CrowdStrike 2024 report exposes North Korea’s covert workforce in U.S. tech firms

North Korean nation-state attackers were successfully posing as job applicants and have placed more than 100 of their covert team members in primarily U.S.-based aerospace, defense, retail and technology companies.

CrowdStrike’s 2024 Threat Hunting Report exposes how North Korea-Nexus adversary FAMOUS CHOLLIMA is leveraging falsified and stolen identity documents, enabling malicious nation-state attackers to gain employment as remote I.T. personnel, exfiltrate data and perform espionage undetected.

Affiliated with North Korea’s elite Reconnaissance General Bureau (RGB) and Bureau 75, two of North Korea’s advanced cyberwarfare organizations, FAMOUS CHOLLIMA‘s specialty is perpetuating insider threats at scale, illicitly obtaining freelance or full-time equivalent (FTE) jobs to earn a salary funneled to North Korea to pay for their weapons programs, while also performing ongoing espionage.

“The most alarming aspect of the campaign from FAMOUS CHOLLIMA is the massive scale of this insider threat. CrowdStrike notified over a hundred victims, primarily from U.S. companies who unknowingly hired North Korean operatives,” Adam Meyers, head of counter adversary operations at CrowdStrike, told VentureBeat.

“These individuals infiltrate organizations, particularly in the tech sector, not to contribute but to funnel stolen funds directly into the regime’s weapons program,” Meyers said.

North Korea seized an opportunity to exploit trust

“This surge in North Korean remote work schemes activity highlights how adversaries are exploiting the trust of our remote work environment,” notes Meyers in a recent VentureBeat interview.

Knowing corporations have standardized on having their I.T. teams remote, and how public opinion in the U.S., Europe, Australia and on the Asian continent favors remote working, North Korea saw an opportunity to exploit the lack of verification and security to its advantage.   

Systematically targeting more than 100 companies to infiltrate with malicious insiders, and then screening members of an elite team of attackers to be part of the FAMOUS CHOLLIMA team to lead an insider attack is unprecedented. It signals a new era in cyber warfare and needs to be a wake-up call to any business doing remote hiring today.

“After COVID, remote onboarding became the norm, and thus we’ve seen stolen identities being used to pass security checks and land jobs and then used to exfiltrate data or steal funds. Fifty percent of the cases CrowdStrike observed were used for data exfiltration. The processes created to facilitate remote work are being weaponized against us,” he said.

Anatomy of North Korea’s insider threat attack

“Many still underestimate North Korea’s cyber capabilities, dismissing them as a ‘hermit kingdom.’ But they’ve been investing in cyber talent since the late 1990s, with a strategic focus on STEM education from a young age. This recent sophisticated campaign shows that they’re not just a threat but a sophisticated adversary that we must take seriously. We’re only scratching the surface of their operations,” Meyers said.

Starting in 2023, FAMOUS CHOLLIMA initially targeted 30 U.S.-based companies from aerospace, defense, retail and technology, claiming to be U.S. residents applying for remote IT positions. Once hired, attackers did minimal tasks related to their job role while attempting to exfiltrate data using Git, SharePoint and OneDrive.

Malicious insiders were also quick to install Remote Monitoring and Management (RMM) tools, including RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels and Google Chrome Remote Desktop to maintain persistence within the compromised network. After these tools were installed, they were able to use multiple IP addresses to connect to the victim’s system, appearing legitimate and blending into normal network activity. The malicious insiders could then execute commands, establish footholds and move laterally within a network without raising immediate alarms.

CrowdStrike’s report found that organizations are seeing a 70% year-over-year increase in adversary use of RMM tools. RMM tool exploitation accounts for 27% of all hands-on-keyboard intrusions on endpoints. Nowhere was that more evident than in North Korea’s massive insider threat attack across more than 100 leading technology firms.  

In April 2024, CrowdStrike Services responded to the first of several incidents in which FAMOUS CHOLLIMA malicious insiders targeted more than 30 U.S.-based companies. North Korean operatives claimed to be U.S. residents and were hired in early 2023 for multiple remote I.T. positions.

Multiple investigations were in progress earlier this year into North Korean work schemes and fraud. By collaborating with broader ongoing investigations, CrowdStrike was able to identify FAMOUS CHOLLIMA insiders applying to or actively working at more than 100 unique companies, most of which were U.S.-based technology entities. The repeated detection of similar tactics, techniques, and procedures (TTP) across multiple incidents enabled CrowdStrike to identify a coordinated campaign.

FBI, DOJ took swift action yet large-scale insider threats continue

“Last week, the Justice Department arrested a Tennessee man accused of running a laptop farm scheme that helped North Korean I.T. workers secure remote jobs at Fortune 500 companies. This is consistent with activity that CrowdStrike has tracked as FAMOUS CHOLLIMA,” Meyers told VentureBeat.