- Nisos uncovers a network of fake identities, all seeking software development work
- At least two of the personas work at small businesses
- The goal is to earn money for the North Korean weapons program
North Korean cybercriminals are faking their identities to land jobs at software development companies in Asia and the West, new research has said.
A report by Nisos researchers claims to have identified at least four fake personas working as software developers, blockchain developers, IT and similar professionals, with the goal “to earn money to finance ballistic development programs of Pyongyang”.
To create these fake identities, the threat actors use GitHub, reusing mature GitHub accounts and portfolio content from older personas. This helps them back up their new identities, the researchers said. It also helped two of the personas get jobs at companies with fewer than 50 employees.
Lazarus?
Although these identities have a presence on employment and people-information websites, they have no social media accounts, which is always a red flag. In addition, their profile photos are “photoshopped”, and in some cases a different face has obviously been pasted into a photo to show them as part of a team.
Finally, all the personas in the network use similar email addresses, often including the same numbers and the word “dev”.
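The email-pattern and missing-social-media indicators described above can be turned into a simple screening check over an applicant pool. This is an added example, not code from Nisos or the original article; the applicant records, the field names and the rule that “dev” must stand alone as a token are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample applicants (not taken from the Nisos report): an email
# address plus whether any social media profile was found for the identity.
APPLICANTS = [
    {"name": "A", "email": "alex.dev0913@example.com", "social": False},
    {"name": "B", "email": "mark_dev0913@example.org", "social": False},
    {"name": "C", "email": "j.smith@example.net", "social": True},
    {"name": "D", "email": "0913.kim.dev@example.com", "social": False},
    {"name": "E", "email": "devon.lee77@example.com", "social": True},
]

def email_features(email):
    """Return (set of digit runs, has standalone 'dev') for the local part."""
    local = email.split("@", 1)[0].lower()
    digits = set(re.findall(r"\d{2,}", local))
    # Assumption: 'dev' counts only when not embedded in a longer word,
    # so a name such as 'devon' does not trigger the indicator.
    has_dev = re.search(r"(?<![a-z])dev(?![a-z])", local) is not None
    return digits, has_dev

def cluster_by_shared_number(applicants):
    """Group 'dev' addresses that share a digit run; keep groups of 2+."""
    groups = defaultdict(list)
    for a in applicants:
        digits, has_dev = email_features(a["email"])
        if has_dev:
            for d in digits:
                groups[d].append(a["name"])
    return {d: sorted(names) for d, names in groups.items() if len(names) >= 2}

def review_queue(applicants):
    """Clustered applicants that also have no social media presence."""
    clusters = cluster_by_shared_number(applicants)
    clustered = {n for names in clusters.values() for n in names}
    return sorted(a["name"] for a in applicants
                  if a["name"] in clustered and not a["social"])

if __name__ == "__main__":
    print(cluster_by_shared_number(APPLICANTS))
    print(review_queue(APPLICANTS))
```

Matches are leads for manual identity verification; the other indicators in the report, such as edited profile photos and reused GitHub portfolio content, still need human review.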
Although it is difficult to know with certainty, Nisos says that there are “several indicators” that the hackers are affiliated with the North Korean government, in particular “tactics, techniques and coherent procedures (TTP) allocated to actors of fraud with North Korean employment”.
In the past, there have been reports of Lazarus, a known state-sponsored threat actor, seeking software development jobs. Getting hired gives them access to the company's backend, which they use to steal sensitive data and even money.
Lazarus has also been observed creating fake companies and fake job openings, and headhunting software developers at large IT companies. During the “hiring process”, they would drop malware on the victim's device, with the same objective of accessing their employer's IT infrastructure.
The group generally targets blockchain-related companies and has pulled off some of the biggest crypto heists in history.




