
CrowdStrike exposes North Korea's covert workforce in US technology




North Korean attackers successfully posed as applicants and placed over 100 of their undercover team members primarily in U.S. companies in the aerospace, defense, retail and technology industries.

CrowdStrike's 2024 Threat Hunting Report reveals how the North Korea-nexus adversary FAMOUS CHOLLIMA uses fake and stolen identity documents to get its operatives hired as remote IT workers, where they exfiltrate data and conduct espionage undetected.

FAMOUS CHOLLIMA is affiliated with North Korea's elite Reconnaissance General Bureau (RGB) and Bureau 75, two of North Korea's most advanced cyberwarfare organizations. Its specialty is deploying insider threats at scale: illegally taking freelance or full-time equivalent (FTE) jobs to earn salaries that flow back to North Korea to fund its weapons programs, while also conducting ongoing espionage.

“The most alarming aspect of the FAMOUS CHOLLIMA campaign is the sheer scale of this insider threat. CrowdStrike has notified over a hundred victims, mostly U.S. companies who unknowingly hired North Korean agents,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, told VentureBeat.

“These individuals infiltrate organizations, particularly in the technology sector, not to make contributions but to funnel stolen funds directly into the regime's weapons program,” Meyers said.

North Korea took the opportunity to exploit trust

“This increase in North Korean telecommuting activity shows how adversaries are exploiting trust in our telecommuting environment,” Meyers noted in a recent interview with VentureBeat.

Knowing that companies were letting their IT teams work from home by default, and that public opinion in the U.S., Europe, Australia and Asia favored remote work, North Korea saw an opportunity to exploit the resulting lack of scrutiny and security.

Systematically targeting more than 100 companies, infiltrating them with malicious insiders, and drawing those insiders from an elite FAMOUS CHOLLIMA team to carry out the attack is unprecedented. It ushers in a new era of cyber warfare and should be a wake-up call for any company hiring remotely today.

“After COVID, remote onboarding became the norm, and so we've seen stolen identities used to pass security checks and get jobs, and then used to exfiltrate data or steal funds. Fifty percent of the cases observed by CrowdStrike were used for data exfiltration. The processes created to facilitate remote work are being weaponized against us,” he said.

Anatomy of North Korea’s insider attack

“Many still underestimate North Korea's cyber capabilities, dismissing it as a 'hermit kingdom.' But they have been investing in cyber talent since the late 1990s, with a strategic emphasis on STEM education from a young age. This latest, sophisticated campaign shows that they are not just a threat, but a sophisticated adversary that we must take seriously. We are only scratching the surface of their operations,” Meyers said.

Beginning in 2023, FAMOUS CHOLLIMA initially targeted 30 U.S. companies in the aerospace, defense, retail, and technology sectors, posing as U.S. citizens applying for remote IT positions. Once hired, the operatives performed minimal work related to their position and attempted to exfiltrate data using Git, SharePoint, and OneDrive.

The malicious insiders also quickly installed Remote Monitoring and Management (RMM) tools such as RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop to maintain persistence on the compromised network. With these tools in place, they connected to the victim's systems from multiple IP addresses while appearing legitimate and blending in with normal network activity. From there they could execute commands, consolidate their foothold, and move laterally within the network without immediately raising alarms.
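Two of the behaviours described above, unsanctioned RMM tool execution and one account connecting from many source IPs in a short window, are straightforward to hunt for in endpoint telemetry. The following is an added example, not code from CrowdStrike or the report; the process and command-line indicators, the approved-tool list and the sample events are all constructed for illustration.

```python
"""Detect unsanctioned RMM tool execution and multi-IP account activity.
All events below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Process-name / command-line indicators for the RMM tools named in the report.
# The names are this example's assumptions; tune them to your own telemetry.
RMM_INDICATORS = {
    "rustdesk.exe": "RustDesk",
    "anydesk.exe": "AnyDesk",
    "remoting_host.exe": "Chrome Remote Desktop",
}
CMDLINE_INDICATORS = {"code tunnel": "VS Code Dev Tunnels"}
APPROVED_RMM = {"AnyDesk"}  # hypothetical: the one tool IT actually sanctions

# Constructed endpoint telemetry: (timestamp, host, user, process, cmdline, src_ip)
EVENTS = [
    ("2024-04-02T09:01:00", "ws-17", "jdoe", "outlook.exe", "outlook.exe", "10.1.2.3"),
    ("2024-04-02T09:04:00", "ws-17", "jdoe", "rustdesk.exe", "rustdesk.exe --service", "10.1.2.3"),
    ("2024-04-02T09:05:00", "ws-17", "jdoe", "code.exe", "code tunnel --accept-server-license-terms", "10.1.2.3"),
    ("2024-04-02T10:10:00", "ws-17", "jdoe", "explorer.exe", "explorer.exe", "203.0.113.9"),
    ("2024-04-02T10:40:00", "ws-17", "jdoe", "explorer.exe", "explorer.exe", "198.51.100.4"),
    ("2024-04-02T11:00:00", "ws-22", "asmith", "anydesk.exe", "anydesk.exe", "10.1.2.8"),
]

def unsanctioned_rmm(events):
    """Return (host, user, tool) for each RMM execution that is not on the approved list."""
    hits = []
    for _ts, host, user, proc, cmdline, _ip in events:
        tool = RMM_INDICATORS.get(proc.lower())
        if tool is None:  # fall back to command-line matching (e.g. VS Code tunnels)
            tool = next((t for k, t in CMDLINE_INDICATORS.items() if k in cmdline.lower()), None)
        if tool and tool not in APPROVED_RMM:
            hits.append((host, user, tool))
    return hits

def multi_ip_users(events, window=timedelta(hours=2), threshold=3):
    """Return users seen from >= threshold distinct source IPs within any sliding window."""
    by_user = defaultdict(list)
    for ts, _host, user, _proc, _cmd, ip in events:
        by_user[user].append((datetime.fromisoformat(ts), ip))
    flagged = set()
    for user, seen in by_user.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            ips = {ip for t, ip in seen[i:] if t - t0 <= window}
            if len(ips) >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)
```

On the sample data, `jdoe` is flagged on both counts while `asmith`'s AnyDesk use passes because that tool is on the approved list; in production, feed the two functions from your EDR process and authentication logs.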

CrowdStrike's report found that organizations are seeing a 70% increase in attackers' use of RMM tools year-over-year. RMM tool exploitation accounts for 27% of all manual endpoint attacks. Nowhere was this more evident than in North Korea's massive insider attack on more than 100 leading technology companies.

In April 2024, CrowdStrike Services responded to the first of several incidents in which malicious insiders from FAMOUS CHOLLIMA targeted more than 30 U.S.-based companies. North Korean agents pretended to be based in the U.S. and were hired for several remote IT positions in early 2023.

Earlier this year, several investigations into North Korean IT-worker employment schemes and related fraud were already underway. By collaborating with these broader investigations, CrowdStrike was able to identify FAMOUS CHOLLIMA insiders who had applied to or were actively working at more than 100 different companies, most of them U.S.-based technology companies. The repeated detection of similar tactics, techniques, and procedures (TTPs) across multiple incidents allowed CrowdStrike to identify a coordinated campaign.

The FBI and the Department of Justice have reacted quickly, but massive insider threats continue

On May 16 of this year, the Federal Bureau of Investigation (FBI) issued a warning to American companies that “North Korea is evading U.S. and UN sanctions by targeting private companies to illegally generate significant revenue for the regime.” The Department of Justice (DoJ) quickly took action against laptop farms that FAMOUS CHOLLIMA recently created by incentivizing two Americans.

The first indictment was filed on May 16 against an Arizona woman accused of giving North Korea access to 300 IT firms. The second indictment was filed on August 8 against a man in Nashville, Tennessee, for operating a laptop farm that allowed members of FAMOUS CHOLLIMA to work undetected for months at a time, earning salaries that went directly to North Korea's weapons program. The indictment highlights the global scope of the group's activities, which span seventeen countries and eleven industries.

“Last week, the Department of Justice arrested a Tennessee man accused of running a laptop farm system that helped North Korean IT workers get remote jobs at Fortune 500 companies. This is consistent with activities that CrowdStrike tracked as FAMOUS CHOLLIMA,” Meyers told VentureBeat.