RSAC2022 tackles imposters

The Biden administration warned in May that the freelancer you hired to code may be a North Korean spy. These cyber spies are posing as remote, contract IT workers and infiltrating malware into all forms of networks.

“In many cases, workers represent themselves as U.S.-based and/or non-North Korean teleworkers,” the advisory said. “The workers may further obfuscate their identities and/or location by subcontracting work to non-North Koreans.”

The North Koreans work in trade, technology, science and education. They provide funding for government programs including nuclear and conventional weapons. They target small to medium businesses (SMBs) making dating apps, online gambling programs, mobile and web apps, mobile games, general IT support, artificial intelligence apps, virtual reality and augmented reality programming, facial recognition technology and hardware development. In other words, everything.

In the past, North Korea has funded much of its nuclear weapons programs by selling hackers worldwide phishing and ransomware kits that require the buyers to turn over 50 per cent of their proceeds. However, security awareness and just plain market saturation are limiting the market for one-off hackers. The barrier to funding increased with the destruction of cryptocurrency value this past year. That has prompted North Korea to change its strategy to a long con with quick cash upfront.

North Korean ATM

The published guidance jointly issued by the Treasury Department, the FBI, the NSA and CISA said the spies send their paychecks directly to the government to finance weapons programs. “They can individually earn more than $300,000 a year in some cases, and teams of IT workers can collectively earn more than $3 million annually,” the advisory said. But their long-term goal is infiltrating the military, government and infrastructure that are serviced by SMBs.

SMBs lack in-house security staff due to budget restrictions, high competition for cyber employees and the desire of most workers to work from home. That makes low-cost, often offshore, contractors the best choice, and they get little inspection.

CISOs that Cyber Protection Magazine contacted in the US, Canada and the UK said they have yet to see evidence of such infiltrations. But several cyber intelligence vendors at the RSA Conference in San Francisco (#RSAC2022) reported seeing several instances of North Korean code popping up in startup apps.

The question is how companies can prepare for it, detect it as it happens, and fix any damage done to their networks.

The Biden administration said “red flag” indicators of suspect workers include inconsistencies in the spellings of their names, nationalities, work locations, contact information, educational and work histories, and other details in their social media profiles and the developers’ freelance platforms and portfolio websites.

No shortcuts

Properly vetting a candidate is crucial to protecting against fraud. Lesley Carhart, North American incident response director for Dragos, said that unprepared companies responding to an attack often rush the vetting process. She said they will search for services from big companies, then smaller companies, then people they heard at a conference, and all are overbooked.

“They keep crawling down the list until they find somebody who will say yes. But there are people out there who take advantage of that,” she explained. “I can totally understand how companies fall for that.”

Even if a company does sufficient due diligence, it can be tricked into hiring the wrong person. North Korean spies use VPNs to hide their real location and misattribution to mask their identities.

“This innovative approach allows organizations to allow a remote workforce and rely more on skilled contractors. Private VPNs enable and conceal malicious intent,” said Thomas Pore, Director of Security Products at LiveAction.

Misattribution cuts both ways

At #RSAC2022 Kevin Delaney, director of solutions engineering at Security Compass, warned of bait-and-switch job services. Some will stand in for the job seeker in Zoom interviews, so a potential employer ends up hiring someone other than the person they interviewed.

Law enforcement uses misattribution to find cybercriminals, but it is also useful for this kind of infiltration. Then there are the commercial tools that facilitate misattribution.

Telos offers Ghost, a cloud-based misattribution platform that is similar to, but more muscular than, a VPN. The service hides “critical assets, data, devices, and personnel from adversaries,” according to Hugh Barrett, chief product officer for Telos. However, he admitted that criminals might use it to impersonate legitimate contractors. Barrett said the company “comprehensively vets potential customers.” He was unable to give any details on how that vetting is done. There are other companies providing similar tools, including several on the Dark Web. These tools make it easier for criminals to take advantage of victims who are in too much of a hurry to fill a position.

Another form of misattribution is “star jacking.” GitHub awards stars to developers with good reviews on their code. That gives hiring companies insight into the quality of a developer’s skill. According to Ravi Sharir, chief product officer for Checkmarx, hackers can steal stars and insert them into their own accounts.

Zero means Zero

All this means companies will have to employ tools and techniques to monitor and remove malware intrusions during development. Some of the companies that can do this include Checkmarx, Noetic and Fletch.

Grant Wernick, the Fletch CEO, said their technology can, within seconds, show all logins by location. “The attacker would likely be smart enough not to have a location that ties back to North Korea. Look for those logging in from locations you don’t recognize or multiple locations in a very short period of time.” That can be a red flag that the consultant is using misattribution.
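The two checks Wernick describes (logins from locations you don’t recognize, and one account appearing in several locations within a short window) are simple enough to run over an exported authentication log. The script below is an added illustration written for this article; it is not Fletch’s product or any vendor’s code. It assumes a CSV-style export with the source country already resolved per line, a constructed six-line sample using documentation IP ranges, an assumed allowlist of expected countries, and an assumed one-hour window for “a very short period of time.”

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample (not real data): "timestamp,user,source_ip,country" as an
# SSO or VPN gateway might export it. IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-06-06T08:02:11Z,contractor-a,203.0.113.7,US
2022-06-06T08:40:11Z,contractor-a,198.51.100.22,NL
2022-06-06T09:15:45Z,contractor-b,192.0.2.14,CA
2022-06-06T12:30:00Z,contractor-a,203.0.113.7,US
2022-06-07T02:05:19Z,contractor-b,198.51.100.90,RU
2022-06-07T02:20:19Z,contractor-b,192.0.2.14,CA
"""

# Assumption: the countries this (hypothetical) company expects its contractors to work from.
KNOWN_COUNTRIES = {"US", "CA"}
# Assumption: what counts as "a very short period of time" between two locations.
WINDOW = timedelta(hours=1)


@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    ip: str
    country: str


def parse_log(text: str) -> List[Login]:
    """Parse the four-column export; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, ip, country = line.split(",")
        events.append(Login(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country))
    return events


def unknown_location_logins(events: List[Login], known=KNOWN_COUNTRIES) -> List[Login]:
    """First red flag: any login whose source country is not on the allowlist."""
    return [e for e in events if e.country not in known]


def multi_location_logins(events: List[Login], window=WINDOW) -> List[Tuple[str, str, str, int]]:
    """Second red flag: the same account seen in two different countries within `window`.

    Returns (user, earlier_country, later_country, minutes_apart) for every such pair.
    """
    by_user: Dict[str, List[Login]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    findings = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e.ts)
        for i, first in enumerate(logins):
            for later in logins[i + 1:]:
                gap = later.ts - first.ts
                if gap > window:
                    break  # sorted by time, so nothing further is inside the window
                if later.country != first.country:
                    findings.append((user, first.country, later.country, int(gap.total_seconds() // 60)))
    return findings


def review(text: str) -> Dict[str, int]:
    """Run both checks and return a count of findings per check."""
    events = parse_log(text)
    return {
        "unknown_location": len(unknown_location_logins(events)),
        "multi_location": len(multi_location_logins(events)),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unknown_location_logins(evs):
        print(f"unknown location: {e.user} from {e.country} ({e.ip}) at {e.ts:%Y-%m-%d %H:%M}Z")
    for user, c1, c2, mins in multi_location_logins(evs):
        print(f"multiple locations: {user} seen in {c1} then {c2} {mins} minutes apart")
```

Neither check proves misattribution on its own: a traveling employee or a corporate VPN egress can trip them too. The useful output is the list of accounts to ask questions about, which is exactly what Wernick’s “look for” advice calls for.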

In the end, it comes down to adopting a zero-trust philosophy and infrastructure regardless of resident or remote status.

Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he has covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.
