
North Korean hackers show telltale signs, researchers say


North Korean threat actors are leaving some telltale signs that could allow network defenders to spot and block malicious activity.

Researchers with security firm ReliaQuest found that, in many cases, groups working out of the Hermit Kingdom tend to give away their intentions with a series of common blunders and activity patterns.

“In recent weeks, the ReliaQuest Threat Research team has identified and investigated over 25 North Korean insider threats across its customer base,” ReliaQuest explained.

“As part of a growing trend, these state-sponsored operatives infiltrate Western companies under fake identities, often posing as skilled freelancers or contractors to generate revenue for the North Korean regime.”

Cybercrime is a favored tactic amongst the North Korean regime as the dictatorship looks to use stolen cryptocurrency funds as a means of working around economic sanctions.

In doing so, however, the DPRK hacking groups have developed a distinctive set of behavioral patterns that experts believe can be tracked to identify and prevent possible scams before they turn into major financial or data breaches.

It has been known for some time that the North Korean government uses the guise of IT contractors and freelance workers as a means of gaining entry into Western companies and using that access to break into financial accounts and crypto wallets, ultimately funneling the spoils of their efforts back to accounts controlled by the North Korean government.

According to ReliaQuest, in many cases these sorts of infiltration attempts can be spotted because the job applications are simply too good to be true. Using automated tools and AI platforms, the phony applicants will often portray themselves as having credentials and experience far beyond what would be expected for someone seeking an entry- or mid-level position.

“We’ve seen a surge in North Korean IT workers going after full-stack development roles, especially in contractor and freelancer positions. Their profiles are littered with red flags — boasting up to 12 years of sketchy, copy-paste experience that doesn’t pass the smell test,” the ReliaQuest team explained.

“These accounts are ghost-like, with barely any posts, reactions, or comments, yet they pack a laundry list of flashy skills, including Blockchain, AI, Cryptocurrency, Smart Contracts, MERN/MEAN stack, Next.js, Tailwind CSS, AWS, Microservices, GraphQL, E-commerce, React, Angular, TypeScript, SQL, MongoDB, and Rust.”

Another tell employed by North Korean hackers is the use of VPN and ISP services from countries allied with North Korea. The ReliaQuest researchers noted that in many cases connections from North Korea are masked using the Astrill VPN application. When not covered, IP addresses are traced to the likes of China Unicom and Russia TTK ISPs, both providers operating with the blessing of their respective government regimes.
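The VPN and ISP tells described above can be turned into a simple sign-in triage check. The following is an added example, not ReliaQuest's code; it assumes sign-in events have already been enriched with a VPN provider and ASN organization name (the `vpn` and `asn_org` field names are hypothetical), and the log lines are constructed for illustration.

```python
import json
from collections import defaultdict

# Tells taken from the ReliaQuest findings: the Astrill VPN application and
# the China Unicom / Russia TTK ISPs. Matching is on whole words, lower-cased.
VPN_TELLS = {"astrill"}
ISP_TELLS = {"china unicom", "ttk"}

# Constructed sample sign-in events (one JSON object per line), assumed to be
# the output of a GeoIP/ASN enrichment step. Field names are hypothetical.
SAMPLE_LOG = """
{"user":"dev.contractor1","src_ip":"203.0.113.10","asn_org":"China Unicom","vpn":""}
{"user":"dev.contractor1","src_ip":"198.51.100.7","asn_org":"Astrill VPN Ltd","vpn":"Astrill"}
{"user":"alice","src_ip":"192.0.2.44","asn_org":"Example Broadband","vpn":""}
{"user":"dev.contractor2","src_ip":"198.51.100.9","asn_org":"TTK","vpn":""}
""".strip()


def classify_event(event):
    """Return the list of tells matched by one enriched sign-in event."""
    # Pad with spaces so that "ttk" only matches as a whole word.
    vpn = f" {event.get('vpn', '').lower()} "
    org = f" {event.get('asn_org', '').lower()} "
    tells = []
    if any(f" {t} " in vpn or f" {t} " in org for t in VPN_TELLS):
        tells.append("astrill_vpn")
    if any(f" {t} " in org for t in ISP_TELLS):
        tells.append("allied_isp")
    return tells


def flag_users(log_text):
    """Aggregate tells per user across all events; users with none are omitted."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        for tell in classify_event(event):
            findings[event["user"]].add(tell)
    return {user: sorted(tells) for user, tells in findings.items()}


if __name__ == "__main__":
    for user, tells in flag_users(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(tells)}")
```

A match is a lead for identity verification of the account holder, not proof of anything on its own; the article notes the same infrastructure is used by ordinary outsourcers.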

Finally, ReliaQuest said, there is the use of IP-KVM tools. These remote management devices allow the attackers to covertly access systems without leaving a traceable log of activity or a software footprint.

The researchers said that such devices are growing in popularity amongst cybercriminals due to their ability to evade immediate detection.

“IP-KVMs aren’t exclusive to North Korean insiders — ReliaQuest has seen them used by other users outsourcing work to low-wage countries to boost profits,” ReliaQuest noted.

“These outsourcers often juggle jobs at multiple companies and share many of the same tactics as North Korean operatives, making it tough to tell them apart.”

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
