: https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale/