
Microsoft Alerts About Phony IT Worker Identities Breaching Cloud Environments


Microsoft has issued a serious warning regarding the North Korea-aligned group Jasper Sleet, which is reportedly exploiting the model of remote hiring to infiltrate cloud environments by masquerading as legitimate IT professionals. By assuming false identities and leveraging trusted access, these operatives pose a significant threat to organizations worldwide.

The rise of remote work, accelerated by the COVID-19 pandemic, has led many companies to expand their hiring practices. They now often recruit globally, perform online identity verification, and complete onboarding processes entirely remotely. This shift has inadvertently opened the door for malicious actors like Jasper Sleet, who utilize a range of sophisticated tactics to deceive companies into hiring them as contractors or employees.

Jasper Sleet operates as a well-coordinated scheme that engages in impersonating IT workers using stolen or fabricated identities. This group is adept at employing generative artificial intelligence to polish resumes, create bespoke job applications, and mimic the language typically used in the industry. By crafting AI-driven content, they present themselves as highly suitable candidates capable of passing automated resume screening, recruiter assessment, and initial interviews.

During the job discovery phase, Jasper Sleet’s operators systematically scour corporate career portals and public job boards, focusing particularly on remote technical roles, especially in cloud computing and IT. Microsoft has reported that these actors utilize generative AI at an extensive scale to analyze job postings, extracting essential skills and required tools for specific roles. The attackers then create tailored CVs and cover letters that mirror the language of the job descriptions, significantly enhancing their chances of being selected for interviews.

In today’s job market, many organizations advertise their vacancies through Human Resource Software as a Service (HR SaaS) platforms like Workday, which expose external career sites and related APIs. Microsoft has identified that Jasper Sleet infrastructure makes repeated calls to Workday’s recruiting APIs to find and apply for numerous roles simultaneously. While legitimate applicants may also access these endpoints, the attackers often use multiple accounts and exhibit patterns of automated job discovery, which stand out to defenders as red flags.

Once these fraudulent workers gain entry into the recruitment pipeline, they interact with hiring teams through popular communication platforms such as Microsoft Teams, Zoom, or Webex. Microsoft recommends that organizations use the advanced hunting features in Microsoft Defender and connect it to cloud apps such as Workday and the conferencing platforms in order to detect suspicious activity. Examples include identifying external accounts, monitoring risky IP ranges, and recognizing unusual document-signing behavior during the hiring process.

Upon being hired, these impersonators acquire genuine corporate identities along with access to critical Software as a Service applications like SharePoint, OneDrive, and Exchange Online. They can exploit these resources to steal sensitive data or establish long-term access to the organization’s network, thereby putting company information at significant risk.

After onboarding, anomalies have been recorded involving newly hired Jasper Sleet operatives who log into Workday accounts from known infrastructure linked to these malicious actors. Alarmingly, many of these new hires change payroll details shortly after receiving access, redirecting their salaries to accounts under their control. Microsoft has documented spikes in “impossible travel” alerts, which indicate suspicious log-in patterns from anonymous proxies, often coinciding with data searching and downloading activities across Microsoft 365 applications.

To tackle these threats effectively, Microsoft has warned organizations to consider the entire recruiting and onboarding process as part of their attack surface. They recommend fusing Human Resources telemetry with security monitoring to better anticipate and counteract these kinds of infiltrations. Organizations should enable relevant connectors within Defender for Cloud Apps, correlate activities of external candidates with threat intelligence related to Jasper Sleet, and rigorously investigate any anomalies that arise in new-hire accounts.
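The correlation described above, as an added illustration that is not part of Microsoft's report or the original article: a small triage routine that fuses constructed HR onboarding records with constructed sign-in, payroll-change and download events, and flags new-hire accounts that show several of the behaviours the article lists within their onboarding window. The window length, download threshold and event schema are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (illustrative only, not real data).
# HR system: corporate account -> onboarding date.
HIRES = {
    "contractor01@example.com": datetime(2025, 6, 2),
    "dev02@example.com": datetime(2025, 6, 3),
}
# Fused HR + security event stream: (account, ISO timestamp, event type, attributes).
EVENTS = [
    ("contractor01@example.com", "2025-06-03T09:10:00", "signin", {"anonymous_proxy": True}),
    ("contractor01@example.com", "2025-06-04T11:00:00", "payroll_change", {"bank_account_changed": True}),
    ("contractor01@example.com", "2025-06-04T11:20:00", "file_download", {"count": 420}),
    ("dev02@example.com", "2025-06-05T08:00:00", "signin", {"anonymous_proxy": False}),
    ("dev02@example.com", "2025-06-20T10:00:00", "payroll_change", {"bank_account_changed": True}),
]

def new_hire_indicators(account, hired_on, events, window_days=14, download_threshold=200):
    """Collect risk indicators for one account within its onboarding window.
    The indicators mirror the behaviours the report describes: a payroll change soon
    after access is granted, sign-ins through anonymous proxies and bulk downloads
    from Microsoft 365 apps. Window and threshold values are assumptions.
    """
    window_end = hired_on + timedelta(days=window_days)
    indicators = set()
    for acct, ts, kind, attrs in events:
        when = datetime.fromisoformat(ts)
        if acct != account or not (hired_on <= when <= window_end):
            continue  # other account, or outside the onboarding window
        if kind == "payroll_change" and attrs.get("bank_account_changed"):
            indicators.add("early_payroll_change")
        elif kind == "signin" and attrs.get("anonymous_proxy"):
            indicators.add("anonymous_proxy_signin")
        elif kind == "file_download" and attrs.get("count", 0) >= download_threshold:
            indicators.add("bulk_download")
    return sorted(indicators)

def triage_new_hires(hires, events, min_indicators=2):
    """Return new-hire accounts with enough correlated indicators to warrant investigation."""
    flagged = {}
    for account, hired_on in hires.items():
        hits = new_hire_indicators(account, hired_on, events)
        if len(hits) >= min_indicators:
            flagged[account] = hits
    return flagged

if __name__ == "__main__":
    for account, hits in triage_new_hires(HIRES, EVENTS).items():
        print(f"{account}: investigate ({', '.join(hits)})")
```

A single indicator (for example, one legitimate payroll correction) does not trip the rule on its own; the point is the correlation of HR and security signals within the same account's onboarding window.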

Furthermore, it is crucial for Security and HR teams to conduct training sessions aimed at equipping staff with the skills necessary to recognize social engineering tactics that could indicate fraudulent intentions among candidates. By leveraging Microsoft’s threat analytics and maintaining awareness of the evolving threat landscape posed by Jasper Sleet, companies can better position themselves against this sophisticated deception in the hiring process.

In summary, as the threat landscape continues to evolve, organizations must remain vigilant and proactive in their hiring practices. By understanding and mitigating the risks associated with remote hiring, businesses can protect themselves from the emerging tactics employed by groups like Jasper Sleet.
