We’re accustomed to social engineering being used for credential theft and business email compromise. We’re also accustomed to hearing about the increase in remote work during the pandemic, and how that has expanded organizations’ attack surface.
But another form of deception, another kind of social engineering, is now afflicting the hiring process itself. North Korean threat actors are poaching LinkedIn and Indeed profiles, copying real job-seekers' details into personas of their own, to secure remote jobs at cryptocurrency companies.
North Korea has long used cybercrime as a tool of state policy, seeking to redress, through theft, the effects of worldwide sanctions on its economy. Remote work for cryptocurrency companies is attractive for a variety of reasons. Citing research by Mandiant that follows up and confirms a warning the US Government issued in May, Bloomberg reports:
“According to the Mandiant researchers, by collecting information from crypto companies, North Koreans can gather intelligence about upcoming cryptocurrency trends. Such data – about topics like Ethereum virtual currency, nonfungible tokens and potential security lapses – could give the North Korean government an edge in how to launder cryptocurrency in a way that helps Pyongyang avoid sanctions, said Joe Dobson, a principal analyst at Mandiant.
“‘It comes down to insider threats,’ he said. ‘If someone gets hired onto a crypto project, and they become a core developer, that allows them to influence things, whether for good or not.’”
Some of the attempts have been successful.
“Mandiant researchers said they had identified multiple suspected North Korean personas on employment sites that have successfully been hired as freelance employees. They declined to name the employers.
“‘These are North Koreans trying to get hired and get to a place where they can funnel money back to the regime,’ said Michael Barnhart, a principal analyst at Mandiant.”
This is worker-side deception, in which North Korean operators pose as coders looking for remote work they can use for either direct theft or espionage. There’s a corresponding North Korean employer-side deception in which the Lazarus Group and related DPRK threat groups put up websites that impersonate well-known companies, and on which they post bogus job offers. Bloomberg cites research by Google that identified a North Korean-produced site that impersonated the employment service Indeed.com.
“Other fake domains, created by suspected North Korean operators, impersonated ZipRecruiter, a Disney careers page and a site called Variety Jobs, according to Google.” The goal of these attempts is to induce marks to submit personal and professional information that can be used to either socially engineer the victims, or else to enable DPRK intelligence services to impersonate those victims in other campaigns.
So don’t neglect HR and recruiting in your security training, and keep an eye out for attempts to impersonate your public-facing websites. New-school security awareness training can teach your people how to recognize social engineering tactics, whether they’re worker-side or employer-side.
Bloomberg has the story.