Over 100 organizations have been targeted by North Korean hackers posing as legitimate IT workers to steal money and exfiltrate sensitive information, new research reveals.
The threat campaign, operated by a group tracked as FAMOUS CHOLLIMA, involves posing as a locally-based IT technician or software developer, using stolen identities and deepfake technology to pass background checks.
In its 2024 Threat Hunting Report, CrowdStrike reported that since it was first made aware of the insider threat campaign, it had identified at least 100 attempts to embed hackers in firms around the world.
One high-profile case believed to be a part of this campaign involved cybersecurity awareness firm KnowBe4’s CEO publishing a blog post outlining how the firm had hired a North Korean hacker in July.
The report sets out the group’s core TTPs, the regions and sectors they tend to target, as well as further information from the investigation that could help businesses avoid falling prey to similar attacks.
Speaking on CrowdStrike’s Adversary Universe podcast, Adam Meyers, head of counter adversary operations at CrowdStrike, recalled how the company uncovered the scale of the insider threat campaign being perpetrated by FAMOUS CHOLLIMA.
Meyers said he worked closely with Brody Nisbet, director of OverWatch, CrowdStrike’s threat intelligence platform, who first proposed using OverWatch to hunt for insider threats and was able to develop a scalable plan for identifying potential insider threats starting from a single incident response engagement.
After testing the tooling and methodology developed by Nisbet and his team on the initial case, Meyers said the team was able to identify 30 individuals that could be malicious insiders across a number of different organizations.
Over the next two days another 30 firms were flagged as potentially hosting a malicious insider, and over the course of the investigation CrowdStrike was able to identify 100 unique companies that had either been targeted by FAMOUS CHOLLIMA or already had one of its affiliates actively working at the firm.
CrowdStrike’s report noted that almost all of the companies identified as at risk of hosting a malicious insider were based in the US, and that the campaign had predominantly targeted firms in the technology sector.
Other popular targets were companies in the fintech, financial, and professional services markets, according to CrowdStrike.
Meyers explained the group’s motivations appeared to be mainly centered around extracting money from the target, but half of the cases also involved exfiltrating data that could be used in future attacks.
Meyers noted that when CrowdStrike notified the affected customers, most were totally unaware of the threat, and that in many cases the suspected insider was a senior technician at the company.
“Almost every single one of these calls either went in the direction of ‘holy cow, how did you find that’ or it started off with ‘that’s a very serious allegation, that’s a senior developer in our organization’.”
CrowdStrike reported the hackers exploited the recruitment and onboarding process using stolen identities, often modified to fit their likeness, in order to bypass initial background checks.
Local affiliates in the target nation were then used to provide ‘drop locations’ where the fake IT workers could get their company equipment sent. These locations acted as laptop farms that were used to disguise where the workers were actually located.
Law enforcement recently announced the arrest of Matthew Isaac Knoot, a US citizen alleged to have been running one such facility in Nashville, Tennessee.