Palo Alto Networks’ Unit 42 recently disclosed the details of North Korean threat actors who are intricately involved in schemes to deceive both employers and job applicants in the form of fake job recruiters and seekers. These schemes are part of larger campaigns known as “Contagious Interview” and “Wagemole” through which the threat actors aim to gain financial profit and potentially infiltrate Western organizations.
In the Contagious Interview campaign, the North Korean threat actors pose as employers by posting fake job openings and engaging with unsuspecting applicants. During the vetting process, they persuade the applicants to install highly sophisticated infostealers across different platforms. On the other hand, the Wagemole campaign involves the threat actors masquerading as job seekers and applying for jobs at well-established organizations in the US and other countries.
Michael Sikorski, Chief Technology Officer and Vice President of Unit 42, emphasized that these elaborate ruses are a more convincing method of social engineering compared to standard phishing emails. He noted that people are bombarded with numerous emails every day, and these campaigns are an attempt to make the deception appear more realistic to the unsuspecting victims.
The Democratic People’s Republic of Korea (DPRK) has a history of engaging in espionage and financial cybercrime in addition to traditional cyber theft. For instance, state-sponsored hackers have previously posed as high-tech job recruiters to entice skilled employees into prolonged engagements that ultimately led to malware attacks. Last year, these tactics resulted in the theft of over half a billion dollars from Axie Infinity, a popular Web3 pay-to-play game.
Since at least March, the threat actors behind Contagious Interview have been posting vague job openings for software developers or positions tailored to the AI and Web3 fields. Once initial contact has been made, the applicants are invited to an online interview where they are sent a malicious npm-based package containing infostealers. These infostealers target system information, credit card details, and cryptocurrency wallet information, posing substantial risks to victims.
Of particular concern is the fact that these sophisticated infostealers work across various operating systems, including Windows, Linux, and macOS. According to Sikorski, the primary aim of these malware attacks may not be solely financial gain and espionage, but rather a foothold in the target system for potential future infections within other companies.
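Because the lure above is an npm package handed to a candidate during an "interview", the practical check is to read the package manifest before letting npm run anything. The following is an added example, not code from the article or from Unit 42; it audits a package.json object for install-time lifecycle scripts and dependencies fetched from outside the registry, using a constructed manifest for illustration.

```javascript
// Added example: pre-install audit of a package.json manifest.
// It never executes the package; it only reports what `npm install`
// would run (lifecycle hooks) or fetch from arbitrary URLs (non-registry deps).
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Dependency specs that are not plain semver ranges/tags: git or http URLs,
// local paths, or the "user/repo" GitHub shorthand (semver never contains "/").
const NON_REGISTRY_SPEC = /^(https?:|git(\+[a-z]+)?:|github:|file:)|\//i;

function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({ kind: "lifecycle-script", name: hook, detail: scripts[hook] });
    }
  }
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec === "string" && NON_REGISTRY_SPEC.test(spec)) {
        findings.push({ kind: "non-registry-dependency", name, detail: spec });
      }
    }
  }
  return findings;
}

// Convenience wrapper: true only when nothing runs or is fetched outside the registry.
function isCleanManifest(pkg) {
  return auditManifest(pkg).length === 0;
}

// Constructed sample manifest (not a real package): a "coding task" that
// silently runs a script on install and pulls a dependency from a git URL.
const CONSTRUCTED_MANIFEST = {
  name: "interview-task",
  version: "1.0.0",
  scripts: {
    test: "node test.js",
    postinstall: "node scripts/setup.js"
  },
  dependencies: {
    express: "^4.18.2",
    helper: "git+https://example.invalid/helper.git"
  }
};

for (const f of auditManifest(CONSTRUCTED_MANIFEST)) {
  console.log(`${f.kind}: ${f.name} -> ${f.detail}`);
}
```

If a manifest must be installed for inspection anyway, `npm install --ignore-scripts` prevents the lifecycle hooks from running, but it does not stop a dependency from being fetched from the URL shown in the report.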
Furthermore, the DPRK threat actors have also been known to pose as job applicants seeking remote work in the tech space. Through a complex web of fake resumes, email correspondence, and social media interaction, these actors manage to secure work under false identities and divert their earnings back to the Kim regime. The researchers discovered evidence of this scheme through their investigation of the GitHub infrastructure behind Contagious Interview.
Additionally, the US Department of Justice recently advised companies to exercise caution and verify the identities of potential employees due to the prevalence of these deceptive schemes. The risks posed by having a state-sponsored actor within a company are substantial, especially in the case of software developers who have access to proprietary source code.
In conclusion, the activities of North Korean threat actors in posing as fake job recruiters and job seekers on the internet underscore the evolving tactics used by malicious actors to deceive organizations and individuals. As technology continues to advance, it is crucial for companies and job seekers to remain vigilant and employ robust security measures to protect against such deceptive schemes.