N. Koreans Steal LinkedIn Resumes to Get Remote Work at Crypto Firms: Researchers
North Koreans are plagiarizing online CVs and pretending to be from other countries to get remote work at cryptocurrency firms to help the government raise money, cyber security researchers say, following a US warning of a similar scheme in May.
The scammers are lifting details they find on legitimate profiles on LinkedIn and Indeed for their resumes to land jobs at U.S. cryptocurrency firms, according to security researchers at Mandiant Inc. One applicant identified by Mandiant on July 14 claimed to be an “innovative and strategically thinking professional” in the technology industry and an experienced software developer. “The world will see the great result from my hands,” the job seeker added in a cover letter.
Almost identical language was found in another user’s profile.
The evidence discovered by Mandiant reinforces the claims made by the US government in May. The United States warned that North Korean IT workers are trying to get freelance work abroad while posing as non-North Korean citizens, in part to raise money for the government’s weapons development programs. The IT workers claim to have the kind of skills necessary for complex work such as developing mobile apps, building virtual currency exchanges and mobile gaming, according to the US advisory.
The North Korean IT workers were mainly located in China and Russia, with a smaller number in Africa and Southeast Asia, according to the US. They also target freelance contracts in wealthier nations, including North America and Europe, and in many cases present themselves as South Korean, Japanese or even US-based telecommuters, according to the US warning.
According to the Mandiant researchers, by gathering information from crypto companies, North Koreans can gather intelligence on upcoming cryptocurrency trends. Such data — on topics such as the Ethereum virtual currency, non-fungible tokens and potential security breaches — could give the North Korean government a head start on how to launder cryptocurrency in a way that helps Pyongyang avoid sanctions, said Joe Dobson, a principal analyst at Mandiant.
“It comes down to insider threats,” he said. “If someone gets hired on a crypto project, and they become a core developer, it allows them to influence things, either for good or not.”
The North Korean government has consistently denied involvement in any cyber-enabled theft.
Other suspected North Koreans have fabricated job qualifications, with some users claiming on job applications to have published a white paper on the Bibox digital currency exchange, while another posed as a senior software developer at a consultancy focused on blockchain technology.
Mandiant researchers said they had identified several suspected North Koreans at workplaces who have been hired as freelancers. They declined to name the employers.
“These are North Koreans trying to get employed and get to a place where they can send money back to the regime,” said Michael Barnhart, a principal analyst at Mandiant.
In addition, North Korean users who claim to have programming skills have asked questions on the GitHub Inc. coding site, where software developers publicly discuss their findings, about larger trends in the cryptocurrency world, according to the Mandiant researchers.
North Korean IT workers “target freelance contracts from employers in wealthier nations,” according to the US’s 16-page advisory released in May. In many cases, the North Korean workers present themselves as South Korean, Chinese, Japanese or Eastern European and US-based telecommuters, according to the US advisory.
In April, Jonathan Wu, a manager at Aztec Network, a blockchain company, described the experience of conducting a job interview with a possible North Korean hacker as leaving him “a little shaken.” “Scary, funny and a reminder to be paranoid and triple check your OpSec practices,” he wrote, in a Twitter thread. Neither Wu nor the company responded to messages seeking comment.
In a related tactic, suspected North Korean hackers have replicated Indeed.com and used it to gather information about visitors to the site, according to Alphabet Inc.’s Google. By setting up websites that appear to be genuine, spies can trick job seekers into sending their resumes, thereby starting a conversation that could enable hackers to break into their computer or steal their data, according to Ryan Kalember, executive vice president at email security firm Proofpoint Inc.
Other fake domains, created by suspected North Korean operators, impersonated ZipRecruiter, a Disney career site and a site called Variety Jobs, according to Google.
“We see an influx of this every day,” Kalember said. “Their ability to come up with compelling tire companies is getting better and better.”
In February, security firm Qualys Inc. said it discovered a phishing campaign in which the so-called Lazarus Group, a name the U.S. government sometimes uses to describe Pyongyang-backed hackers, targeted job seekers applying for roles at Lockheed Martin Corp.
The hackers sent individual messages that appeared to be from Lockheed Martin, using email attachments that appeared to contain information from the company but actually contained malware. The spree followed similar attempts in which attackers posed as BAE Systems Plc and Northrop Grumman Corp., according to Qualys.
“If you look at the job ads, they appeal to people’s ego and desire for money,” said Adam Meyers, senior vice president of intelligence at CrowdStrike Holdings Inc. “They’re exploiting that, but the fake job ads are an opening for their broader cyber attacks and espionage.”
North Korea’s focus on stealing cryptocurrency comes after the country’s hackers spent years stealing money from the global financial system, Mandiant researchers said. After an infamous Bangladesh Bank heist in 2016, in which the US accused North Korean thieves of trying to steal close to $1 billion, global banks added security measures to stop such breaches.
“The market has changed where banks are more secure and cryptocurrency is a whole new market,” Dobson said. “We’ve seen them go after end users, crypto exchanges and now the crypto bridges.”
Photograph: North Korean flag made of human pixels holding up colored boards in Pyongyang, North Korea. Photo credit: Eric Lafforgue/Art in All of Us/Corbis News/Getty Images.
Copyright 2022 Bloomberg.