North Korean cybercriminals exploit LinkedIn to trap businesses.
At the US Cyberwarcon conference, researchers from Microsoft Threat Intelligence revealed disturbing practices used by malicious actors from North Korea, who pose as foreign employees in order to trap companies around the world. The strategy aims not only to steal funds to finance weapons programs, but also to collect data on international sanctions before their implementation.
Advanced manipulation tactics
The threat group, known as Sapphire Sleet, has developed sophisticated methods over the years. By creating fake profiles on LinkedIn, it has managed to deceive many organizations. In just six months, these cybercriminals carried out several social engineering campaigns, stealing more than $10 million in cryptocurrencies.
Posing as investors
One of Sapphire Sleet's recent tactics consists of posing as a venture capitalist interested in investing in the target company. The threat actor then attempts to arrange an online meeting. When the victim tries to join, they receive an error message asking them to contact the administrator or help desk. At this point, the cybercriminal, posing as a support member, sends a script that deploys malware on the victim's device. This allows the cybercriminal to recover sensitive information, including cryptocurrency wallets and personal identifiers.
Deceptive recruiters
The group also uses platforms like LinkedIn to pose as recruiters. They contact their victims and ask them to complete a skills assessment form hosted on a site they control. By downloading this form, the victim unintentionally installs malware on their device.
A strategy to circumvent sanctions
Microsoft emphasizes that North Korea does not just exploit computer networks. It also sends thousands of IT workers abroad to generate revenue for the regime. These workers have managed to steal hundreds of millions of dollars, operating mainly from Russia, China and other countries, thereby evading the international sanctions imposed by the United States.
The role of foreign facilitators
These fake IT workers rely on facilitators abroad to access platforms that cannot be reached from North Korea. The facilitators open and rent out bank accounts and purchase SIM cards in their own names. The fake candidates build attractive CVs on platforms like GitHub and LinkedIn, thereby increasing their credibility.
Resumes enhanced by artificial intelligence
Recently, Microsoft discovered a public repository containing data from these fake workers, including resumes, email accounts, VPN information, and images altered with artificial intelligence. These images are used to falsify documents stolen from their victims. Analysis of this repository reveals that these North Korean IT workers practice identity theft, using tools like FaceSwap to insert their own photo into legitimate documents.
Considerable gains
The group of IT workers identified by Microsoft is said to have generated $370,000 in revenue from payments received. To avoid such infiltrations, the researchers recommend raising awareness among human resources managers and implementing rigorous checks on candidates.
Preventive measures to adopt
To protect against these threats, businesses must:
- Train teams on cybersecurity risks.
- Perform thorough identity checks for new hires.
- Ask candidates to periodically activate their camera during online interviews.
- Require IT hires to explain the code they wrote.
These measures will help strengthen business security in the face of growing cyber threats.