Nisos uncovers network of fake identities, all looking for software development work
At least two personas are working in small businesses
The goal is to earn money for North Korea’s weapons program
North Korean cybercriminals are faking their identities in order to get jobs in software development companies in Asia and the West, new research has claimed.
A report from researchers Nisos claims to have identified at least four fake personas working as software developers, blockchain developers, IT pros, and similar, with the goal, “to earn cash to fund Pyongyang’s ballistic missile and nuclear weapons development programs.”
To create these fake identities, the threat actors use GitHub, reusing matured GitHub accounts and portfolio content from older personas to backstop the new identities, the researchers said. This approach also helped two individuals get jobs at companies with fewer than 50 employees.
Lazarus?
While these identities have accounts on employment and people information websites, they don’t have social media accounts, which is always a red flag. Furthermore, their profile photos are “photoshopped” and they have, in some cases, obviously pasted a different face over a stock photo to show them working in a team.
Finally, all personas in the network use similar email addresses, often including the same numbers and the word “dev”.
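The indicators above (no social media presence, and email addresses that share the same numbers and the word “dev”) can be turned into a simple screening check on a hiring pipeline's applicant records. The following is an added example written for this article, not code from Nisos or the report; the applicant records are constructed and the field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample applicant records (not from the Nisos report). The field
# names "email" and "social" are assumptions about what a hiring pipeline keeps.
APPLICANTS = [
    {"name": "Alex Park", "email": "alexdev2021@example.com", "social": []},
    {"name": "Jordan Kim", "email": "jordan.dev2021@example.org", "social": []},
    {"name": "Sam Lee", "email": "sam.lee@example.com", "social": ["linkedin.com/in/samlee"]},
    {"name": "Chris Han", "email": "chrisdev2021@example.net", "social": []},
    {"name": "Morgan Roy", "email": "morgan77dev@example.com", "social": ["x.com/morganroy"]},
]

def email_signature(email):
    """Return (digits, has_dev) extracted from the local part of an address."""
    local = email.split("@", 1)[0].lower()
    digits = "".join(re.findall(r"\d+", local))
    return digits, "dev" in local

def cluster_by_email_pattern(applicants):
    """Group applicants whose addresses share the same numeric token and the
    word 'dev', the naming pattern the report describes across the personas.
    Only groups with more than one member are returned."""
    groups = defaultdict(list)
    for a in applicants:
        digits, has_dev = email_signature(a["email"])
        if has_dev and digits:
            groups[digits].append(a["email"])
    return {k: v for k, v in groups.items() if len(v) > 1}

def flag_applicants(applicants):
    """Return (email, reasons) for applicants matching two or more indicators:
    no social media accounts, 'dev' plus a number in the address, and membership
    in a cluster of similarly named addresses. A single indicator on its own is
    weak evidence, so it is reported only when reinforced by another."""
    clusters = cluster_by_email_pattern(applicants)
    clustered = {e for members in clusters.values() for e in members}
    flagged = []
    for a in applicants:
        reasons = []
        digits, has_dev = email_signature(a["email"])
        if not a["social"]:
            reasons.append("no social media accounts")
        if has_dev and digits:
            reasons.append("'dev' plus number in email")
        if a["email"] in clustered:
            reasons.append("shares number pattern with other applicants")
        if len(reasons) >= 2:
            flagged.append((a["email"], reasons))
    return flagged
```

On the constructed records, the three “dev2021” applicants are flagged for manual review, while the lone “morgan77dev” address with a social profile is not.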
While it’s difficult to know for certain, Nisos says there are “several indicators” that the hackers are affiliated with the North Korean government, including “consistent tactics, techniques, and procedures (TTPs) attributed to North Korean employment fraud actors.”
In the past, there have been reports of Lazarus, a known North Korean state-sponsored threat actor, hunting for software development jobs. Getting hired helps them gain access to the company’s back end, which they use to steal sensitive data, or even money.
Lazarus was also observed creating fake companies and fake jobs, and head-hunting software developers in major IT firms. During the “hiring process”, they would drop malware onto their victim’s devices, with the same goal of accessing their employer’s IT infrastructure.
The group usually targets blockchain-related businesses and has pulled off some of the biggest crypto heists in history.