Researchers from Microsoft have uncovered that a North Korean hacking group, known as Sapphire Sleet, has pilfered over $10 million in cryptocurrency through an elaborate LinkedIn-driven social engineering scheme. Over six months, operatives associated with the hermit nation executed operations leveraging fake LinkedIn profiles while pretending to be both recruiters and job seekers.
Clever Impersonation and Malware Tactics
Sapphire Sleet, with ties to the well-known APT38 and BlueNoroff groups, has been active since at least 2020. This threat actor has built an infrastructure that mimics skills assessment platforms to deceive targets. One prevailing tactic sees the attackers feigning venture capital interest in a target company and arranging virtual meetings that steer the victim toward fake support channels. Victims who engage with these fake support channels receive malicious scripts tailored to their operating system (AppleScript for macOS, Visual Basic Script for Windows) that purport to fix the access problem. These scripts instead download malware to the victim's system, enabling the attackers to steal credentials and cryptocurrency wallets.
Masquerading as Financial Recruiters
Microsoft reports that Sapphire Sleet has masqueraded as recruiters from prestigious firms, including Goldman Sachs, on LinkedIn. The objective is to entice targets to undertake skills assessments on websites controlled by the attackers, which results in malware infections when the target accesses these fake platforms.
Broader Implications of North Korean IT Operations
Beyond direct cyber theft, North Korea employs a multi-pronged strategy involving the deployment of IT workers internationally. These workers generate revenue for the country through legitimate means, employ their access to exfiltrate intellectual property, and engage in data theft for ransom. Given the difficulty for North Koreans to obtain external banking or telecommunication services, these operations frequently involve facilitators to circumvent such barriers.
AI Tools Fueling Deception
These IT operatives have also turned to artificial intelligence tools such as Faceswap to modify photographs and documents, adding a veneer of professionalism to fraudulent LinkedIn and GitHub profiles. This tactic bolsters their job applications and recruitment efforts. Additionally, North Korean operatives have been testing AI-driven voice-altering software to enhance their deceptions. Through these comprehensive operations, in which financial gains are also tracked meticulously, North Korean IT workers have reportedly accrued an additional $370,000 from freelance platforms, highlighting their ongoing and evolving capabilities.