Matt Johansen
May 28, 2024 · 12 tweets
The DoJ just busted a massive scam involving North Korean IT workers infiltrating major US companies.

They had some help in the US and were posing as remote freelancers to siphon off money and sensitive info.

Holy crap, here's what we know:
How they operated:

North Korean operatives are stationed in countries like China, Russia, and parts of Eastern Europe and Southeast Asia.

They then use fake documents and buy accounts to get remote jobs in the States.
On May 16, the DOJ indicted five people connected to this scheme.

One is an Arizona woman who helped North Korean IT workers by validating stolen identities, making them look like US citizens.
This woman also hosted laptops from US companies to spoof locations.

This bypassed any geofencing, making it seem like the North Korean workers were based in the US.
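The hosted-laptop trick above leaves one signature an employer can actually look for: several different "employees" checking in from the same residential IP while claiming different home addresses to HR. The following is an added example for defenders, not code from the thread or from the DOJ case; the record fields, thresholds and sample data are constructed for illustration.

```python
"""
Laptop-farm indicator check over endpoint check-in records.

Constructed example (not from the original thread). Assumes each VPN/EDR
check-in yields the employee the device is assigned to, the asset tag, the
public source IP, and the home region the employee gave HR. Flags public IPs
behind which many distinct employees' corporate devices appear, and rates the
finding higher when those employees claim different home regions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckIn:
    employee: str   # identity the corporate device is assigned to
    device_id: str  # asset tag of the corporate laptop
    public_ip: str  # source IP seen by the VPN/EDR backend
    hr_region: str  # home region on file with HR (assumed field)


# Constructed sample records, not real telemetry. Four laptops for four
# "employees" sit behind one residential IP; two real colleagues share a home.
SAMPLE = [
    CheckIn("alice", "LT-1001", "203.0.113.10", "US-AZ"),
    CheckIn("bob",   "LT-1002", "203.0.113.10", "US-TX"),
    CheckIn("carol", "LT-1003", "203.0.113.10", "US-NY"),
    CheckIn("dave",  "LT-1004", "203.0.113.10", "US-AZ"),
    CheckIn("alice", "LT-1001", "203.0.113.10", "US-AZ"),  # repeat check-in
    CheckIn("erin",  "LT-2001", "198.51.100.7", "US-WA"),
    CheckIn("frank", "LT-2002", "198.51.100.7", "US-WA"),  # same household, plausible
]


def shared_ip_findings(records, min_employees=3):
    """Group check-ins by public IP and report IPs hosting devices for at least
    min_employees distinct employees. Several claimed home regions behind one
    IP is the strongest hint that the laptops are being hosted for others, so
    such findings are rated "high"; a single region is rated "medium"."""
    employees_by_ip = defaultdict(set)
    regions_by_ip = defaultdict(set)
    for r in records:
        employees_by_ip[r.public_ip].add(r.employee)
        regions_by_ip[r.public_ip].add(r.hr_region)

    findings = []
    for ip, employees in employees_by_ip.items():
        if len(employees) < min_employees:
            continue
        regions = sorted(regions_by_ip[ip])
        findings.append({
            "ip": ip,
            "employees": sorted(employees),
            "claimed_regions": regions,
            "severity": "high" if len(regions) > 1 else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in shared_ip_findings(SAMPLE):
        print(finding)
```

One caveat worth stating: a facilitator hosting 80 laptops is usually hosting them for many employers, so any single company may only see one or two devices at that address. The check above fires when the same host serves several identities at one employer; sharing anonymised hosting-IP indicators across companies, or with law enforcement, is what makes the pattern visible at scale.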
The scheme has raked in millions of dollars in wages from over 300 companies.

This money likely supports North Korea's regime, including its nuclear weapons program, according to the FBI.
North Korea's government is highly motivated due to heavy international sanctions.

They've been behind major cyber heists like the $81 million stolen from Bangladesh Bank via the SWIFT system in 2016.
Facilitators, or "mules," are key players in this operation.

They manage multiple fake identities and handle risky tasks like job interviews and drug tests, then pass the credentials to the actual North Korean workers.
These facilitators make big money.

For example, a Ukrainian facilitator managed about 870 identities and hosted 80 computers, earning over $900,000 over six years.
The IT workers, often highly skilled, work under harsh conditions with strict oversight.

Their activities include cryptojacking, targeting security researchers (!!!), and other cyber attacks to fund the regime.
How does your company verify remote worker identities? Would your process stand up to this threat?
I cover this and dozens more cybersecurity news stories every week in my free newsletter.

Join over 12,000 other pros here: vulnu.xyz/tw

More from @mattjay

Jun 17
Breaking: House Oversight's top Dem Rep. Lynch requests Microsoft provide info on DOGE staffer's GitHub repo.

It allegedly contains code to extract data from the NLRB's case management system.
Key context: This follows whistleblower Daniel Berulis's disclosure about ~10GB of data exfiltrated from NLRB's NxGen system.

DOGE engineer Jordan Wick's repo "NxGenBdoorExtract" was made private before investigation.
The alleged extraction code was hosted on Microsoft-owned GitHub.

Rep. Lynch specifically wants details about attempts to "conceal activities, obstruct oversight, and shield from accountability."
Jun 9
U.S. labs keep finding *undocumented* cellular radios hidden inside some Chinese-made solar inverters & battery packs

Those radios give the gear a second, undocumented path to the internet. Global governments are reacting already: 🧵
Inverters already need remote access for firmware updates, so utilities put them behind firewalls.

A covert LTE module can hop right over that barrier, reach a cloud service in China, and issue commands the operator never sees.
Security teams have confirmed multiple makes and models with these extra radios in the last nine months.

The labs aren’t saying how many units they’ve torn down. Only that the problem spans *several* suppliers.
May 5
TeleMessage, the company behind the modified Signal client used by Trump admin officials, has been breached.

Attacker claims the hack took "15-20 minutes" with minimal effort.
TeleMessage creates modified versions of Signal/WhatsApp/Telegram that archive messages for gov agencies.

Recently made headlines when National Security Advisor Waltz was photographed using it.
A hacker accessed unencrypted message contents, contact info of gov officials, admin credentials, and customer data.

Notably includes CBP, Coinbase, and other financial institutions.
Apr 18
🧵 THREAD: A federal whistleblower just dropped one of the most disturbing cybersecurity disclosures I’ve ever read.

He's saying DOGE came in, data went out, and Russians started attempting logins with new valid DOGE passwords

Media's coverage wasn't detailed enough so I dug into his testimony:
Who’s the whistleblower?

Daniel Berulis — a senior DevSecOps architect at the National Labor Relations Board (NLRB), formerly with TS/SCI clearance.

He just told Congress the Department of Government Efficiency (DOGE) pulled off a covert cyber op inside a federal agency.
DOGE demanded root access.
Not auditor access. Not admin.

They were given “tenant owner” privileges in Azure — full control over the NLRB’s cloud, above the CIO himself.
This is never supposed to happen.
Mar 5
MSFT released new research on Silk Typhoon's supply chain attacks.

Key shift: Group now heavily leveraging stolen API keys and PAM credentials to hit downstream customers, particularly state/local gov and IT sector targets.

Here's what we know 🧵
Initial access vectors include 0days, compromised third-party services, and password spraying.

Notable: Found several instances of corporate creds exposed via public GitHub repos being used in attacks. (They should be following @InsecureNature)
Post-compromise, actors use stolen API keys to access downstream customer environments.

Primary focus: Data collection related to China interests, US gov policy, and LE investigations.
Feb 11
Hackers are using Google Tag Manager (GTM) to inject credit card skimmers into E-commerce sites.

At least 6 compromised sites identified so far. Here's what we're seeing. 👇
Malicious GTM script reference (GTM-MLHK2N68) stored in Magento's cms_block.content table.

Attackers using GTM as delivery mechanism to bypass security controls.
Obfuscated JS skimmer activates on checkout pages, exfiltrating card data to C2 domain eurowebmonitortool[.]com.

Additional persistence achieved via PHP backdoor in media/index.php allowing remote code execution through base64-encoded commands.

Gives attackers ongoing access post-cleanup.
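The GTM skimmer thread gives store operators one concrete place to look: the Magento `cms_block.content` table, where the rogue container reference (GTM-MLHK2N68) was planted. The check below is an added example, not code from the thread or from Magento; it scans block content for GTM container IDs that are not on the site's approved list. The sample rows, the approved container `GTM-EXAMPLE1` and the column names are constructed for illustration (real Magento installs keep the `identifier` and `content` columns in `cms_block`, but verify against your schema).

```python
"""
Hunt for unapproved Google Tag Manager container references in CMS blocks.

Constructed example (not from the original thread). In practice the rows
would come from a query such as
    SELECT identifier, content FROM cms_block WHERE content LIKE '%GTM-%'
run against the Magento database; here they are embedded as sample data.
"""
import re

# Constructed sample rows shaped like (identifier, content) from cms_block.
# The third row carries the container ID named in the thread as malicious.
SAMPLE_ROWS = [
    ("footer_links",
     '<div class="footer"><a href="/contact">Contact</a></div>'),
    ("promo_banner",
     '<script>(function(w,d,s,l,i){w[l]=w[l]||[];})'
     '(window,document,"script","dataLayer","GTM-EXAMPLE1");</script>'),
    ("header_scripts",
     '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-MLHK2N68">'
     '</script>'),
]

# The site's own, deliberately provisioned container(s). GTM-EXAMPLE1 is a
# constructed placeholder standing in for the real one.
APPROVED_CONTAINERS = {"GTM-EXAMPLE1"}

# GTM container IDs are "GTM-" followed by upper-case letters and digits.
GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")


def unapproved_gtm_references(rows, approved):
    """Return (block identifier, container ID) pairs for every GTM container
    referenced in block content that is not in the approved set. Each
    container is reported once per block, in sorted order, so the output
    is stable enough to diff between scans."""
    findings = []
    for identifier, content in rows:
        for container in sorted(set(GTM_ID.findall(content))):
            if container not in approved:
                findings.append((identifier, container))
    return findings


if __name__ == "__main__":
    for block, container in unapproved_gtm_references(SAMPLE_ROWS, APPROVED_CONTAINERS):
        print(f"unapproved container {container} referenced in cms_block '{block}'")
```

Run this on a schedule and alert on any new pair; a container you did not provision appearing in a CMS block is worth treating as a compromise indicator rather than a configuration drift, and, per the thread, the web root (the `media/index.php` backdoor it mentions) should be checked at the same time, since cleaning only the block leaves the persistence in place.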