Seriously Risky Business Newsletter
April 03, 2025
Bonjour, Fellow IT Workers
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Kroll.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Fraudulent North Korean IT workers are pivoting into new regions as it becomes more difficult for them to get jobs in the United States. The bad news is they are also employing new tactics that make them more dangerous.
For several years North Korea has used IT workers to raise revenue for the regime in addition to its cryptocurrency hacking efforts. These workers use fake identities and seek legitimate remote jobs across a range of industries. They are paid wages, but also leverage their privileged access to enable cyber intrusions.
In a report released this week Google's Threat Intelligence Group said North Korean IT workers were widening their global operations, with a "notable focus" on Europe. This report, and similar research from insider risk management firm DTEX, were covered by Catalin Cimpanu in our sister publication Risky Bulletin. Catalin's write-up covers the history of the IT worker scam, who has been affected and resources to help identify potential North Korean workers.
We won't rehash that, but will instead focus on some specific elements we found noteworthy.
The good news is that Google suggests the pivot to Europe is "likely" because of "challenges in seeking and maintaining employment" in the US. It cites increased public awareness, indictments and right-to-work verification challenges as possible factors. So the actions of US authorities seem to be making some difference. Yay!
Although increased focus on Europe appears to be in response to US government action, other shifts in North Korean behaviour seem to stem from improved processes. For example, Google says that North Korea is ramping up its extortion operations:
GTIG [Google Threat Intelligence Group] assesses that since late October 2024, IT workers have increased the volume of extortion attempts and gone after larger organisations. In these incidents, recently fired IT workers threatened to release their former employers' sensitive data or to provide it to a competitor. This data included proprietary data and source code for internal projects. The increase in extortion campaigns coincided with heightened United States law enforcement actions against DPRK IT workers, including disruptions and indictments.
Although Google says the increase in extortion coincides with the timing of US authorities taking action, we think adding extortion to North Korea's revenue streams just makes sense. So it isn't necessarily a reaction to pressure from law enforcement agencies.
From a helicopter view, North Korea has been using three different techniques to convert its workers' employment into money: by earning a wage; by enabling hacking operations; or through extortion.
If the employer is not a cryptocurrency-related business, hacking operations are unlikely to pay off in a big way. Two viable options remain: wages or extortion. These aren't mutually exclusive. It seems to us that the best strategy to maximise revenue while minimising effort is to do the bare minimum until the worker is fired, then extort the firm.
It also appears that North Korean workers may be attempting to enable supply chain hacks. Per CyberScoop:
Once a North Korean national is hired and starts the employment onboarding process, they move quickly to further infiltrate the organisation.
They move into virtual desktop infrastructure environments, using access granted from one entity to pivot to a third party, often a trusted partner.
"That opens up the whole threat of the supply chain being infiltrated, and that's a very, very complex problem," [DTEX co-founder and CEO Mohan] Koo said.
The opportunity for a big payday via a supply chain hack could explain another curious observation by DTEX: sometimes North Korean IT workers are standout performers.
It appears from DTEX's observations that for certain jobs teams of North Koreans are working in shifts for a particular job. Per CyberScoop:
With multiple people performing tasks assigned to one person, pulling in assistance from thousands of experts in any given field, these employees may become a rock star in the eyes of their employer. To the organisation, it looks like their best employee is doing an inordinate amount of work.
These 'employees' may work four or five days in a row before logging out. DTEX observed one stretch of activity that lasted for three weeks. We are pretty sure that North Korea is not getting paid extra for its all-nighters, and it is not clear from the report what the purpose of all this hard work is.
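The multi-day activity stretches DTEX describes are visible in ordinary session telemetry. The following is an added example, not from the newsletter or DTEX: it scans constructed "timestamp,user,event" lines and flags accounts whose activity never pauses long enough for one person to sleep. The thresholds IDLE_GAP and MAX_HUMAN_STRETCH are assumptions to tune per environment.

```python
"""Flag accounts whose activity runs far longer than one person could work.

Added example, not from the newsletter or DTEX. Events are 'timestamp,user,event'
lines; a stretch stays continuous while consecutive events are under IDLE_GAP apart."""
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_GAP = timedelta(hours=8)            # a pause this long or longer ends a stretch
MAX_HUMAN_STRETCH = timedelta(hours=20)  # anything longer warrants a look

# Constructed sample events, not real telemetry: bob never pauses for 8 hours.
SAMPLE_LOG = """\
2025-03-01T08:00:00,alice,login
2025-03-01T12:30:00,alice,commit
2025-03-01T17:00:00,alice,logout
2025-03-02T09:00:00,alice,login
2025-03-01T06:00:00,bob,login
2025-03-01T13:00:00,bob,commit
2025-03-01T20:00:00,bob,commit
2025-03-02T03:00:00,bob,commit
2025-03-02T10:00:00,bob,logout
"""

def parse_events(text):
    """Return {user: sorted datetimes} from 'ts,user,event' lines."""
    per_user = defaultdict(list)
    for line in filter(None, text.splitlines()):
        ts, user, _event = line.split(",", 2)
        per_user[user].append(datetime.fromisoformat(ts))
    return {u: sorted(v) for u, v in per_user.items()}

def longest_stretch(timestamps):
    """Longest span in which no two consecutive events are IDLE_GAP or more apart."""
    longest, start = timedelta(0), timestamps[0]
    for prev, cur in zip(timestamps, timestamps[1:]):
        if cur - prev >= IDLE_GAP:
            longest, start = max(longest, prev - start), cur
    return max(longest, timestamps[-1] - start)

def flag_continuous_workers(text, limit=MAX_HUMAN_STRETCH):
    """Return {user: hours} for accounts whose longest stretch exceeds limit."""
    flagged = {}
    for user, ts_list in parse_events(text).items():
        stretch = longest_stretch(ts_list)
        if stretch > limit:
            flagged[user] = stretch.total_seconds() / 3600
    return flagged
```

On the sample data only bob is reported (28 hours without an eight-hour pause); a real deployment would feed it VDI or IdP sign-in events and correlate with HR records before acting.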
Risky Bulletin notes:
The problem is far larger than people realize and primarily impacts large corporations where HR departments are in constant need of new IT workers or startups that lack proper hiring procedures and are desperate for cheap labor.
That sounds like … well … a lot of IT, actually. And it certainly feels like North Korea is evolving its tactics faster than authorities and employers are responding.
In other words we're reluctant to take a glass half full view of North Korea's pivot to Europe.
Signalgate Is a Massive Security Failure
The Trump Administration's widespread use of Signal for high-level discussion has almost certainly gifted adversary nations an intelligence bonanza.
When we covered the administration's use of Signal to discuss military strikes we wondered if similar chats focused on different subjects existed and… of course they do. On Sunday, The Wall Street Journal wrote:
Two U.S. officials also said that Waltz has created and hosted multiple other sensitive national security conversations on Signal with cabinet members, including separate threads on how to broker peace between Russia and Ukraine as well as military operations. They declined to address if any classified information was posted in those chats.
This is consistent with last week's leak, in that these Signal group chats contain two different types of sensitive information. The first relates to military operations and is formally classified when it contains details including dates, times, weapons systems and targets. It is easy to see how an adversary nation could use this information to obtain a tactical military advantage if it were available to them. Lives are literally at stake.
The second type of sensitive information in these chats includes the policy debates occurring between cabinet members. These discussions are not formally classified, but intelligence about them can be tremendously valuable for adversaries.
Let’s spell it out with this example: The cabinet's discussions about brokering peace between Russia and Ukraine. Intelligence from these chats would give Putin insight into what Trump was thinking and therefore give Russia a tremendous advantage in any negotiations. This is top-tier strategic intelligence.
While these discussions are not necessarily classified, it is a really dumb idea to hold them in places where foreign intelligence services (FIS) can get access to them. Like, really, really dumb.
If we weren't already, let us be very clear: Signal is just not appropriate for these conversations. It protects messages as they are sent by encrypting them, but that's just one aspect of protecting state secrets. Despite its encryption, Signal conversations remain vulnerable because the computers and smartphones the app is running on are hackable and, most importantly, connected to the internet.
In June 2023, for example, Russian cyber security firm Kaspersky reported a four-year-long campaign that compromised iPhones with a 'clickless' exploit. The spyware in that campaign was installed via an iMessage with a malicious attachment, was completely invisible to the phone's user and required no user interaction. All the attacker needed was the device's number and, boom, access to anything stored on the phone. Russia's Federal Security Service said "several thousand" phones were infected and blamed the National Security Agency for the hack.
These kinds of phone exploits aren't even restricted to state actors. Israeli spyware vendors including NSO Group and Paragon Solutions have also used clickless phone exploits. It would be foolish to assume Russian and Chinese state hackers do not have similar capabilities.
Again, let's be clear: It is very, very likely that spyware like this was present on at least one of the dozens of civilian devices that were being used to participate in these Signal discussions.
The only way to protect these types of discussions is to hold them somewhere that isn't accessible via the internet such as on secure systems attached to private networks. That isolation mitigates a whole range of threats including magic clickless exploits, spear phishing and even accidentally adding a journalist to a group chat.
Having to use special secure systems comes with costs. It is inconvenient and slow and means that the administration will be less agile when dealing with fast-moving issues. But using Signal on insecure devices is worse. They need to stop before they cause even more damage.
Three Reasons to Be Cheerful This Week:
- €1.3 billion for European tech sovereignty: The European Commission announced that it will invest the funds in critical technologies that are important for Europe's tech sovereignty. Priorities include cyber resilience, generative AI, digital skills and an EU digital identity wallet. We are skeptical about governments backing winners, but having alternative tech platforms to pick from would be good news.
- £3 million fine for security failings: The UK's Information Commissioner's Office has fined the Advanced Computer Software Group for not implementing appropriate security measures such as multi-factor authentication prior to a 2022 ransomware attack. In that attack, the LockBit ransomware group stole the data of nearly 80,000 people and also disrupted the National Health Service's 111 urgent care phone service.
- The USD$33m SIM Swap: US telco T-Mobile has agreed to pay USD$33 million in damages to Joseph "Josh" Jones after he had cryptocurrency worth about $38 million stolen following a SIM swap attack. Jones had placed an eight-digit security PIN on his T-Mobile account, but a T-Mobile employee still ported Jones' phone number to a SIM controlled by the attacker.
Sponsor Section
In this Risky Bulletin sponsor interview Ed Currie from Kroll Cyber talks to Tom Uren about the recent hack of the Gravy Analytics geolocation data provider. He explains the hack and how geolocation data can be used by malicious actors.
The Kroll team takes a look at the cyber risks emerging from leaks at data analytics and aggregators, using the recent leak of geolocation data from Gravy Analytics as a case study.

Russia Ukraine Cyber Embuggerance Continues
Over the last few weeks there have been attacks in Ukraine and Russia that illustrate the usefulness and limitations of disruptive cyber operations.
On Sunday March 20 Ukraine's state railway system was hit by what it calls a "massive targeted cyber attack" that took down its online ticketing system. Per Risky Bulletin:
The incident took place on Sunday night. In a Facebook post, Ukrzaliznytsia blamed the incident on "the enemy," a term Ukrainians use to describe Russia.
The company's website is currently down, and officials are restoring from backups. The incident was very likely a data wiper attack, which Russian hackers have employed on numerous occasions since Russia's invasion in February 2022.
Kyiv’s central railway station is packed after a massive cyberattack took down its online systems. The railway’s app is down, so people are stuck waiting in long lines to buy tickets offline.
— Daryna Antoniuk (@darynant.bsky.social) 2025-03-24T10:32:05.681Z
Since then, both Russia's state-owned railway and the Moscow subway system have been disrupted by suspected cyber attacks. Risky Bulletin reports:
Travelers were unable to access official websites and apps and purchase tickets. Both incidents are believed to be DDoS attacks and the work of Ukrainian hacktivists.
In isolation, it is hard to see how any of these cyber incidents will move the needle when it comes to the war. Is 'cyber war' just long queues to buy train tickets?
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at all the strands of evidence that make people think NSA is a top-tier cyber actor.
Or watch it on YouTube!
From Risky Bulletin:
Hackers abuse secret WordPress feature you'll probably want to disable: Hackers are abusing a little-known WordPress feature named Must Use Plugins to install and hide malware from site administrators.
Also known as mu-plugins, the Must Use Plugins feature was added to the WordPress CMS in 2022.
According to GoDaddy's Sucuri security team, threat actors began abusing Must Use Plugins since at least February this year. That abuse has now gotten worse.
[more on Risky Bulletin]
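A defender's check for the mu-plugins abuse described above, as an added example that is not from Risky Bulletin or Sucuri: it hashes every PHP file under wp-content/mu-plugins and diffs the result against a manifest the operator recorded earlier, reporting files that were never installed, altered, or removed. The sample tree and manifest it builds are constructed, and the file names in it are placeholders.

```python
"""Audit a WordPress mu-plugins directory against a known-good manifest.

Added example, not from Risky Bulletin or Sucuri. mu-plugins load automatically and
cannot be deactivated from the admin screens, so the check is file-based: every .php
under wp-content/mu-plugins is hashed and compared with what the operator expects."""
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_mu_plugins(mu_dir, expected):
    """expected maps relative path -> sha256. Returns unexpected, modified, missing lists."""
    found = {}
    # WordPress auto-loads only top-level files, but nested ones are pulled in by
    # loaders, so inventory the whole tree.
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(root, name)
                found[os.path.relpath(full, mu_dir)] = sha256_of(full)
    return {
        "unexpected": sorted(set(found) - set(expected)),
        "modified": sorted(p for p in found if p in expected and found[p] != expected[p]),
        "missing": sorted(set(expected) - set(found)),
    }

def demo():
    """Build a constructed mu-plugins tree (not a real site) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        mu_dir = os.path.join(tmp, "wp-content", "mu-plugins")
        os.makedirs(os.path.join(mu_dir, "vendor"))
        known = {"site-tweaks.php": b"<?php // in manifest\n",
                 "vendor/loader.php": b"<?php // in manifest\n"}
        for rel, body in known.items():
            with open(os.path.join(mu_dir, rel), "wb") as f:
                f.write(body)
        expected = {rel: sha256_of(os.path.join(mu_dir, rel)) for rel in known}
        # Simulate what the story describes: a file the operator never installed,
        # plus a manifest file whose contents were altered after the manifest was taken.
        with open(os.path.join(mu_dir, "cache-helper.php"), "wb") as f:
            f.write(b"<?php // not in manifest\n")
        with open(os.path.join(mu_dir, "site-tweaks.php"), "ab") as f:
            f.write(b"// appended later\n")
        return audit_mu_plugins(mu_dir, expected)
```

Run the manifest step on a clean deployment and re-run the audit from a scheduled job or a file-integrity monitor; an unexpected top-level file in this directory executes on every request, so it deserves the same scrutiny as a new cron entry.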
France runs phishing test on 2.5 million students: Last week the French government conducted a large-scale phishing test on over 2.5 million middle and high school students.
The test included a link in the students' school digital workspace that advertised cheats and cracked games and redirected them to a phishing awareness video.
According to CNIL, France's privacy watchdog, over 210,000 students clicked the link, representing roughly one in twelve students.
The phishing test was named Operation Cactus and is—to our knowledge—the largest phishing test conducted to date.
[more on Risky Bulletin]