#ICYMI, here's a #threatintel related🧵👇 by me on @USTreasury advisory on DPRK IT workers' attempts to obtain employment while posing as non-North Korean nationals: home.treasury.gov/system/files/1… (1/?)
DPRK IT workers "engage in a wide range of IT dev work, such as: mobile & web-based apps, virtual currency exchange platforms & digital coins. Some designed virtual currency exchanges or created analytic tools/apps for virtual currency traders & marketed their products." (2/?)
This reminds me, for example, of Marine Chain Token: (justice.gov/opa/pr/three-n…; justice.gov/opa/press-rele…), #AppleJeus (cisa.gov/uscert/ncas/al…) and, more recently, #TraderTraitor (cisa.gov/uscert/ncas/al…). #HIDDENCOBRA/#APT38 loves loves loves their crypto (3/?)
Onto fake job applicant TTPs: "DPRK IT teams abroad most commonly obtain freelance jobs through various online platforms. They build “portfolio” websites, generally simple in design, in an effort to boost the credibility of their fabricated, freelance developer personas." (4/?)
The recruitment theme is VERY strong with DPRK threat activity: on one hand, posing as job applicants in order to act as insider threats, as per above & this awesome paper on #DPRK #cybercrime, its purposes, statecraft and #threatintel: belfercenter.org/sites/default/… (5/?)
On the other, using fake job specs as lure documents: think intel-motivated ops like #BLINDINGCAN (which we track as ShowState)/ Op Dream Job (cisa.gov/uscert/ncas/an…), or financially-motivated ops like #DangerousPassword/#SnatchCrypto, eg: (6/?)
Another #threatintel angle: campaigns trying to lure companies (typically cryptocurrency startups) by using business proposals/VC pitches that seem too good to be true. Examples again re #DangerousPassword/#SnatchCrypto: & (7/?)
Returning to DPRK IT workers & fake profiles, these points stood out: purchase of details from 3rd party/hiring 3rd party as proxy; using stolen documents & bank details to set up personas; use of work bidding platforms; simplistic portfolios; refusing video calls. (8/?)
Note: "Although DPRK IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access as contractors to enable DPRK malicious cyber intrusions. There are likely instances where workers are subjected to forced labor." (9/?)
LOTS to unpack: DPRK IT workers != DPRK APTs, but 1) in some cases DPRK IT workers will "enable DPRK malicious cyber intrusions". (Access handoff? Backdooring? Want to research this more👀) 2) DPRK APTs posing as either job applicants or as job recruiters. (10/?) #threatintel
One more aspect warranting further investigation: "instances in which DPRK IT teams appear, on paper, to work for a legitimate local company but pursue their own business independently – and in return will pay a fee to the foreign company". @intrusion_truth on #DPRK when? (11/?)
Some excellent reading on DPRK front companies in general: the Park #WannaCry indictment (justice.gov/opa/press-rele…); this Mandiant #threatintel analysis mandiant.com/resources/mapp… 🔥🔥 (12/?)
Final element: WHY? Ultimately, "to generate revenue" for the regime. Many can discuss the security and policy implications. But what about #humanrights? @USTreasury notes forced labor: constant surveillance, unsafe conditions, little freedom of movement, 10% pay kept. (13/?)
I do #threatintel to help build a secure digital society for all, to undermine cyber ops that do harm. Controv, but I'd invite us all to be mindful of the #humanrights context of adversaries in some cases, like DPRK IT workers, & whether & how that could be helped. (14/14)