Cyber Flash Point. Breaking News on Insider Threats to US Organizations
How would you know if a seemingly perfect employee was actually an imposter? Behind this facade was a North Korean operative, a meticulously trained spy. In Cyber Flash Point we cover Breaking News on Insider Threats to US Organizations.
Topics: Insider Threats to US Organizations, how to reduce insider threats, top news on insider threats to us organizations, top cyber flash points, Insider Threat, cyber flash point, how the drpk uses it workers for cybercrime, common insider risks in security, new types of insider risks in security, stories of insider risks in cyber security, surprising stories of insider risks in cyber security, how north korea uses cyber crime against us companies, how remote i.t. workers spy on us companies, how north korea uses it workers for cybercrime, insider threats, North Korean spy, stolen identity, AI-enhanced photos, background checks, interviews, exfiltrate sensitive information, endpoint detection and response, internal investigation, containment, vetting processes, security monitoring
Chapters
- 00:00 Introduction: The Threat of Insider Imposters
- 02:49 Infiltration: How a North Korean Spy Gained Trust
- 07:48 Detection: Unusual Network Activity Raises Red Flags
- 09:58 Containment: Preventing Further Compromise
- 13:38 The Reality of Insider Threats
- 21:46 Addressing Insider Threats: Collaboration and Vigilance
Takeaways
- Insider threats are a real and significant risk to organizations.
- Background checks and interviews may not be sufficient to detect sophisticated spies.
- Endpoint detection and response software can help detect and contain insider threats.
- Robust vetting processes and continuous security monitoring are essential to prevent insider threats.
- Collaboration between HR, IT, and security teams is crucial to address insider threats.
Sound Bites
- "How would you know if a seemingly perfect employee was actually an imposter?"
- "Behind this facade was a North Korean operative, a meticulously trained spy"
- "The truth unraveled though. Unusual network activity was the first clue"
Summary
The conversation discusses a real-life incident where a North Korean spy infiltrated a security awareness company by posing as a trusted employee. The spy used a stolen identity and AI-enhanced photos to pass background checks and interviews. The spy's mission was to exfiltrate sensitive information and funnel money back to North Korea.
The company's endpoint detection and response software detected the spy's activities, leading to an internal investigation and the containment of the device. The conversation also highlights the broader issue of insider threats and the need for robust vetting processes and continuous security monitoring.
TRANSCRIPT
ON AIR (00:02.666)
Hey, what if the person handling your company's sensitive information was actually a spy? How would you know? Do you think your organization is so sophisticated you would know if a seemingly perfect employee was actually an imposter? What measures do you have in place to prevent your organization from giving the keys to the castle to a threat actor? Today's CYBER FLASH POINT
is about how to reduce insider threats as we explore some brand new top news from insider threats to US organizations.
ON AIR (00:50.184)
insert the intro
ON AIR (00:56.694)
Hey, welcome everybody to cybercrime check is this your host David Mauro today I'm going to tell you a story that seems like it's ripped out of the pages of a spy now. But it's a chilling reality. Great credit goes out to know before the security awareness company and platform that many use and leverage for test fishing and other simulations. They've got the largest security awareness library on the planet.
But credit goes out to them for their transparency in their efforts to spread awareness and sharing this compromising kind of event because it happened to them. Now, keep in mind, before states clearly at the start that no, we have to hear the story. Please keep in mind there was no.
illegal access gained, no data was lost, compromised, there was no data breach, nothing was exfiltrated from any know before systems. It's not a data breach notification, there was not. It's really an organizational learning moment. And I really wanted to bring it to your attention. Because if it can happen to them, it can happen to almost anyone. So it began innocuously enough.
a job application from an experienced IT professional. His resume was impeccable. His references were glowing. He sailed through the interview process and soon became, you know, a trusted member of the team where they shipped him out a Mac laptop to his residence here in the US. And everything seemed on the up and up until it was.
Behind this facade was a North Korean operative, a meticulously trained spy whose mission was to exfiltrate and infiltrate the know before security awareness company.
ON AIR (03:11.434)
No before needed a software engineer. And they were developing an internal it AI team. They posted the job, they received resumes, they conducted interviews, they perform background checks, they verified references, and they hired the person, they sent them the Mac workstation. And when we think about what the hiring process involved, this is what
involved. The HR team conducted four video conference based interviews on various separate occasions. So it wasn't all done once. They confirmed that the individual matched the photo provided on their application. And additionally, a background check and all other standard pre hiring checks were performed. And they all came back clear. But here's
they had an identity that was stolen and that this person was using. So everything that would come back to that stolen identity came out clean because the identity that they stole was of somebody that had a clean record. Also, as you know, from our prior episode with William Woods, the damage that could be done when leveraging someone else's stolen identity is massive.
other story went on for decades. So here, back at Noble Four, this was a real person using a valid but stolen US based identity. The picture that they used was AI enhanced. So check out the different photos here. Here is the real picture. And here is the AI enhanced
Here's the real one. Here is the AI deep faked
ON AIR (05:16.012)
So the moment they shipped the MacBook out to the person in the US, that's when the red flags began. Because the moment it was received, it was immediately loaded with
ON AIR (05:36.864)
the employee, the former employee's aim was to be funneling sensitive information and the income that they would pay the person who they thought would be doing the work back to North Korea.
and they use handlers, would have these people called mules, right, and they create these laptop farms. They would ship the sensitive information and the income to these handlers. And it ultimately results in compromising national security, as well as corporate secrets. Keep in mind, North Korea is
banned country here in the US, right? They are an enemy. We don't trade with them. We don't have communication with them. And we have sanctions against them. Because we have sanctions, they use tactics like cybercrime and efforts like this in order to still siphon off money from the US.
What's kind of cool is the EDR, the endpoint detection response software that Novo4 was using, detected the malware that the person was downloading it and it alerted the Novo4 InfoSec security operations team, their SOC, security operations team, SOC, SOC. The SOC called the new hire and asked if they could help.
The truth unraveled though. Unusual network activity was the first clue, the first small red flag. And then when pieced together kind of revealed this terrifying extent of what was happening. An internal investigation led to a shocking discovery and that was that this trusted employee was actually a North Korean fake IT worker, a spy.
ON AIR (07:48.482)
in their midst. The EDR software detected it and alerted the SOC, right, who called and they asked for help. This all happened just last month, July 15, 2024. There was a series of suspicious activities that got detected starting at 9 .55 p Eastern. So later at night, when the alerts came back to the Know Before SOC team, they reached out to the user
to inquire about the anomalies. Anomalies are weird crap that happens, right? Things out of the norm. It's what socks and threat hunting is all about. The operative, the employee at the time, they responded to the sock that he was following steps on his router guide to troubleshoot a speed issue and that that might have caused
Some of the red flags are cause to compromise. The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi device to download the malware. The SOC kept trying to get more information and kept blocking all of his efforts.
The SOC attempted to get more details from him, including getting him on a call, but he said he was unavailable for a call. And then after that, disappeared. From that point on, that evening, he was unresponsive. By 10 20 p the SOC contained the device. They locked it down. So within a 20 minute time
The sock got him, caught him and contained it. That is good cybersecurity practice.
ON AIR (09:58.39)
How this works is
The fake worker asked to get their workstation sent to an address that is in the US. It's basically an IT mule laptop farm. They then VPN in from where they're actually physically located, which is North Korea or over the border to China. And they work the night shift over there so that it seems
like they are working in the US data.
The scam is that they're actually doing the work, getting paid well, and transferring a large amount of money and data and sensitive information, corporate trade secrets, et cetera, over back to North Korea and or China to fund their illegal programs. A lot of the cybercrime that is leveraged by North Korea
is used to fund the North Korean missile
ON AIR (11:13.696)
Now we don't have to tell you about the severity of the risk here. And it's good that we were able to kind of capture all of this right away. The controls, the security controls, the policies, practices that Novo4 had is really good. It caught it right away. I mean, it'd be great if they would have stopped it from ever receiving the laptop.
because as North Korea's or China's tactics get better, they might be able to do it without getting detected. We've seen that before. but still kudos to them. And more importantly too is kudos to them for sharing this and being transparent so that we can all learn from this. The EDR software detected it. It alerted their SOC. The SOC called them asked them can
whether they can help, it got dodgy fast. So, then, they shared the collected data with their friends over at Mandiant, that leading, brilliant cybersecurity group that works with, it's owned by Google now. I mean, they're a leading global cybersecurity expert. They're the ones that usually are able to trace down nation states, and they're just the best.
Also, also know before also communicated directly with the FBI to corroborate their initial findings and it all turned out to be accurate. And it turns out this was a fake IT worker located in North Korea. And this isn't just a story about one company or one spy. I think that's important. This is a wake up
cybersecurity is not just about technology. It's about people. Social engineering and insider threats are real. And they can happen to any company, no matter where you're physically located, even if you're an hour or so outside of Wichita, Kansas, this can and likely will be something that you'll have to face. It's dangerous, right?
ON AIR (13:38.674)
And it's, it's not the only incident. So check this out. So the Office of Public Affairs, the US Department of Justice released a press release just a couple months ago, talking about the Justice Department announcing arrest, premises search, seizures of multiple website domains to disrupt illegal revenue generation efforts of
Democratic People's Republic of Korea, the DPRK. So what they did is they caught all of these IT fake workers and this IT laptop farm. So they announced a series of coordinated and court authorized actions disrupting illicit, illicit revenue generation efforts by North Korea, the DPRK.
RK.
under the guise of information technology workers. This was a department wide initiative. And what they were doing is under the initiative, they launched it back in March, the National Security Division and the FBI Cyber and Counterintelligence divisions, along with Department of Justice prosecutors prioritized
identification and shutting down of US based laptop farms, which are locations hosting laptops provided by victim companies to who they believe are employees. They're also prioritizing investigations and prosecutions of US based witting enablers as appropriate. Those are like the mules the people
ON AIR (15:33.652)
located here in the US that are helping. They're also partnering up with like -minded countries, like in the UK, Australia, places like that, that are also subject to hosting these IT worker support networks. And they want to improve how fast they catch them. They want to improve speed, tempo, and content of notifications to victims.
If you recall, if you've been a listener of our podcast for a couple of years, you'll recall two years ago, we reported on this. We reported on a FBI alert on how employees were applying for remote IT work and getting hired by companies and them basically handing them the keys to the castle. If you go back to one of
first 10, 15 episodes, we talked all about it. So this has been going on for a while, but now the efforts have been expanded and they're creating these entire IT laptop farms, hosting them in the US. But what was amazing about this is they talk about a an entire takedown that happened just a couple months ago.
the individual, Vong, V -O -N -G, was arrested with a US passport and a Maryland driver's license. And then there was a different individual had appeared in an earlier interview for the same position. Check that out. And then later for work meetings during the course of Vong's employment.
That individual, charged as a John Doe in a criminal complaint, is a native of North Korea and a self -described software engineer who claimed to be living in Shenyang, China. So as they allege in the complaint, throughout the course of Vong's employment with a US company, the remote IT workers based overseas performed all of his job duties
ON AIR (17:58.976)
by accessing protected victim computer systems via VPN, right? They just VPN and act like him and do the work. And then they would pose as him on work -related video conferences. Vong also shipped one or more laptops from his location in the US over to addresses in China.
Vong also received payment from the US company and other employers, which was then transmitted to individuals located overseas, keeping a percentage for himself. So what this shows is exactly specific details of the laptop farms, the mules, all of the FBI agencies involved
15 different states and how they are funneling all of this back. So how are you supposed to, what are you supposed to do as a business leader or a business owner? Well, the tips that they point out to help you prevent this are the following. Scan your remote devices to make sure that no one remotes into those devices, right? Conduct better vetting of
potential employees, right? Making sure that they're physically where they're supposed to be. Better resume scanning for career inconsistencies. Because in hindsight, Noble Four acknowledges that there were some inconsistencies between addresses and dates, and they could have checked that stuff. And get these people on video camera and ask them about the work they are doing, right? The laptop shipping address.
should be different from where they're supposed to live and work. And if that's the case, that's a red flag. Right? And that's really important. Process improvements that are recommended are the following. Background check appears inadequate names used were not consistent. references potentially not properly vetted. Don't rely on email references only.
ON AIR (20:18.718)
actually speak live to the person. So you can ask follow up questions and you can assess tone of voice, et cetera. Implement enhanced monitoring for any continued attempts to access systems, review and strengthen access controls and authentication processes, and clearly conduct security awareness training for employees emphasizing social engineering tactics like this. Things to look out
that we can learn from this event that Noble Four points out is the use of VoIP numbers and lack of digital footprints for providing contact information. That's really key. Discrepancies in the address and the date of birth across different sources. Conflicting personal information, marital status, family emergencies, explaining unavailability, sophisticated use of VPNs.
or virtual machines for accessing company systems. Any attempts to execute malware or subsequent cover -up efforts? Clearly, obviously. Here, the subject demonstrated a high level of sophistication and created a believable cover identity, exploiting weaknesses in the hiring and background check processes and attempting to establish a foothold within NOVA 4 systems.
So one thing we all have to keep in mind here is this is a well organized state sponsored large criminal ring with extensive resources. This whole incident highlights a critical need for more robust vetting processes, continuous security monitoring, improved coordination between HR, IT and security teams. And again,
check out the difference in the photos, right? The one to the left is the real person, the one to the right is what was submitted in. So that is what is a perfect example of this. In a world today where the lines between cyber and physical threats blur more than ever, vigilance is what it's all about. It's the best defense.
ON AIR (22:45.378)
Like let's let this story be a catalyst for action. Let's strengthen our defenses, protect our data and remember sometimes the greatest threats come from within.
