What happened
The Democratic People's Republic of Korea (DPRK) has increasingly relied on cyber operations to generate revenue and gather intelligence. Whilst they are already synonymous with tactics of direct extortion of eye-watering amounts of digital funds (unofficial estimates of up to $4B USD aren’t uncommon), and their preference of phishing campaigns that they spread far and wide, a particularly insidious tactic is emerging of infiltrating companies by placing their own operatives within Software Developer teams (simply referred to as Devs). They’re objectives include siphoning of funds by any means possible, including the salary they’re paid, extracting intelligence and even extend to nepotism by successfully referring other DPRK associates into obtaining contracts with the same protocol, thus increasing the risk (to the victim organization) and reward to North Korea's deposit accounts.
The increased use of developers has accelerated software delivery but also introduced new security vulnerabilities. DPRK likely recruits individuals with strong technical skills, training them rigorously in cybersecurity, crypto and social engineering. These operatives are then positioned within target organizations. In the example below, the worker contacted the organization directly via Discord. Other methods have been via diplomatic channels or front companies. They will also likely work for multiple companies, thereby receiving multiple salaries, all flowing into the coffers of DPRK accounts.
A recent example has reared its head at DeltaPrime, a popular and successful decentralized borrowing and investing ecosystem. This case actually identified, not one, but three DPRK associates working as Dev personnel for the protocol. The compromise was discovered by ZachXBT, who describes himself as a “Scam survivor turned 2D investigator”. ZachXBT has a knack for outing DPRK Tactics, Techniques, and Procedures (TTPs) and highlighting his findings on X to assist tech, cyber, and DeFi communities to reduce the risks of compromise from such threats.
By researching a $1.3M USD theft of funds, ZachXBT followed the flow of funds and uncovered a cluster of addresses receiving transfers from multiple sources and traced these back by identifying the multisigs to a number of tech/DeFi protocols, including DeltaPrime. Prior to posting publicly about his research, ZachXBT reached out to alert the organizations, including, in this case, DeltaPrime. When alerted to the fact, DeltaPrime, supported by zeroShadow, sprung into action, triggering the pre-existing Incident Response Plan (IRP) already in place between the two teams. These plans ensure a timely and efficient response to incidents where areas such as the security of data, loss of funds and potential systems or wallet compromise are so time critical that every minute counts. With immediate 24/7 direct contact to all TORCH subscribing customers via various channels, zeroShadow is able to implement any pre-agreed actions when such instances occur.
The initial actions agreed between DeltaPrime and zeroShadow’s Incident Response team included immediately blocking the IT workers’ access to all accounts (including GitHub), rotating all passwords and private keys, killing any active sessions and reviewing all event logs. Although all code created by the workers was checked at the time of its submission, that and any other code they had access to is undergoing a full audit by external partners. After confirming there were no other imminent risks to the project from these three workers, DeltaPrime promptly informed their community on Discord.
DeltaPrime confirmed that the three had directly contacted them seeking employment via Discord and Telegram. The workers had been at DeltaPrime for 18 months, 8+ months and 6 months respectively having all verified themselves using fake IDs. All had been hard workers and gave no cause for concern with their work practices. They’d attend video conferences, respond to emails in a timely manner and all code submitted was on point. DeltaPrime even gave them credit for being “great programmers”, but expressed concern that the insider threat was very capable and were likely biding their time for a big payday in terms of a private key compromise, all whilst claiming a salary, by crypto of course, to pass on to their state sponsored superiors.
It was these crypto-based payments that led to the DPRK embedded employees being discovered. An exchange deposit address was identified that was receiving funds from a hacked protocol that had been paying the salary of a Dev that then flowed into an exchange account associated with Sim Hyon Sop (an OFAC sanctioned DPRK national associated with IT Workers). He was then able to use the payment addresses for this dev to trace forward to the cluster 0xb721adfc3d9fe01e9b3332183665a503447b1d35 (in his thread) and then trace backwards to 21 other developers working at unsuspecting organizations.
The full post from ZachXBT can be found here.
Analysts at zeroShadow quickly carried out research to prove, beyond all reasonable doubt, that the KYC onboarding documents provided by the staff members were fake. The workers had sent their KYC details to DeltaPrime by way of photographs or screenshots of utility bills and Identification cards. A closer and lengthy inspection of the documents identified indications that they could be fake. The energy company on the utility bill for instance, didn’t exist by the entity shown on the bill for the period in time that the bill covered. The Identity card was also outed as a fake when compared to current identity cards provided by the state the worker claimed to be from. In this case, Canada, who had updated the format of their ID cards at a time that pre-dated the ID card provided by the malicious staff member.
A list of fake names and identities suspected of being DPRK associates was compiled and shared by ZachXBT:
Don't let it be your protocol
The threat posed by DPRK-backed Dev staff highlights the critical need for robust cybersecurity and heightened due diligence of new hires. By understanding the adversary's tactics and implementing proactive measures, organizations can significantly reduce their risk of falling victim to this sophisticated cyber threat.
The below are indicators that DPRK associates may have approached, or even be working for a protocol:
The workers have a tendency to refer each other for roles, thereby increasing their income from a single victim organization. If that protocol has already accepted one DPRK associate into their fold, there’s a higher probability that they would take on another, than to try afresh with a new company who might take a more robust approach to the vetting of their contractors.
The candidates will likely have great looking resumes including plenty of GitHub activity, although their previous employment record may be fictitious, or exaggerated. This should allow potential new employers the ability to probe, ideally by reaching out to the claimed former protocols for clarification.
The staff will appear to be confident in submitting their personal details for onboarding vetting purposes but will likely submit fake IDs in the hope that teams do not investigate further. This can be a time consuming and difficult process, one that zeroShadow has a proven track record of success in and can assist organizations with.
The DPRK associates that were discovered all claimed to hail from locations other than North Korea. It’s not exactly a place that staff are often sought from! Research into these locations, backed up by questions to the candidates should allow a potential recruiter to form their own opinion on whether the locality given is accurate.
Should the Developer be relieved of their position, for whatever reason, there is a likelihood that new accounts of persons looking for work will emerge and look to contact that protocol. Before reaching out, it’s important to consider how long a job search profile or account has been active.
The new hires may initially perform more than adequate tasks but typically start to underperform as they look to simply reap the salaries from the position, rather than progress in the role.
The previous examples uncovered had a strong preference for using popular NFT profile pictures (pfps) and would speak with an obvious Korean (Asian) accent, that doesn’t necessarily fit with the locations they claim to hail from.
It’s advised to keep these indicators in mind as part of due diligence when vetting potential hires. Another recommended way to highlight any potential insider threat is to regularly review event logs and Security and Incident Event Management software for any irregularities since these new hires commenced work.
The swift actions taken by DeltaPrime with the assistance of zeroShadow prevented a potentially costly loss to the protocol and anyone who finds themselves in a similar situation, or with suspicions regarding any staff should consider approaching zeroShadow for advice.
Further advice released by OFAC in 2022 can be found here.
Original article by the zeroShadow team
Comments