
Massive Insider Threat: North Korean Hackers Infiltrate U.S. Companies

North Korean Hackers Infiltrate US Companies in Large-Scale Insider Threat Attack

North Korean nation-state attackers, known as FAMOUS CHOLLIMA, have successfully placed over 100 covert team members in various US-based companies, including aerospace, defense, retail, and technology firms. CrowdStrike’s 2024 Threat Hunting Report reveals that these attackers are posing as job applicants, leveraging falsified and stolen identity documents to gain employment as remote IT personnel. Their primary goal is to exfiltrate data and perform espionage undetected.

The FAMOUS CHOLLIMA group is affiliated with North Korea’s elite Reconnaissance General Bureau (RGB) and Bureau 121, both advanced cyber warfare organizations. Their specialty lies in perpetrating insider threats at scale: obtaining freelance or full-time equivalent jobs to funnel salaries back to North Korea for its weapons programs while conducting ongoing espionage.

The alarming aspect of this campaign is the massive scale of the insider threat. According to Adam Meyers, head of counter adversary operations at CrowdStrike, over a hundred victims, primarily from US companies, unknowingly hired North Korean operatives. These individuals infiltrate organizations, particularly in the tech sector, not to contribute but to funnel stolen funds directly into the regime’s weapons program.

The surge in North Korean remote work schemes highlights how adversaries are exploiting the trust in our remote work environment. With the rise of remote work due to the COVID-19 pandemic and public opinion favoring this arrangement, North Korea saw an opportunity to exploit the lack of verification and security. They systematically targeted more than 100 companies, infiltrating them with malicious insiders. This new era in cyber warfare should serve as a wake-up call to any business engaging in remote hiring.

Remote onboarding became the norm after COVID-19, making stolen identities a common tool for passing security checks and securing jobs that are then used for data exfiltration or fund theft. Meyers reveals that 50% of the cases observed by CrowdStrike were used for data exfiltration. The processes created to facilitate remote work are now being weaponized against us.

Many have underestimated North Korea’s cyber capabilities, dismissing it as a “hermit kingdom.” However, North Korea has been investing in cyber talent since the late 1990s, with a strategic focus on STEM education. This recent campaign by FAMOUS CHOLLIMA shows that they are a sophisticated adversary that must be taken seriously.

The anatomy of North Korea’s insider threat attack follows a pattern. FAMOUS CHOLLIMA initially targeted 30 US-based companies, claiming to be US residents applying for remote IT positions. Once hired, they performed minimal tasks related to their job role while attempting to exfiltrate data using various tools. They also installed Remote Monitoring and Management (RMM) tools to maintain persistence within the compromised network. Exploitation of RMM tools accounts for 27% of all hands-on-keyboard intrusions on endpoints, and CrowdStrike’s report reveals a 70% year-over-year increase in adversary use of these tools.
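The persistence step above, an RMM tool appearing on an endpoint assigned to a newly onboarded remote hire, is something a defender can hunt for by joining endpoint telemetry with HR onboarding data. The following is an added example, not code from the article or from CrowdStrike's report: the RMM binary watchlist, the JSON event format, the HR records and the IT approval list are all constructed assumptions for illustration. Sanctioned RMM use is common, so the hunt suppresses (host, binary) pairs IT has approved and rates the remainder by whether the host belongs to a remote hire onboarded within the last 90 days.

```python
import json
from datetime import date

# Assumed watchlist of RMM / remote-access binaries, matched case-insensitively
# on the image basename. Extend it from your own EDR telemetry.
RMM_BINARIES = {
    "anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe",
    "ateraagent.exe", "rustdesk.exe",
}

# Constructed HR onboarding records (host -> owner, hire date, remote flag).
ONBOARDING = {
    "WS-1042": {"user": "jdoe", "hire_date": "2024-05-20", "remote": True},
    "WS-0311": {"user": "asmith", "hire_date": "2019-02-04", "remote": False},
    "WS-2207": {"user": "rlee", "hire_date": "2024-04-01", "remote": True},
}

# Constructed IT-approved (host, binary) pairs; sanctioned RMM use is not a finding.
APPROVED = {("WS-0311", "teamviewer.exe")}

# Constructed process-start events, one JSON object per line, as an EDR might export them.
EVENTS = r"""
{"ts": "2024-06-03T14:02:11Z", "host": "WS-1042", "user": "jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\AnyDesk\\AnyDesk.exe"}
{"ts": "2024-06-03T15:10:40Z", "host": "WS-0311", "user": "asmith", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
{"ts": "2024-06-04T09:31:05Z", "host": "WS-2207", "user": "rlee", "image": "C:\\Users\\rlee\\Downloads\\rustdesk.exe"}
{"ts": "2024-06-04T09:45:00Z", "host": "WS-2207", "user": "rlee", "image": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2024-06-05T11:12:52Z", "host": "WS-0311", "user": "asmith", "image": "C:\\Users\\asmith\\Downloads\\AnyDesk.exe"}
"""


def basename(image: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_rmm(events, onboarding, approved, today: date, window_days: int = 90) -> list[dict]:
    """Flag RMM binaries that start on hosts where IT has not sanctioned them.

    A start on a host assigned to a remote hire onboarded within `window_days`
    is rated 'high'; every other unsanctioned RMM start is rated 'medium'.
    """
    findings = []
    for ev in events:
        binary = basename(ev["image"])
        if binary not in RMM_BINARIES or (ev["host"], binary) in approved:
            continue
        record = onboarding.get(ev["host"])
        days_since_hire = None
        severity = "medium"
        if record is not None:
            days_since_hire = (today - date.fromisoformat(record["hire_date"])).days
            if record["remote"] and 0 <= days_since_hire <= window_days:
                severity = "high"
        findings.append({
            "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
            "binary": binary, "days_since_hire": days_since_hire, "severity": severity,
        })
    return findings


def run_demo() -> list[dict]:
    """Run the hunt over the constructed data with a fixed 'today' (2024-06-10)."""
    return hunt_rmm(parse_events(EVENTS), ONBOARDING, APPROVED, date(2024, 6, 10))


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['severity']:6}] {f['ts']} {f['host']} {f['user']} "
              f"{f['binary']} (hired {f['days_since_hire']} days ago)")
```

On the constructed data the approved TeamViewer start on WS-0311 is dropped, the AnyDesk and RustDesk starts on the two recent remote hires' hosts are rated high, and the unapproved AnyDesk download on the long-tenured on-site host is rated medium. In practice the hire-date join is the part worth keeping: an RMM agent by itself is noise, but an RMM agent on a machine issued to someone hired remotely a few weeks ago is exactly the signal the campaign described above would produce.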

CrowdStrike’s investigations, in collaboration with ongoing investigations into North Korean work schemes, identified FAMOUS CHOLLIMA insiders applying to or actively working at more than 100 unique companies, mostly US-based technology entities. The repeated detection of similar tactics, techniques, and procedures enabled CrowdStrike to uncover a coordinated campaign.

The Federal Bureau of Investigation (FBI) and the Department of Justice (DoJ) have taken swift action against FAMOUS CHOLLIMA. The FBI issued an alert warning American businesses that North Korea is evading sanctions by targeting private companies with these employment schemes. The DoJ has indicted individuals for running laptop farms that enabled FAMOUS CHOLLIMA members to work undetected for months, earning salaries that directly funded North Korea’s weapons program. These indictments highlight the global scope of the group’s operations.

In conclusion, North Korean hackers have successfully infiltrated US companies through large-scale insider threat attacks. Their ability to pose as job applicants and gain employment as remote IT personnel has allowed them to exfiltrate data and perform espionage undetected. This campaign serves as a reminder of the importance of verifying identities and implementing strong security measures in remote hiring processes. The cyber capabilities of North Korea should not be underestimated, and businesses must take them seriously to protect against future attacks.