Source |
RiskIQ |
Identifier |
8617941 |
Publication date |
2024-11-26 20:22:49 (viewed: 2024-11-26 21:08:44) |
Title |
DPRK IT Workers | A Network of Active Front Companies and Their Links to China |
Text |
## Snapshot
SentinelLabs has identified front companies in the DPRK's scheme of impersonating United States-based software and technology consulting businesses to achieve financial objectives. These threat actors have created front companies, copying the online brands of legitimate organizations, and have been linked to a larger set of organizations being established in China.
## Description
North Korean IT workers, skilled in software development, mobile applications, blockchain, and cryptocurrency technologies, use fake identities and forged credentials to secure remote jobs and contracts worldwide, often routing payments through cryptocurrencies or shadow banking systems to support state programs. The report details four DPRK IT Worker front companies whose websites were seized by the United States Government: Independent Lab LLC, Shenyang Tonywang Technology Ltd, Tony WKJ LLC, and HopanaTech. These companies copied the website designs and content from real businesses like Kitrum, Urolime, ArohaTech IT Services, and ITechArt, modifying them to appear as United States-based entities. SentinelLabs' research has further connected these activities to a broader network, including Shenyang Huguo Technology Ltd, and has identified links to identities such as Wang Kejia and Tong Yuze, who are associated with multiple companies in China, including technology and food service businesses. The findings show the DPRK exploiting global markets to fund state activities, including weapons development.
## Microsoft Analysis and Additional OSINT Context
[Microsoft and other security researchers](https://security.microsoft.com/intel-explorer/articles/87adc2a0) have reported several North Korean activity clusters using highly skilled IT workers to fraudulently obtain remote employment with companies worldwide, allowing them to generate significant revenue for the regime by hiding their identities and funneling earnings back to the state. North Korean threat actors have specifically been detected targeting United States companies associated with technology, car manufacturing, aerospace, media, retail, and food delivery. They have used these infiltrations for data theft and to establish access for other North Korean cyber threat groups. Microsoft tracks North Korean IT remote worker activity as [Storm-0287](https://security.microsoft.com/intel-explorer/articles/29ec3550).
## Recommendations
Microsoft has identified the following vetting approaches to identify a possible North Korean remote worker based on trends we have observed among these workers:
- Check to make sure a potential employee's social media/professional accounts are not highly similar to the accounts of other individuals. In addition, check that a contact phone number listed on a potential employee's account is unique and not also used by other accounts, particularly if that number is Chinese.
- Scrutinize resumes and background checks for consistency of names, addresses, and dates. Consider contacting references by phone or video-teleconference rather than email only.
- Exercise greater scrutiny for employees of staffing companies, since this is the easiest avenue for North Korean workers to infiltrate target companies.
- Search whether a potential employee is employed at multiple companies using the same persona.
- Ensure the potential employee is seen on camera during multiple video telecommunication sessions. If the potential employee reports video and/or microphone issues that prohibit participation, this should be considered a red flag.
- Confirm the potential employee has a digital footprint. This includes a real phone number (not VOIP), a residential address, and social media accounts.
Microsoft recommends the following mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-m |
Notes |
★★
|
Sent |
Yes |
Tags |
Tool
Threat
Mobile
|