North Korean Fake IT Workers Leverage GitHub to Build Personas

North Korean-linked hackers are pursuing the fake IT worker scheme with new tactics, according to human risk security company Nisos.
The firm is tracking a global network of IT workers posing as Vietnamese, Japanese and Singaporean nationals who are attempting to obtain employment in remote engineering and full-stack blockchain developer positions in Japan and the US.
In a March 4 report, Nisos said it had identified six personas – two of whom appear to have gained employment and four who are looking to obtain remote positions.
All are using GitHub to create new personas, or are reusing existing GitHub accounts and portfolio content from older personas to backstop their new ones.
North Korean IT Workers Fund Pyongyang’s Nuclear Programs
Nisos assessed that this network is likely part of the North Korean fake IT worker scheme based on a range of tactics, techniques and procedures (TTPs) that align with previously reported campaigns:
- Personas claim experience in three areas: web and mobile application development, multiple programming languages and blockchain technology
- Personas have accounts on employment and people information websites, IT industry-specific freelance contracting platforms, software development tools and platforms and common messaging applications, but they typically lack social media accounts, suggesting that the personas are created solely for the purpose of acquiring employment
- Profile photos are digitally manipulated: the IT worker’s face is often pasted on top of a stock photo to show the individual working with colleagues
- Personas within the network use similar email addresses
- Email addresses often include the same numbers, such as 116, and the word “dev”
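The email and social media indicators above can be turned into a first-pass screening check for a hiring pipeline. The following is an added example, not code from Nisos or from the original article; the applicant records are constructed, and the field names (`email`, `social_accounts`) and the two-digit minimum for a number run are assumptions. A match is a prompt for manual review, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample records; names and addresses are not real.
APPLICANTS = [
    {"name": "Applicant A", "email": "skydev116@example.com", "social_accounts": 0},
    {"name": "Applicant B", "email": "dev.huy116@example.org", "social_accounts": 0},
    {"name": "Applicant C", "email": "maria.lopez@example.net", "social_accounts": 3},
    {"name": "Applicant D", "email": "web116dev@example.com", "social_accounts": 0},
    {"name": "Applicant E", "email": "j.tanaka1990@example.org", "social_accounts": 2},
    {"name": "Applicant F", "email": "devon.reed@example.com", "social_accounts": 4},
]

KEYWORDS = ("dev",)  # word the report says recurs in persona addresses

def email_tokens(email):
    """Return (digit runs, watched keywords) found in the local part."""
    local = email.split("@", 1)[0].lower()
    nums = sorted(set(re.findall(r"\d{2,}", local)))
    kws = sorted(k for k in KEYWORDS if k in local)
    return nums, kws

def cluster_by_shared_tokens(applicants, min_size=2):
    """Group applicants whose addresses share the same number AND keyword."""
    groups = defaultdict(list)
    for a in applicants:
        nums, kws = email_tokens(a["email"])
        for n in nums:
            for k in kws:
                groups[(n, k)].append(a["name"])
    return {key: names for key, names in groups.items() if len(names) >= min_size}

def review_queue(applicants):
    """Clustered applicants who also have no social media accounts on record."""
    clustered = {n for names in cluster_by_shared_tokens(applicants).values() for n in names}
    return sorted(a["name"] for a in applicants
                  if a["name"] in clustered and a["social_accounts"] == 0)

if __name__ == "__main__":
    print(cluster_by_shared_tokens(APPLICANTS))
    print(review_queue(APPLICANTS))
```

Requiring both a shared number and the keyword keeps an address such as `devon.reed` (keyword only) or `j.tanaka1990` (number only) out of the cluster, which matters because "dev" on its own is common among legitimate developers.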
Nisos assessed that the network’s objective is to earn cash to fund Pyongyang’s ballistic missile and nuclear weapons development programs.
These findings come a few weeks after reports of North Korean hackers stealing GitHub profiles to create fake IT worker personas in a new malware campaign targeting freelance developers with deceptive job advertisements and malicious software disguised as legitimate tools.
The campaign, linked to a threat actor called ‘DeceptiveDevelopment,’ uses fake websites, GitHub repositories and social engineering tactics to trick victims into downloading malware that can compromise their systems and steal sensitive information.
Nisos Threat Prevention Recommendations
The firm provided a list of recommendations for companies to avoid falling for this type of scheme.
These include:
- Ensuring applicants provide identification documentation in person to enable human resource teams to better identify falsified documentation
- Conducting a detailed review of the applicant’s online presence for consistency in name, appearance, work history and education before offering employment