
CTI Roundup: North Korean-Sponsored Remote IT Workers, Legitimate Sites Sending Spam, and Political Deepfakes

North Korea uses remote IT roles to infiltrate global organizations, threat actors exploit third-party infrastructure to deliver spam, and a new report sheds light on political deepfakes

Emerging Issue

In this week’s roundup, CTI investigates a network of global IT workers operating on behalf of the North Korean government. Next up, CTI explores how threat actors abuse legitimate website features to deliver spam. Finally, CTI wraps up with a look at Recorded Future’s analysis of 82 deepfakes identified between July 2023 and July 2024.

North Korean IT workers infiltrate global organizations through remote employment

Mandiant is actively tracking a network of global IT workers who are operating on behalf of the North Korean government. These workers seek employment with organizations across various industries. Their main objectives are to make money, maintain long-term access for potential future exploitation, and potentially conduct espionage. Mandiant tracks the group as UNC5267.

Who is UNC5267?

UNC5267, active since 2018, isn’t a traditional centralized threat group. It consists of individuals sent to live outside of North Korea to secure jobs at Western companies, particularly interested in the U.S. technology sector.

These individuals typically use stolen identities to apply for full-time or contractor positions. They tend to apply for positions that offer 100% remote work opportunities. Mandiant has observed cases where IT workers work multiple jobs simultaneously.

Key findings from Mandiant’s report

Mandiant shared details from some of their incident response engagements involving Democratic People’s Republic of Korea (DPRK)-sponsored IT workers. These engagements primarily involved workers operating within the scope of what they were hired to do. However, Mandiant also observed some cases where workers sought elevated access to modify code or administer network systems.


Mandiant identified many resumes that are being used to apply for remote positions. There are instances in which the email address used by one suspected IT worker has been previously observed in other IT worker-related instances. Pivoting off this, they could identify additional resumes that looked similar but used different names, phone numbers, universities, and other credentials.

These individuals will typically ship their company-owned devices to laptop farms and access them remotely to carry out their job responsibilities. They use the following tools to connect to the devices:

  • GoToRemote / LogMeIn
  • GoToMeeting
  • Chrome Remote Desktop
  • AnyDesk
  • TeamViewer
  • RustDesk
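
The tool list above is a natural input for an endpoint sweep. The following is an added example (not code from Mandiant or Tanium) that checks a software inventory against those six tools and flags hosts carrying any that the organization has not sanctioned; the inventory records, hostnames and the approved-tool set are constructed assumptions.

```python
"""Flag endpoints carrying the remote-access tools named in the Mandiant report.

Added example, not code from Mandiant or Tanium. The inventory records and
hostnames are constructed; real input would be an EDR or inventory export.
"""

# Tools the report says the workers use to reach devices parked at laptop farms.
# Matching is a case-insensitive substring test on the software display name.
REPORTED_REMOTE_TOOLS = (
    "gotoremote", "logmein", "gotomeeting", "chrome remote desktop",
    "anydesk", "teamviewer", "rustdesk",
)


def remote_tools_on_host(software: list[str]) -> set[str]:
    """Return the reported tools whose name appears in the host's software list."""
    names = [s.lower() for s in software]
    return {tool for tool in REPORTED_REMOTE_TOOLS if any(tool in n for n in names)}


def flag_hosts(inventory: list[dict], approved: set[str]) -> list[dict]:
    """One finding per host with a reported tool outside the approved set.

    'multiple' is set when more than one remote tool is present on the host.
    """
    findings = []
    for rec in inventory:
        found = remote_tools_on_host(rec["software"])
        unapproved = found - approved
        if unapproved:
            findings.append({"host": rec["host"],
                             "unapproved": sorted(unapproved),
                             "multiple": len(found) > 1})
    return findings


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    {"host": "LAPTOP-0041", "software": ["Microsoft Teams", "TeamViewer 15"]},
    {"host": "LAPTOP-0042", "software": ["AnyDesk", "RustDesk", "Slack"]},
    {"host": "LAPTOP-0043", "software": ["Visual Studio Code", "Slack"]},
]
# Assumption for this example: TeamViewer is the sanctioned support tool and
# GoToMeeting is a sanctioned meeting client; anything else is a finding.
APPROVED_REMOTE_TOOLS = {"teamviewer", "gotomeeting"}

if __name__ == "__main__":
    for finding in flag_hosts(SAMPLE_INVENTORY, APPROVED_REMOTE_TOOLS):
        print(finding)
```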

Recommended actions

Mandiant recommends several actions to avoid accidentally hiring threat actors.

Some of their tips include:

  • Thoroughly vetting job candidates
  • Verifying phone numbers
  • Verifying where the corporate laptop is being shipped
  • Requesting verification of the laptop serial number at the time of IT onboarding

Analyst comments from Tanium’s Cyber Threat Intelligence team

More and more individuals with ties to the DPRK are posing as IT workers and seeking employment with global organizations to conduct illicit activities.

According to Mandiant, this threat will likely continue, especially as actors develop new ways to trick HR and recruiting teams into allowing them to work their way into these environments.

Mandiant summarizes this threat nicely:

The dual motivations behind their activities — fulfilling state objectives and pursuing personal financial gains — make them particularly dangerous.

Threat actors exploit website infrastructure to deliver spam

A new report from Cisco Talos describes how threat actors abuse legitimate websites to distribute spam.

The infrastructure leveraged in these attacks is often used for legitimate purposes, making it difficult to block these messages. Researchers have determined that this activity has both an automated and human aspect and have observed the actor testing credentials obtained via data breaches.

Abusing web forms

Cisco Talos states that threat actors abuse web forms to bypass spam filters. For example, sites that allow users to sign up for accounts typically send a confirmation email back to the user. Actors now overload the “name” field with text and links so that the site’s own confirmation email carries the spam.

This is similarly seen with event signup forms and contact forms. Actors also use web forms related to Google quizzes and other apps.
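
A server-side check on the abused field, as an added example (not code from Cisco Talos or Tanium): it rejects submissions whose “name” looks like a spam payload and keeps an unchecked name out of the confirmation email. The length and word-count thresholds, the URL pattern and the sample submissions are constructed assumptions.

```python
"""Server-side guard for the 'name' field abuse described in the Talos report.

Added example, not code from Talos or Tanium. Thresholds, the URL pattern and
the sample submissions are constructed; tune them to your own forms.
"""
import re

MAX_NAME_LEN = 64          # assumption: no legitimate name on this form is longer
URL_RE = re.compile(r"(https?://|www\.|\b[a-z0-9-]+\.(com|net|org|ru|xyz)\b)", re.I)
# Newlines in a value that lands in an email are also a header-injection risk,
# so any control character is rejected outright.
CTRL_RE = re.compile(r"[\x00-\x1f]")


def check_name_field(name: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a submitted name."""
    if CTRL_RE.search(name):
        return False, "control characters"
    if len(name) > MAX_NAME_LEN:
        return False, "too long"
    if URL_RE.search(name):
        return False, "contains link"
    if len(name.split()) > 6:
        return False, "too many words"
    return True, "ok"


def confirmation_body(name: str) -> str:
    """Build the confirmation text; never echo a rejected name into the email."""
    ok, _reason = check_name_field(name)
    shown = name if ok else "there"   # neutral fallback keeps the payload out
    return f"Hello {shown}, please confirm your registration."


# Constructed submissions modelled on the tactic in the report.
SAMPLES = [
    "Dana Okafor",
    "Claim your prize now at www.example-scam.test before it expires",
    "A" * 300,
    "Bob\r\nBcc: victim@example.org",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_name_field(s), "->", confirmation_body(s)[:60])
```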

Breached credentials

In addition to abusing web forms, threat actors leverage breached credentials to send spam. For example, actors will use stolen credentials to try and access a victim’s email account. Direct access to the email account will often lead them to further sensitive information and enable them to receive multi-factor authentication codes via that email account.

Some actors have also been observed using stolen credentials to access outbound SMTP servers. From there, they can send messages through a legitimate mail server, which are unlikely to be blocked. Actors will create a personal/test mail account and send themselves test messages using the stolen credentials to confirm it’s working.

There are also many open-source tools available that actors can use to accomplish this. One of the more common tools is MadCat, an open-source SMTP tool with credential-stuffing capabilities.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Many of the strategies that threat actors use to abuse web forms involve sending unexpected messages – like random registration or event confirmations. End-users must carefully consider whether they are expecting messages from senders before opening them.

This is also a reminder to use good password hygiene. Threat actors commonly leverage breached credentials during attacks. Creating strong passwords can make it harder for them to access private accounts.

Recorded Future sheds light on political deepfakes

Recorded Future’s latest report analyzes 82 deepfakes collected between July 2023 and July 2024. The deepfakes impersonate public figures, including elected officials, electoral candidates, and journalists from 38 countries.

According to the report, the most common goals are promoting financial scams and fabricating inauthentic statements.

Top deepfake targets

Researchers identified deepfakes that impersonated individuals from 38 different countries, with those from the E.U. being the most frequently impersonated.

The impersonated individuals have been summed up into four categories: heads of state and heads of government, electoral candidates, elected officials, and members of the media.

Deepfake objectives

Threat actors target individuals with deepfakes for several reasons. Some do it for financial gain, which often occurs when the impersonated figures endorse fraudulent schemes. Another reason is simply to mislead the public by creating false or extreme statements and endorsements.

Recorded Future found that 26.8% of the deepfakes targeting public figures in the last year did so for financial gain, while 25.6% of incidents were found to mislead the public by creating false statements.

Emerging deepfake tactics

Recorded Future identified a few emerging tactics from their analysis:

  • Leveraging anonymous third parties as subjects to obfuscate their activities from detection
  • Targeting vulnerable users outside of social media with deepfakes
  • Creating overlays from media outlets and mimicking authentic sources
  • Making deepfakes of foreign leaders
  • Impersonating public figures’ family members to promote or discredit political leaders

Analyst comments from Tanium’s Cyber Threat Intelligence team

Threat actors are increasingly creating deepfakes and using them in conjunction with current events, like elections. This trend is likely to continue.

Organizations are encouraged to establish solid response and mitigation strategies to deal with this new threat. Understanding how to identify and handle a deepfake is critical in this new era of AI-enabled misinformation.

Recorded Future offers some great deepfake mitigation tips, including some questions you can ask to help identify them.


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
