CrowdStrike exposes North Korea’s secret workforce in US technology

North Korean nation-state attackers successfully posed as job applicants and placed more than 100 of their covert team members with mostly U.S.-based aerospace, defense, retail and technology companies.

CrowdStrike's 2024 Threat Hunting Report exposes how the North Korea-nexus adversary FAMOUS CHOLLIMA uses forged and stolen identity documents, allowing nation-state attackers to act as remote IT staff, exfiltrate data and conduct espionage undetected.

Affiliated with North Korea’s elite General Reconnaissance Bureau (RGB) and Bureau 75, two of North Korea’s advanced cyberwarfare organizations, FAMOUS CHOLLIMA specializes in perpetrating insider threats at large scale: illegally obtaining freelance or full-time equivalent (FTE) jobs to earn salaries that are funneled to North Korea to pay for its weapons programs, while also conducting ongoing espionage.

“The most alarming aspect of FAMOUS CHOLLIMA’s campaign is the sheer scale of this insider threat. CrowdStrike notified over 100 victims, mostly from U.S. companies that unknowingly hired North Korean operatives,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, told VentureBeat.

“These individuals are infiltrating organizations, especially in the technology sector, not to contribute, but to channel stolen money directly into the regime’s weapons program,” Meyers said.

North Korea seized an opportunity to exploit trust

“This surge in remote work activity in North Korea shows how adversaries are abusing the trust of our remote work environment,” Meyers noted in a recent VentureBeat interview.

North Korea knew that companies have standardized on remote work for their IT teams and that public opinion in the US, Europe, Australia and across Asia favors remote working. North Korea saw an opportunity to exploit the lack of identity verification and security controls to its advantage.

Systematically targeting over 100 companies for infiltration by malicious insiders, and screening members of an elite attacker team to join FAMOUS CHOLLIMA and lead those insider attacks, is unprecedented. It heralds a new era in cyber warfare and should be a wake-up call for any company hiring remotely today.

“After COVID, remote onboarding became the norm, and so we’ve seen stolen identities used to pass security checks and land jobs and then used to exfiltrate data or steal money. Fifty percent of the cases observed by CrowdStrike were used for data exfiltration. The processes created to facilitate remote working are being weaponized against us,” he said.

Anatomy of North Korea’s insider threat attack

“Many still underestimate North Korea’s cyber capabilities and dismiss it as a ‘hermit kingdom.’ But they have been investing in cyber talent since the late 1990s, with a strategic focus on STEM education from an early age. This recent, sophisticated campaign shows that they are not just a threat, but a sophisticated adversary that we must take seriously. We are just at the beginning of their activities,” said Meyers.

Starting in 2023, FAMOUS CHOLLIMA initially targeted 30 US-based aerospace, defense, retail and technology companies, posing as US residents applying for remote IT positions. Once hired, the attackers performed minimal tasks related to their position while attempting to exfiltrate data using Git, SharePoint, and OneDrive.

Malicious insiders also quickly installed Remote Monitoring and Management (RMM) tools including RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop to maintain persistence within the compromised network. Once these tools were installed, the insiders could connect to the victim’s systems from multiple IP addresses, and because the traffic came from legitimate remote-access software it blended in with normal network activity. From there they could execute commands, consolidate their foothold, and move laterally within the network without immediately raising alarms.
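A defender-side illustration of the two behaviours this paragraph describes, added here as an example rather than code from CrowdStrike's report: it scans constructed endpoint events for process starts of the RMM tools named above and for a single account whose remote logons arrive from several source IPs within one window. The process names, the approved-tool list and the sample events are assumptions, not telemetry from the report.

```python
# Added example, not CrowdStrike's code: flag RMM tool starts and one account logging on
# from several source IPs, the two behaviours the report describes. Events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed process names for the RMM tools the report names; map these to your own telemetry.
RMM_PROCESSES = {"rustdesk.exe": "RustDesk", "anydesk.exe": "AnyDesk",
                 "remoting_host.exe": "Chrome Remote Desktop", "code-tunnel.exe": "VS Code Dev Tunnels"}
APPROVED_RMM = {"AnyDesk"}  # assumed: the one tool this (fictional) IT department sanctions

# Constructed sample events: (timestamp, host, user, event_type, value)
SAMPLE_EVENTS = [
    ("2024-04-01T09:02:00", "dev-ws-17", "jdoe", "process_start", "rustdesk.exe"),
    ("2024-04-01T09:05:00", "dev-ws-17", "jdoe", "remote_logon", "203.0.113.10"),
    ("2024-04-01T11:40:00", "dev-ws-17", "jdoe", "remote_logon", "198.51.100.7"),
    ("2024-04-01T13:15:00", "dev-ws-17", "jdoe", "remote_logon", "192.0.2.44"),
    ("2024-04-01T14:00:00", "dev-ws-17", "jdoe", "process_start", "code-tunnel.exe"),
    ("2024-04-01T10:00:00", "fin-ws-03", "asmith", "process_start", "anydesk.exe"),
    ("2024-04-01T10:01:00", "fin-ws-03", "asmith", "remote_logon", "203.0.113.10"),
    ("2024-04-02T10:01:00", "fin-ws-03", "asmith", "remote_logon", "203.0.113.10"),
]

def find_rmm_installs(events):
    """(user, host, tool) for every start of an RMM tool that is not on the approved list."""
    hits = []
    for _ts, host, user, etype, value in events:
        tool = RMM_PROCESSES.get(value.lower())
        if etype == "process_start" and tool and tool not in APPROVED_RMM:
            hits.append((user, host, tool))
    return hits

def find_multi_ip_users(events, min_ips=3, window=timedelta(hours=24)):
    """Users whose remote logons arrive from >= min_ips distinct source IPs inside one window."""
    logons = defaultdict(list)
    for ts, _host, user, etype, value in events:
        if etype == "remote_logon":
            logons[user].append((datetime.fromisoformat(ts), value))
    flagged = {}
    for user, entries in logons.items():
        entries.sort()
        for i, (start, _ip) in enumerate(entries):  # slide a window from each logon
            ips = {ip for t, ip in entries[i:] if t - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    print(find_rmm_installs(SAMPLE_EVENTS), find_multi_ip_users(SAMPLE_EVENTS))
```

Both checks are deliberately simple so they can be re-expressed as a SIEM or EDR rule; the account-level multi-IP check is the one that survives when the RMM binary has been renamed.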

CrowdStrike’s report shows a 70% year-over-year increase in adversaries’ use of RMM tools. Exploitation of RMM tools accounts for 27% of all hands-on-keyboard intrusions on endpoints. Nowhere was this more evident than in North Korea’s large-scale insider campaign against more than a hundred leading technology companies.

In April 2024, CrowdStrike Services responded to the first of several incidents involving FAMOUS CHOLLIMA malicious insiders targeting more than 30 US-based companies. North Korean operatives claimed to be US residents and were hired for multiple remote IT positions in early 2023.

Earlier this year, several investigations into North Korean employment schemes and fraud were underway. Working with these broader ongoing investigations, CrowdStrike was able to identify FAMOUS CHOLLIMA insiders applying to or actively working at more than 100 unique companies, most of them US-based technology firms. The repeated detection of similar tactics, techniques and procedures (TTPs) across multiple incidents allowed CrowdStrike to identify a coordinated campaign.

FBI and DOJ took swift action, but large-scale insider threats persist

On May 16 this year, the Federal Bureau of Investigation (FBI) issued an alert warning US companies that “North Korea is evading US and UN sanctions by targeting private companies to illegally generate substantial revenue for the regime.” The Department of Justice (DoJ) took swift action against laptop farms that FAMOUS CHOLLIMA had recently set up by incentivizing two Americans to run them.

The first charge, filed on May 16, revealed that an Arizona woman had given North Korea access to 300 IT companies. The second charge was filed on August 8 against a man in Nashville, Tennessee, for running a laptop farm that allowed members of FAMOUS CHOLLIMA to work undetected for months and earn salaries paid directly to North Korea’s weapons program. The indictment warns of the global scale of the group’s operations, which span seventeen countries and eleven industries.

“Last week, the Justice Department arrested a Tennessee man accused of running a laptop farm scheme that allowed North Korean IT workers to secure remote jobs at Fortune 500 companies. This is consistent with activity that CrowdStrike has been tracking as FAMOUS CHOLLIMA,” Meyers told VentureBeat.